emacs-bug-tracker

bug#53461: closed ([address@hidden: Rust CVE])


From: GNU bug Tracking System
Subject: bug#53461: closed ([address@hidden: Rust CVE])
Date: Thu, 04 Aug 2022 11:05:02 +0000

Your message dated Thu, 04 Aug 2022 13:03:57 +0200
with message-id <871qtwqnhe.fsf@gnu.org>
and subject line Re: [bug#54439] [PATCH core-updates] gnu: rust: Use rust-1.60.0
has caused the debbugs.gnu.org bug report #54439,
regarding [kiasoc5@tutanota.com: Rust CVE]
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
54439: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=54439
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
--- Begin Message ---
Subject: [address@hidden: Rust CVE]
Date: Sat, 22 Jan 2022 19:29:57 -0500
----- Forwarded message from kiasoc5@tutanota.com -----

Date: Sun, 23 Jan 2022 01:20:10 +0100 (CET)
From: kiasoc5@tutanota.com
To: guix-security@gnu.org
Subject: Rust CVE

Hi,

Rust has a new CVE that is only mitigated by upgrading to Rust 1.58+.

https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html

Attached is a patch that adds rust-1.58.1. It doesn't replace the default as 
I'm not sure whether this should be grafted or not.

Thanks
kiasoc5

From 753f4e9c68a7b12267989d1721e97841d9f499d0 Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5@tutanota.com>
Date: Sat, 22 Jan 2022 19:10:50 -0500
Subject: [PATCH] gnu: Add rust-1.58.

* gnu/packages/rust.scm (rust-1.58): New variable.
---
 gnu/packages/rust.scm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
index 5a6d4a5c30..c9b44da844 100644
--- a/gnu/packages/rust.scm
+++ b/gnu/packages/rust.scm
@@ -784,6 +784,10 @@ (define rust-1.57
                             `("procps" ,procps)
                             (package-native-inputs base-rust))))))
 
+(define rust-1.58
+  (rust-bootstrapped-package
+   rust-1.57 "1.58.1" "1iq7kj16qfpkx8gvw50d8rf7glbm6s0pj2y1qkrz7mi56vfsyfd8"))
+
 ;;; Note: Only the latest versions of Rust are supported and tested.  The
 ;;; intermediate rusts are built for bootstrapping purposes and should not
 ;;; be relied upon.  This is to ease maintenance and reduce the time
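Review bot: the `rust-1.58` definition added here is not wired up as the default `rust`, so users installing `rust` still get 1.57 and the fix for CVE-2022-21658 that motivates the patch is not actually delivered; the cover letter acknowledges this pending a decision on grafting, but the issue should not be considered closed until the default is bumped. Because the package is produced by `(rust-bootstrapped-package rust-1.57 ...)`, it inherits whatever `rust-1.57` configures, and the thread notes that the current public version is the one that re-enables tests and carries test fix-ups, which may not apply to 1.58.1; the cleaner pattern is to demote the current latest to the plain bootstrapped form with `#:tests? #f` and put the test-enabling code on the new default. The new variable also has no comment and sits directly above the note saying intermediate Rusts are for bootstrapping only, so a reader cannot tell whether 1.58 is meant as a bootstrap step or the new final compiler; a one-line comment would make that explicit. Finally, verify that the base32 hash on the third line of the definition matches the upstream 1.58.1 source tarball (for example by re-running `guix download`) before merging.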

base-commit: dfc32d8d997da74a6e838b450649bd89905ffdc3
-- 
2.34.1



----- End forwarded message -----



--- End Message ---
--- Begin Message ---
Subject: Re: [bug#54439] [PATCH core-updates] gnu: rust: Use rust-1.60.0
Date: Thu, 04 Aug 2022 13:03:57 +0200
Jim Newsome <jim@jimnewsome.net> writes:

> Hi, I'm new to this project and this code-review workflow, so please bear 
> with me :).

Welcome!  You are doing great.  :-)

> It looks like there have been a few attempts here at updating Rust, including 
> [Paul's], [Felipe's], and [my own].
>
> [Paul's]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=54439#5
> [Felipe's]: https://issues.guix.gnu.org/54475#0
> [my own]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=56684

Indeed.  :-/

> There's some discussion in this thread about using an updated mrustc and 
> using that to cut out some earlier steps of the bootstrap chain. I propose 
> leaving that out for the moment. It seems both nontrivial and orthogonal, so 
> IMO would make more sense as its own thread / patch-set, which could be 
> reviewed and merged independently, before or after this one.

This has recently been done on the 'staging' branch courtesy of Efraim.

> I think there's some confusion about where and how tests are 
> enabled/disabled. IIUC in the current baseline, they are disabled in 
> `rust-1.55`, which is the first version built with an earlier "official" rust:
>
> ```
>        ;; Only the final Rust is tested, not the intermediate bootstrap ones,
>        ;; for performance and simplicity.
>        #:tests? #f
> ```
>
> and subsequent versions inherit that via the `rust-bootstrapped-package` 
> function.
>
> The latest and public version (currently `rust-1.57`) re-enables most of the 
> tests and fixes up some things so that the tests pass.
>
> So I think the approach here when adding versions is to change the current 
> latest (1.57) to the simpler form that keeps tests disabled, add any 
> additional necessary steps, and have the test-reenabling code again in the 
> latest version.

That is my understanding too.

> 2 patches included:
>
> * First is a pure refactor to decouple "rust-1.57" from "rust" to help avoid 
> confusion in the future.
> * Second adds 1.58, 1.59, and 1.60, and makes rust-1.60 the new rust.
>
> In the latter patch I also tried building each version with a Rust 2 versions 
> back instead of just 1 version back, to see if any can be left out. 
> Unfortunately they couldn't. I'm including some of the errors in the comments 
> for reference.

LGTM, I've pushed both patches to the 'staging' branch since Rust was
already patched there and it has not started evaluating yet.

Note: I also added a copyright line for you, hope that was okay.

Closing the issue, but feel free to continue the discussion.

Attachment: signature.asc
Description: PGP signature


--- End Message ---
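The layering Jim describes above (intermediate Rusts built with `rust-bootstrapped-package` and left untested, the public `rust` inheriting from the newest step and switching tests back on), expressed as a Guix package sketch. This is an added illustration, not code from the patches in this thread or from Guix's own `gnu/packages/rust.scm`; the hash strings are placeholders, and the version numbers and the absence of any release-specific test fix-up phases are assumptions.

```scheme
;;; Illustrative sketch, not the thread's patches.  Each intermediate
;;; release is a plain bootstrapped package built by the previous one.
;;; rust-bootstrapped-package inherits the previous step's arguments,
;;; including `#:tests? #f', so nothing in this chain runs its test suite.
(define rust-1.58
  (rust-bootstrapped-package
   ;; "0000..." is a placeholder, not a real hash.
   rust-1.57 "1.58.1" "0000000000000000000000000000000000000000000000000000"))

(define rust-1.59
  (rust-bootstrapped-package
   ;; placeholder hash
   rust-1.58 "1.59.0" "0000000000000000000000000000000000000000000000000000"))

(define rust-1.60
  (rust-bootstrapped-package
   ;; placeholder hash
   rust-1.59 "1.60.0" "0000000000000000000000000000000000000000000000000000"))

;;; Only the public package is tested.  It inherits everything from the
;;; newest bootstrap step and flips #:tests? back on; any phases needed to
;;; make this particular release's tests pass belong here, not in the
;;; chain, so that the next version bump can demote this definition to the
;;; plain form above without carrying stale fix-ups forward.
(define-public rust
  (package
    (inherit rust-1.60)
    (arguments
     (substitute-keyword-arguments (package-arguments rust-1.60)
       ((#:tests? _ #f) #t)))))
```

When the next release is added, `rust-1.60` stays exactly as written, a new `rust-1.61` is appended to the chain, and only the `(inherit ...)` line of the public `rust` moves, which is the "simpler form for intermediates, test code on the latest" arrangement the thread settles on.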
