openSUSE-SU-2022:0843-1: moderate: Security update for rust, rust1.58, rust1.59
openSUSE Security Update: Security update for rust, rust1.58, rust1.59 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2022:0843-1 Rating: moderate References: #1194767 Cross-References: CVE-2022-21658 CVSS scores: CVE-2022-21658 (NVD) : 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H CVE-2022-21658 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Affected Products: openSUSE Leap 15.3 openSUSE Leap 15.4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for rust, rust1.58, rust1.59 fixes the following issues: This update provides both rust1.58 and rust1.59. Changes in rust1.58: - Add recommends for GCC for installs to be able to link. - Add suggests for lld/clang which are faster than gcc for linking to allow users choice on what they use. - CVE-2022-21658: Resolve race condition in std::fs::remove_dir_all (bsc#1194767) Version 1.58.0 (2022-01-13) ========================== Language -------- - [Format strings can now capture arguments simply by writing `{ident}` in the string.][90473] This works in all macros accepting format strings. Support for this in `panic!` (`panic!("{ident}")`) requires the 2021 edition; panic invocations in previous editions that appear to be trying to use this will result in a warning lint about not having the intended effect. - [`*const T` pointers can now be dereferenced in const contexts.][89551] - [The rules for when a generic struct implements `Unsize` have been relaxed.][90417] Compiler -------- - [Add LLVM CFI support to the Rust compiler][89652] - [Stabilize -Z strip as -C strip][90058]. Note that while release builds already don't add debug symbols for the code you compile, the compiled standard library that ships with Rust includes debug symbols, so you may want to use the `strip` option to remove these symbols to produce smaller release binaries. Note that this release only includes support in rustc, not directly in cargo. - [Add support for LLVM coverage mapping format versions 5 and 6][91207] - [Emit LLVM optimization remarks when enabled with `-Cremark`][90833] - [Update the minimum external LLVM to 12][90175] - [Add `x86_64-unknown-none` at Tier 3*][89062] - [Build musl dist artifacts with debuginfo enabled][90733]. When building release binaries using musl, you may want to use the newly stabilized strip option to remove these debug symbols, reducing the size of your binaries. - [Don't abort compilation after giving a lint error][87337] - [Error messages point at the source of trait bound obligations in more places][89580] \* Refer to Rust's [platform support page][platform-support-doc] for more information on Rust's tiered platform support. Libraries --------- - [All remaining functions in the standard library have `#[must_use]` annotations where appropriate][89692], producing a warning when ignoring their return value. This helps catch mistakes such as expecting a function to mutate a value in place rather than return a new value. - [Paths are automatically canonicalized on Windows for operations that support it][89174] - [Re-enable debug checks for `copy` and `copy_nonoverlapping`][90041] - [Implement `RefUnwindSafe` for `Rc<T>`][87467] - [Make RSplit<T, P>: Clone not require T: Clone][90117] - [Implement `Termination` for `Result<Infallible, E>`][88601]. This allows writing `fn main() -> Result<Infallible, ErrorType>`, for a program whose successful exits never involve returning from `main` (for instance, a program that calls `exit`, or that uses `exec` to run another program). Stabilized APIs --------------- - [`Metadata::is_symlink`] - [`Path::is_symlink`] - [`{integer}::saturating_div`] - [`Option::unwrap_unchecked`] - [`Result::unwrap_unchecked`] - [`Result::unwrap_err_unchecked`] - [`NonZero{unsigned}::is_power_of_two`] - [`File::options`] These APIs are now usable in const contexts: - [`Duration::new`] - [`Duration::checked_add`] - [`Duration::saturating_add`] - [`Duration::checked_sub`] - [`Duration::saturating_sub`] - [`Duration::checked_mul`] - [`Duration::saturating_mul`] - [`Duration::checked_div`] - [`MaybeUninit::as_ptr`] - [`MaybeUninit::as_mut_ptr`] - [`MaybeUninit::assume_init`] - [`MaybeUninit::assume_init_ref`] Cargo ----- - [Add --message-format for install command][cargo/10107] - [Warn when alias shadows external subcommand][cargo/10082] Rustdoc ------- - [Show all Deref implementations recursively in rustdoc][90183] - [Use computed visibility in rustdoc][88447] Compatibility Notes ------------------- - [Try all stable method candidates first before trying unstable ones][90329]. This change ensures that adding new nightly-only methods to the Rust standard library will not break code invoking methods of the same name from traits outside the standard library. - Windows: [`std::process::Command` will no longer search the current directory for executables.][87704] - [All proc-macro backward-compatibility lints are now deny-by-default.][88041] - [proc_macro: Append .0 to unsuffixed float if it would otherwise become int token][90297] - [Refactor weak symbols in std::sys::unix][90846]. This optimizes accesses to glibc functions, by avoiding the use of dlopen. This does not increase the [minimum expected version of glibc](https://doc.rust-lang.org/nightly/rustc/platform-support.html). However, software distributions that use symbol versions to detect library dependencies, and which take weak symbols into account in that analysis, may detect rust binaries as requiring newer versions of glibc. - [rustdoc now rejects some unexpected semicolons in doctests][91026] Version 1.59.0 (2022-02-24) ========================== Language -------- - [Stabilize default arguments for const generics][90207] - [Stabilize destructuring assignment][90521] - [Relax private in public lint on generic bounds and where clauses of trait impls][90586] - [Stabilize asm! and global_asm! for x86, x86_64, ARM, Aarch64, and RISC-V][91728] Compiler -------- - [Stabilize new symbol mangling format, leaving it opt-in (-Csymbol-mangling-version=v0)][90128] - [Emit LLVM optimization remarks when enabled with `-Cremark`][90833] - [Fix sparc64 ABI for aggregates with floating point members][91003] - [Warn when a `#[test]`-like built-in attribute macro is present multiple times.][91172] - [Add support for riscv64gc-unknown-freebsd][91284] - [Stabilize `-Z emit-future-incompat` as `--json future-incompat`][91535] Libraries --------- - [Remove unnecessary bounds for some Hash{Map,Set} methods][91593] Stabilized APIs --------------- - [`std::thread::available_parallelism`][available_parallelism] - [`Result::copied`][result-copied] - [`Result::cloned`][result-cloned] - [`arch::asm!`][asm] - [`arch::global_asm!`][global_asm] - [`ops::ControlFlow::is_break`][is_break] - [`ops::ControlFlow::is_continue`][is_continue] - [`TryFrom<char> for u8`][try_from_char_u8] - [`char::TryFromCharError`][try_from_char_err] implementing `Clone`, `Debug`, `Display`, `PartialEq`, `Copy`, `Eq`, `Error` - [`iter::zip`][zip] - [`NonZeroU8::is_power_of_two`][is_power_of_two8] - [`NonZeroU16::is_power_of_two`][is_power_of_two16] - [`NonZeroU32::is_power_of_two`][is_power_of_two32] - [`NonZeroU64::is_power_of_two`][is_power_of_two64] - [`NonZeroU128::is_power_of_two`][is_power_of_two128] - [`DoubleEndedIterator for ToLowercase`][lowercase] - [`DoubleEndedIterator for ToUppercase`][uppercase] - [`TryFrom<&mut [T]> for [T; N]`][tryfrom_ref_arr] - [`UnwindSafe for Once`][unwindsafe_once] - [`RefUnwindSafe for Once`][refunwindsafe_once] - [armv8 neon intrinsics for aarch64][stdarch/1266] Const-stable: - [`mem::MaybeUninit::as_ptr`][muninit_ptr] - [`mem::MaybeUninit::assume_init`][muninit_init] - [`mem::MaybeUninit::assume_init_ref`][muninit_init_ref] - [`ffi::CStr::from_bytes_with_nul_unchecked`][cstr_from_bytes] Cargo ----- - [Stabilize the `strip` profile option][cargo/10088] - [Stabilize future-incompat-report][cargo/10165] - [Support abbreviating `--release` as `-r`][cargo/10133] - [Support `term.quiet` configuration][cargo/10152] - [Remove `--host` from cargo {publish,search,login}][cargo/10145] Compatibility Notes ------------------- - [Refactor weak symbols in std::sys::unix][90846] This may add new, versioned, symbols when building with a newer glibc, as the standard library uses weak linkage rather than dynamically attempting to load certain symbols at runtime. - [Deprecate crate_type and crate_name nested inside `#![cfg_attr]`][83744] This adds a future compatibility lint to supporting the use of cfg_attr wrapping either crate_type or crate_name specification within Rust files; it is recommended that users migrate to setting the equivalent command line flags. - [Remove effect of `#[no_link]` attribute on name resolution][92034] This may expose new names, leading to conflicts with preexisting names in a given namespace and a compilation failure. - [Cargo will document libraries before binaries.][cargo/10172] - [Respect doc=false in dependencies, not just the root crate][cargo/10201] - [Weaken guarantee around advancing underlying iterators in zip][83791] - [Make split_inclusive() on an empty slice yield an empty output][89825] - [Update std::env::temp_dir to use GetTempPath2 on Windows when available.][89999] Changes in rust wrapper package: - Update to version 1.59.0 - for details see the rust1.59 package - Update package description to help users choose what tooling to install. - Provide rust+cargo by cargo: all cargo<n> package provide this symbol too. Having the meta package provide it allows OBS to have a generic prefernece on the meta package for all packages 'just' requiring rust+cargo. - Update to version 1.58.0 Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.4: zypper in -t patch openSUSE-SLE-15.4-2022-843=1 - openSUSE Leap 15.3: zypper in -t patch openSUSE-SLE-15.3-2022-843=1 Package List: - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64): cargo-1.59.0-150300.21.20.1 rust-1.59.0-150300.21.20.1 - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): cargo-1.59.0-150300.21.20.1 cargo1.58-1.58.0-150300.7.3.1 cargo1.58-debuginfo-1.58.0-150300.7.3.1 cargo1.59-1.59.0-150300.7.4.2 cargo1.59-debuginfo-1.59.0-150300.7.4.2 rust-1.59.0-150300.21.20.1 rust1.58-1.58.0-150300.7.3.1 rust1.58-debuginfo-1.58.0-150300.7.3.1 rust1.59-1.59.0-150300.7.4.2 rust1.59-debuginfo-1.59.0-150300.7.4.2 References: https://www.suse.com/security/cve/CVE-2022-21658.html https://bugzilla.suse.com/1194767
participants (1)
-
opensuse-security@opensuse.org