add CVE-2022-46176 fix

[cargo.git] / debian / patches / cve / CVE-2022-46176-08-eliminate-let-else.patch

diff --git a/debian/patches/cve/CVE-2022-46176-08-eliminate-let-else.patch b/debian/patches/cve/CVE-2022-46176-08-eliminate-let-else.patch
new file mode 100644 (file)
index 0000000..60637b1
--- /dev/null
+++ b/debian/patches/cve/CVE-2022-46176-08-eliminate-let-else.patch
@@ -0,0 +1,61 @@
+This patch eliminates let-else usage in the code introduced
+to fix CVE-2022-46176 as that construct is not stabalised in
+the version of rustc currently in Debian.
+
+It was written specifical for Debian by Peter Michael Green.
+
+Index: cargo/src/cargo/sources/git/known_hosts.rs
+===================================================================
+--- cargo.orig/src/cargo/sources/git/known_hosts.rs
++++ cargo/src/cargo/sources/git/known_hosts.rs
+@@ -89,11 +89,13 @@ pub fn certificate_check(
+     config_known_hosts: Option<&Vec<Value<String>>>,
+     diagnostic_home_config: &str,
+ ) -> Result<CertificateCheckStatus, git2::Error> {
+-    let Some(host_key) = cert.as_hostkey() else {
++    let host_key = cert.as_hostkey();
++    if host_key.is_none() {
+         // Return passthrough for TLS X509 certificates to use whatever validation
+         // was done in git2.
+         return Ok(CertificateCheckStatus::CertificatePassthrough)
+     };
++    let host_key = host_key.unwrap();
+     // If a nonstandard port is in use, check for that first.
+     // The fallback to check without a port is handled in the HostKeyNotFound handler.
+     let host_maybe_port = match port {
+@@ -234,9 +236,11 @@ fn check_ssh_known_hosts(
+     host: &str,
+     config_known_hosts: Option<&Vec<Value<String>>>,
+ ) -> Result<(), KnownHostError> {
+-    let Some(remote_host_key) = cert_host_key.hostkey() else {
++    let remote_host_key = cert_host_key.hostkey();
++    if remote_host_key.is_none() {
+         return Err(anyhow::format_err!("remote host key is not available").into());
+     };
++    let remote_host_key = remote_host_key.unwrap();
+     let remote_key_type = cert_host_key.hostkey_type().unwrap();
+ 
+     // Collect all the known host entries from disk.
+@@ -455,10 +459,18 @@ impl KnownHost {
+ }
+ 
+ fn hashed_hostname_matches(host: &str, hashed: &str) -> bool {
+-    let Some((b64_salt, b64_host)) = hashed.split_once('|') else { return false; };
+-    let Ok(salt) = base64::decode(b64_salt) else { return false; };
+-    let Ok(hashed_host) = base64::decode(b64_host) else { return false; };
+-    let Ok(mut mac) = hmac::Hmac::<sha1::Sha1>::new_from_slice(&salt) else { return false; };
++    let hostandsalt = hashed.split_once('|');
++    if hostandsalt.is_none() { return false; };
++    let (b64_salt, b64_host) = hostandsalt.unwrap();
++    let salt = base64::decode(b64_salt);
++    if salt.is_err() { return false; };
++    let salt = salt.unwrap();
++    let hashed_host = base64::decode(b64_host);
++    if hashed_host.is_err() { return false; };
++    let hashed_host = hashed_host.unwrap();
++    let mac = hmac::Hmac::<sha1::Sha1>::new_from_slice(&salt);
++    if mac.is_err() { return false; };
++    let mut mac = mac.unwrap();
+     mac.update(host.as_bytes());
+     let result = mac.finalize().into_bytes();
+     hashed_host == &result[..]