X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=debian%2Fpatches%2Fcve%2FCVE-2022-46176-08-eliminate-let-else.patch;fp=debian%2Fpatches%2Fcve%2FCVE-2022-46176-08-eliminate-let-else.patch;h=60637b14500a18507770605e32d1151b97ff5731;hb=1940b6cdd552cc71f3e4b407ccc8c6a2c6dc9b24;hp=0000000000000000000000000000000000000000;hpb=37f4bb236329244992ee0e9f4feba43622cab385;p=cargo.git
diff --git a/debian/patches/cve/CVE-2022-46176-08-eliminate-let-else.patch b/debian/patches/cve/CVE-2022-46176-08-eliminate-let-else.patch
new file mode 100644
index 000000000..60637b145
--- /dev/null
+++ b/debian/patches/cve/CVE-2022-46176-08-eliminate-let-else.patch
@@ -0,0 +1,61 @@
+This patch eliminates let-else usage in the code introduced
+to fix CVE-2022-46176 as that construct is not stabalised in
+the version of rustc currently in Debian.
+
+It was written specifical for Debian by Peter Michael Green.
+
+Index: cargo/src/cargo/sources/git/known_hosts.rs
+===================================================================
+--- cargo.orig/src/cargo/sources/git/known_hosts.rs
++++ cargo/src/cargo/sources/git/known_hosts.rs
+@@ -89,11 +89,13 @@ pub fn certificate_check(
+ config_known_hosts: Option<&Vec>>,
+ diagnostic_home_config: &str,
+ ) -> Result {
+- let Some(host_key) = cert.as_hostkey() else {
++ let host_key = cert.as_hostkey();
++ if host_key.is_none() {
+ // Return passthrough for TLS X509 certificates to use whatever validation
+ // was done in git2.
+ return Ok(CertificateCheckStatus::CertificatePassthrough)
+ };
++ let host_key = host_key.unwrap();
+ // If a nonstandard port is in use, check for that first.
+ // The fallback to check without a port is handled in the HostKeyNotFound handler.
+ let host_maybe_port = match port {
+@@ -234,9 +236,11 @@ fn check_ssh_known_hosts(
+ host: &str,
+ config_known_hosts: Option<&Vec>>,
+ ) -> Result<(), KnownHostError> {
+- let Some(remote_host_key) = cert_host_key.hostkey() else {
++ let remote_host_key = cert_host_key.hostkey();
++ if remote_host_key.is_none() {
+ return Err(anyhow::format_err!("remote host key is not available").into());
+ };
++ let remote_host_key = remote_host_key.unwrap();
+ let remote_key_type = cert_host_key.hostkey_type().unwrap();
+
+ // Collect all the known host entries from disk.
+@@ -455,10 +459,18 @@ impl KnownHost {
+ }
+
+ fn hashed_hostname_matches(host: &str, hashed: &str) -> bool {
+- let Some((b64_salt, b64_host)) = hashed.split_once('|') else { return false; };
+- let Ok(salt) = base64::decode(b64_salt) else { return false; };
+- let Ok(hashed_host) = base64::decode(b64_host) else { return false; };
+- let Ok(mut mac) = hmac::Hmac::::new_from_slice(&salt) else { return false; };
++ let hostandsalt = hashed.split_once('|');
++ if hostandsalt.is_none() { return false; };
++ let (b64_salt, b64_host) = hostandsalt.unwrap();
++ let salt = base64::decode(b64_salt);
++ if salt.is_err() { return false; };
++ let salt = salt.unwrap();
++ let hashed_host = base64::decode(b64_host);
++ if hashed_host.is_err() { return false; };
++ let hashed_host = hashed_host.unwrap();
++ let mac = hmac::Hmac::::new_from_slice(&salt);
++ if mac.is_err() { return false; };
++ let mut mac = mac.unwrap();
+ mac.update(host.as_bytes());
+ let result = mac.finalize().into_bytes();
+ hashed_host == &result[..]
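Review bot: The `is_none()`/`is_err()` checks followed by `unwrap()` that replace the let-else bindings in `hashed_hostname_matches` (and the same shape for `host_key` and `remote_host_key` in the two earlier hunks of this patch) keep the fail-closed `return false` on every malformed input, but they leave an `unwrap()` on each path and a stray `;` after every `if` block. A `match` that binds the value and returns from the `None`/`Err` arm compiles on the same older rustc, needs no `unwrap()`, and keeps each "malformed known_hosts entry → no match" decision visible at the binding site, which matters here because `hashed` comes straight from the user's known_hosts file. The `Hmac` digest type parameter is stripped in this rendering of the patch; the rewrite below writes it as `Sha1`, which is what the original `new_from_slice` line names for the OpenSSH hashed-hostname format. `hashed_hostname_matches` closes outside the hunk.
```rust
fn hashed_hostname_matches(host: &str, hashed: &str) -> bool {
    let (b64_salt, b64_host) = match hashed.split_once('|') {
        Some(parts) => parts,
        None => return false,
    };
    let salt = match base64::decode(b64_salt) {
        Ok(s) => s,
        Err(_) => return false,
    };
    let hashed_host = match base64::decode(b64_host) {
        Ok(h) => h,
        Err(_) => return false,
    };
    let mut mac = match hmac::Hmac::<Sha1>::new_from_slice(&salt) {
        Ok(m) => m,
        Err(_) => return false,
    };
    // … unchanged: mac.update, finalize and the hashed_host comparison …
```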