Refresh patches and remove upstream-applied CVE patches
authorBlair Noctis <n@sail.ng>
Tue, 25 Oct 2022 21:43:41 +0000 (21:43 +0000)
committerFabian Grünbichler <f.gruenbichler@proxmox.com>
Mon, 5 Dec 2022 15:16:44 +0000 (16:16 +0100)
debian/patches/0001-CVE-2022-36113-avoid-unpacking-.cargo-ok-from-the-cr.patch [deleted file]
debian/patches/0001-CVE-2022-36114-limit-the-maximum-unpacked-size-of-a-.patch [deleted file]
debian/patches/2002_disable-net-tests.patch
debian/patches/series

diff --git a/debian/patches/0001-CVE-2022-36113-avoid-unpacking-.cargo-ok-from-the-cr.patch b/debian/patches/0001-CVE-2022-36113-avoid-unpacking-.cargo-ok-from-the-cr.patch
deleted file mode 100644 (file)
index e09b2d2..0000000
+++ /dev/null
@@ -1,50 +0,0 @@
-From c4de262f1f6e813e06981c3d635c009d4f5d7082 Mon Sep 17 00:00:00 2001
-From: Josh Triplett <josh@joshtriplett.org>
-Date: Thu, 18 Aug 2022 17:17:19 +0200
-Subject: [PATCH 1/2] CVE-2022-36113: avoid unpacking .cargo-ok from the crate
-
----
- src/cargo/sources/registry/mod.rs | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/src/cargo/sources/registry/mod.rs b/src/cargo/sources/registry/mod.rs
-index 413734e10..b28bc4942 100644
---- a/src/cargo/sources/registry/mod.rs
-+++ b/src/cargo/sources/registry/mod.rs
-@@ -639,6 +639,13 @@ impl<'cfg> RegistrySource<'cfg> {
-                     prefix
-                 )
-             }
-+            // Prevent unpacking the lockfile from the crate itself.
-+            if entry_path
-+                .file_name()
-+                .map_or(false, |p| p == PACKAGE_SOURCE_LOCK)
-+            {
-+                continue;
-+            }
-             // Unpacking failed
-             let mut result = entry.unpack_in(parent).map_err(anyhow::Error::from);
-             if cfg!(windows) && restricted_names::is_windows_reserved_path(&entry_path) {
-@@ -654,16 +661,14 @@ impl<'cfg> RegistrySource<'cfg> {
-                 .with_context(|| format!("failed to unpack entry at `{}`", entry_path.display()))?;
-         }
--        // The lock file is created after unpacking so we overwrite a lock file
--        // which may have been extracted from the package.
-+        // Now that we've finished unpacking, create and write to the lock file to indicate that
-+        // unpacking was successful.
-         let mut ok = OpenOptions::new()
--            .create(true)
-+            .create_new(true)
-             .read(true)
-             .write(true)
-             .open(&path)
-             .with_context(|| format!("failed to open `{}`", path.display()))?;
--
--        // Write to the lock file to indicate that unpacking was successful.
-         write!(ok, "ok")?;
-         Ok(unpack_dir.to_path_buf())
--- 
-2.34.1
-
diff --git a/debian/patches/0001-CVE-2022-36114-limit-the-maximum-unpacked-size-of-a-.patch b/debian/patches/0001-CVE-2022-36114-limit-the-maximum-unpacked-size-of-a-.patch
deleted file mode 100644 (file)
index 40549f2..0000000
+++ /dev/null
@@ -1,103 +0,0 @@
-From 886efa25746cc4bf397442adebd43d2159bd09d2 Mon Sep 17 00:00:00 2001
-From: Josh Triplett <josh@joshtriplett.org>
-Date: Thu, 18 Aug 2022 17:45:45 +0200
-Subject: [PATCH 1/2] CVE-2022-36114: limit the maximum unpacked size of a
- crate to 512MB
-
-This gives users of custom registries the same protections, using the
-same size limit that crates.io uses.
-
-`LimitErrorReader` code copied from crates.io.
----
- src/cargo/sources/registry/mod.rs |  6 +++++-
- src/cargo/util/io.rs              | 26 ++++++++++++++++++++++++++
- src/cargo/util/mod.rs             |  2 ++
- 3 files changed, 33 insertions(+), 1 deletion(-)
- create mode 100644 src/cargo/util/io.rs
-
-diff --git a/src/cargo/sources/registry/mod.rs b/src/cargo/sources/registry/mod.rs
-index b28bc4942..b1e246968 100644
---- a/src/cargo/sources/registry/mod.rs
-+++ b/src/cargo/sources/registry/mod.rs
-@@ -182,7 +182,9 @@ use crate::util::hex;
- use crate::util::interning::InternedString;
- use crate::util::into_url::IntoUrl;
- use crate::util::network::PollExt;
--use crate::util::{restricted_names, CargoResult, Config, Filesystem, OptVersionReq};
-+use crate::util::{
-+    restricted_names, CargoResult, Config, Filesystem, LimitErrorReader, OptVersionReq,
-+};
- const PACKAGE_SOURCE_LOCK: &str = ".cargo-ok";
- pub const CRATES_IO_INDEX: &str = "https://github.com/rust-lang/crates.io-index";
-@@ -194,6 +196,7 @@ const VERSION_TEMPLATE: &str = "{version}";
- const PREFIX_TEMPLATE: &str = "{prefix}";
- const LOWER_PREFIX_TEMPLATE: &str = "{lowerprefix}";
- const CHECKSUM_TEMPLATE: &str = "{sha256-checksum}";
-+const MAX_UNPACK_SIZE: u64 = 512 * 1024 * 1024;
- /// A "source" for a local (see `local::LocalRegistry`) or remote (see
- /// `remote::RemoteRegistry`) registry.
-@@ -615,6 +618,7 @@ impl<'cfg> RegistrySource<'cfg> {
-             }
-         }
-         let gz = GzDecoder::new(tarball);
-+        let gz = LimitErrorReader::new(gz, MAX_UNPACK_SIZE);
-         let mut tar = Archive::new(gz);
-         let prefix = unpack_dir.file_name().unwrap();
-         let parent = unpack_dir.parent().unwrap();
-diff --git a/src/cargo/util/io.rs b/src/cargo/util/io.rs
-new file mode 100644
-index 000000000..cc617954e
---- /dev/null
-+++ b/src/cargo/util/io.rs
-@@ -0,0 +1,26 @@
-+use std::io::{self, Read, Take};
-+
-+#[derive(Debug)]
-+pub struct LimitErrorReader<R> {
-+    inner: Take<R>,
-+}
-+
-+impl<R: Read> LimitErrorReader<R> {
-+    pub fn new(r: R, limit: u64) -> LimitErrorReader<R> {
-+        LimitErrorReader {
-+            inner: r.take(limit),
-+        }
-+    }
-+}
-+
-+impl<R: Read> Read for LimitErrorReader<R> {
-+    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
-+        match self.inner.read(buf) {
-+            Ok(0) if self.inner.limit() == 0 => Err(io::Error::new(
-+                io::ErrorKind::Other,
-+                "maximum limit reached when reading",
-+            )),
-+            e => e,
-+        }
-+    }
-+}
-diff --git a/src/cargo/util/mod.rs b/src/cargo/util/mod.rs
-index 4b8604f92..dd695fbff 100644
---- a/src/cargo/util/mod.rs
-+++ b/src/cargo/util/mod.rs
-@@ -14,6 +14,7 @@ pub use self::hasher::StableHasher;
- pub use self::hex::{hash_u64, short_hash, to_hex};
- pub use self::into_url::IntoUrl;
- pub use self::into_url_with_base::IntoUrlWithBase;
-+pub(crate) use self::io::LimitErrorReader;
- pub use self::lev_distance::{closest, closest_msg, lev_distance};
- pub use self::lockserver::{LockServer, LockServerClient, LockServerStarted};
- pub use self::progress::{Progress, ProgressStyle};
-@@ -44,6 +45,7 @@ pub mod important_paths;
- pub mod interning;
- pub mod into_url;
- mod into_url_with_base;
-+mod io;
- pub mod job;
- pub mod lev_distance;
- mod lockserver;
--- 
-2.34.1
-
index 95b58862d19bdd8686582936c3c50c5b5cd77df1..5e31759dd38ecfd1ded2c096fd2009ea03522505 100644 (file)
@@ -45,12 +45,12 @@ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
          .file(
 --- a/tests/testsuite/publish.rs
 +++ b/tests/testsuite/publish.rs
-@@ -1642,7 +1642,7 @@
-     t.join().unwrap();
+@@ -1584,7 +1584,7 @@
+         .run();
  }
  
 -#[cargo_test]
 +#[allow(dead_code)]
  fn api_curl_error() {
      // Registry has a network error.
-     let t = registry::RegistryBuilder::new().build_api_server(&|_headers| panic!("broke!"));
+     let _registry = registry::RegistryBuilder::new()
index 988a00bc2092f26510517138b98953d335589d54..cc97491335443647a4a93058b778ce1a62a3f811 100644 (file)
@@ -1,7 +1,5 @@
 2002_disable-net-tests.patch
 
 2200-workaround-x32-test.patch
-0001-CVE-2022-36113-avoid-unpacking-.cargo-ok-from-the-cr.patch
-0001-CVE-2022-36114-limit-the-maximum-unpacked-size-of-a-.patch
 disable-fs-specific-test.patch
 0003-tests-add-missing-cross-disabled-checks.patch