From 4ffc06147cf7b398ff3d38a761b59988e8e4d522 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Wed, 11 Jan 2023 11:04:09 +0100
Subject: [PATCH] adjust CVE patches for src:cargo
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Cargo.toml files are not normalized here, since they are not obtained from crates.io but from the upstream tarball. The bundled cargo-test-support crate also needs to be adjusted.

Signed-off-by: Fabian Grünbichler
---
 ...2022-46176-01-validate-ssh-host.keys.patch | 73 +++++++++++--------
 ...22-46176-07-support-hashed-hostnames.patch | 37 +++++-----
 2 files changed, 58 insertions(+), 52 deletions(-)

diff --git a/debian/patches/cve/CVE-2022-46176-01-validate-ssh-host.keys.patch b/debian/patches/cve/CVE-2022-46176-01-validate-ssh-host.keys.patch
index c1f0287f9..590dd5d97 100644
--- a/debian/patches/cve/CVE-2022-46176-01-validate-ssh-host.keys.patch
+++ b/debian/patches/cve/CVE-2022-46176-01-validate-ssh-host.keys.patch
@@ -543,35 +543,44 @@ Index: cargo/src/doc/src/appendix/git-authentication.md
 +[sshd man page]: https://man.openbsd.org/sshd#SSH_KNOWN_HOSTS_FILE_FORMAT
 --- rust-cargo-0.66.0.orig/Cargo.toml
 +++ rust-cargo-0.66.0/Cargo.toml
-@@ -38,6 +38,9 @@ version = "1.0"
- [dependencies.atty]
- version = "0.2"
- 
-+[dependencies.base64]
-+version = "0.13"
-+
- [dependencies.bytesize]
- version = "1.0"
- 
-@@ -72,10 +75,10 @@ features = ["zlib"]
- default-features = false
- 
- [dependencies.git2]
--version = "0.15.0"
-+version = "0.16.0"
- 
- [dependencies.git2-curl]
--version = "0.16.0"
-+version = "0.17.0"
- 
- [dependencies.glob]
- version = "0.3.0"
-@@ -114,7 +120,7 @@ version = "1.2.0"
- version = "0.2"
- 
- [dependencies.libgit2-sys]
--version = "0.14.0"
-+version = "0.14.1"
- 
- [dependencies.log]
- version = "0.4.6"
+@@ -17,6 +17,7 @@ path = "src/cargo/lib.rs"
+ 
+ [dependencies]
+ atty = "0.2"
++base64 = "0.13"
+ bytesize = "1.0"
+ cargo-platform = { path = "crates/cargo-platform", version = "0.1.2" }
+ cargo-util = { path = "crates/cargo-util", version = "0.2.1" }
+@@ -28,8 +29,8 @@ pretty_env_logger = { version = "0.4", o
+ anyhow = "1.0"
+ filetime = "0.2.9"
+ flate2 = { version = "1.0.3", default-features = false, features = ["zlib"] }
+-git2 = "0.15.0"
+-git2-curl = "0.16.0"
++git2 = "0.16.0"
++git2-curl = "0.17.0"
+ glob = "0.3.0"
+ hex = "0.4"
+ home = "0.5"
+@@ -41,7 +42,7 @@ jobserver = "0.1.24"
+ lazycell = "1.2.0"
+ libc = "0.2"
+ log = "0.4.6"
+-libgit2-sys = "0.14.0"
++libgit2-sys = "0.14.1"
+ memchr = "2.1.3"
+ opener = "0.5"
+ os_info = "3.5.0"
+
+--- cargo-0.66/crates/cargo-test-support/Cargo.toml.orig 2023-01-11 11:33:00.584077593 +0100
++++ cargo-0.66/crates/cargo-test-support/Cargo.toml 2023-01-11 11:33:12.564917363 +0100
+@@ -14,7 +14,7 @@ cargo-util = { path = "../cargo-util" }
+ snapbox = { version = "0.3.0", features = ["diff", "path"] }
+ filetime = "0.2"
+ flate2 = { version = "1.0", default-features = false, features = ["zlib"] }
+-git2 = "0.15.0"
++git2 = "0.16.0"
+ glob = "0.3"
+ itertools = "0.10.0"
+ lazy_static = "1.0"
+
diff --git a/debian/patches/cve/CVE-2022-46176-07-support-hashed-hostnames.patch b/debian/patches/cve/CVE-2022-46176-07-support-hashed-hostnames.patch
index 344059502..65c5eb7a6 100644
--- a/debian/patches/cve/CVE-2022-46176-07-support-hashed-hostnames.patch
+++ b/debian/patches/cve/CVE-2022-46176-07-support-hashed-hostnames.patch
@@ -106,23 +106,20 @@ Index: cargo/src/cargo/sources/git/known_hosts.rs
  #[test]
 --- rust-cargo-0.66.0.orig/Cargo.toml
 +++ rust-cargo-0.66.0/Cargo.toml
-@@ -83,6 +86,9 @@ version = "0.3.0"
- [dependencies.hex]
- version = "0.4"
- 
-+[dependencies.hmac]
-+version = "0.12.1"
-+
- [dependencies.home]
- version = "0.5"
- 
-@@ -163,6 +169,9 @@ version = "0.1.0"
- version = "1.0.30"
- features = ["raw_value"]
- 
-+[dependencies.sha1]
-+version = "0.10.1"
-+
- [dependencies.shell-escape]
- version = "0.1.4"
- 
+@@ -33,6 +33,7 @@ git2 = "0.16.0"
+ git2-curl = "0.17.0"
+ glob = "0.3.0"
+ hex = "0.4"
++hmac = "0.12.1"
+ home = "0.5"
+ humantime = "2.0.0"
+ indexmap = "1"
+@@ -53,6 +54,7 @@ semver = { version = "1.0.3", features =
+ serde = { version = "1.0.123", features = ["derive"] }
+ serde_ignored = "0.1.0"
+ serde_json = { version = "1.0.30", features = ["raw_value"] }
++sha1 = "0.10.1"
+ shell-escape = "0.1.4"
+ strip-ansi-escapes = "0.1.0"
+ tar = { version = "0.4.38", default-features = false }
+
-- 
2.39.2
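Review bot: The new cargo-test-support section added at the end of this hunk uses a different file-header convention from the rest of the patch: `--- cargo-0.66/crates/cargo-test-support/Cargo.toml.orig 2023-01-11 ...` / `+++ cargo-0.66/crates/cargo-test-support/Cargo.toml 2023-01-11 ...`, with a `.orig` suffix and wall-clock timestamps, while the top-level Cargo.toml section just above uses `--- rust-cargo-0.66.0.orig/Cargo.toml` / `+++ rust-cargo-0.66.0/Cargo.toml`. Both strip to the same relative path at -p1 so the patch should still apply, but the mismatched old/new names leave `patch` to choose between `Cargo.toml.orig` and `Cargo.toml`, and the timestamps are noise that will churn on every quilt refresh. I would rewrite the two header lines as `--- rust-cargo-0.66.0.orig/crates/cargo-test-support/Cargo.toml` and `+++ rust-cargo-0.66.0/crates/cargo-test-support/Cargo.toml` so the file follows one convention.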