Skip to content

Instantly share code, notes, and snippets.

@pietroalbini

pietroalbini/CVE-2019-16760.md

Last active July 6, 2021 08:27
Show Gist options
  • Save pietroalbini/0d293b24a44babbeb6187e06eebd4992 to your computer and use it in GitHub Desktop.
Save pietroalbini/0d293b24a44babbeb6187e06eebd4992 to your computer and use it in GitHub Desktop.
Download ZIP
Patches for CVE-2019-16760
Raw
CVE-2019-16760.md

Patches for CVE-2019-16760

This gist contains the patches for CVE-2019-16760 (read the security advisory). The following patches are available:

The patches are meant to be applied on top of a source tarball of Rust, and they contain both the fix to the vulnerability and a test to ensure they work. Running Cargo's test suite should also execute the new test.

The patches are released under both the MIT license and the Apache 2.0 license, and signatures from the Rust Security Team's GPG key are provided. This gist was created by a member of the Rust Security team, and it is linked in the security advisory as the official source for the patches.

Raw
rust-1.19.0.patch
diff --git a/src/tools/cargo/src/cargo/util/toml.rs b/src/tools/cargo/src/cargo/util/toml.rs
--- a/src/tools/cargo/src/cargo/util/toml.rs
+++ b/src/tools/cargo/src/cargo/util/toml.rs
@@ -169,7 +169,15 @@ impl<'de> de::Deserialize<'de> for TomlDependency {
where V: de::MapAccess<'de>
{
let mvd = de::value::MapAccessDeserializer::new(map);
- DetailedTomlDependency::deserialize(mvd).map(TomlDependency::Detailed)
+ let dep = DetailedTomlDependency::deserialize(mvd).map(TomlDependency::Detailed);
+ if let Ok(&TomlDependency::Detailed(ref dep)) = dep.as_ref() {
+ if dep.package.is_some() {
+ return Err(<V::Error as de::Error>::custom(
+ "the package subkey is not allowed due to CVE-2019-16760"
+ ));
+ }
+ }
+ dep
}
}
@@ -187,6 +195,7 @@ pub struct DetailedTomlDependency {
git: Option<String>,
branch: Option<String>,
tag: Option<String>,
+ package: Option<String>,
rev: Option<String>,
features: Option<Vec<String>>,
optional: Option<bool>,
diff --git a/src/tools/cargo/tests/cve_2019_16760.rs b/src/tools/cargo/tests/cve_2019_16760.rs
new file mode 100644
--- /dev/null
+++ b/src/tools/cargo/tests/cve_2019_16760.rs
@@ -0,0 +1,28 @@
+extern crate cargotest;
+extern crate hamcrest;
+
+use cargotest::support::{project, execs};
+use hamcrest::assert_that;
+
+#[test]
+fn test_cve_2019_16760() {
+ let pb = project("foo")
+ .file("Cargo.toml", r#"
+ [package]
+ name = "foo"
+ version = "0.0.0"
+ authors = []
+
+ [dependencies]
+ lazy_static1 = { version = "1", package = "lazy_static" }
+ "#)
+ .file("src/lib.rs", "");
+ let p = pb.build();
+
+ assert_that(p.cargo("check"), execs().with_status(101).with_stderr("\
+error: failed to parse manifest at `[..]`
+
+Caused by:
+ the package subkey is not allowed due to CVE-2019-16760 for key `dependencies.lazy_static1`
+"));
+}
Raw
rust-1.19.0.patch.asc
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEV2nIi/XdPRSiNKes77mGCudSDawFAl2SDVUACgkQ77mGCudS
DawFtw/+Izd+WevY6f+vZSYEvgxVlJ/3Ebdv14NQReiLgTBk+zAc0eTQLPHEj92+
lIiheh4IBA5xbzg6x4vXLsfk3KjKh8FeKq/Am5i9ZqHG0QTFxsJeyAUBCnnuf2v+
zZ95O37/cGC92/MA3RGO8SJ3Fdr21G3Fp6aKhhB2gCt1wI/yxNmf9WZm/RQ4C5ir
ORKKqJ9wlEB4VwekHjZ53khtBRKRgImJzPLdBnKhImMmaBkZWJssZ/Dtgub9lB91
dh3gx+WCqihuJZ0+gmkIHkyeWRfS75lT4PLWB0ppNVlvN8Twlaq52wb0++K/KcnH
IH5brdr2RR3m84lddkzKS7s+AMUXR3I4iHUP+QQYjcTSyV+q4kodf3MGQdG8YA8C
E+eodS6XoY+7cfLP8XYvzIz1w7aXJwkbkvy9bLdqLQ8uXldR0rhD/mnEANjP4XDG
ymBnzY+bBbtkTQxyVuIdcAh6VXDjHm5YnUi8uoy9DjwZMF9C+uSJyQxzx4rMt7Eo
bRWu+VdJrXcs5dQVwnjAMCZf+Tzmx/Z8/8eOVkqM30nJfn+m26DZCPOzRiDmswiC
G/HU6u4ji5wCQ77hq5tCOeUVROkTH5IGC99XkFCGYzfePIyucj941q0OajWF213V
NsG7vpzYG0eET4YtHG9gTcRk54zYmMBODyhJcrSD3xs3rBC8E+k=
=vOYF
-----END PGP SIGNATURE-----
Raw
rust-1.2x.0.patch
diff --git a/src/tools/cargo/src/cargo/util/toml/mod.rs b/src/tools/cargo/src/cargo/util/toml/mod.rs
--- a/src/tools/cargo/src/cargo/util/toml/mod.rs
+++ b/src/tools/cargo/src/cargo/util/toml/mod.rs
@@ -169,7 +169,15 @@ impl<'de> de::Deserialize<'de> for TomlDependency {
where V: de::MapAccess<'de>
{
let mvd = de::value::MapAccessDeserializer::new(map);
- DetailedTomlDependency::deserialize(mvd).map(TomlDependency::Detailed)
+ let dep = DetailedTomlDependency::deserialize(mvd).map(TomlDependency::Detailed);
+ if let Ok(&TomlDependency::Detailed(ref dep)) = dep.as_ref() {
+ if dep.package.is_some() {
+ return Err(<V::Error as de::Error>::custom(
+ "the package subkey is not allowed due to CVE-2019-16760"
+ ));
+ }
+ }
+ dep
}
}
@@ -187,6 +195,7 @@ pub struct DetailedTomlDependency {
git: Option<String>,
branch: Option<String>,
tag: Option<String>,
+ package: Option<String>,
rev: Option<String>,
features: Option<Vec<String>>,
optional: Option<bool>,
diff --git a/src/tools/cargo/tests/cve_2019_16760.rs b/src/tools/cargo/tests/cve_2019_16760.rs
new file mode 100644
--- /dev/null
+++ b/src/tools/cargo/tests/cve_2019_16760.rs
@@ -0,0 +1,28 @@
+extern crate cargotest;
+extern crate hamcrest;
+
+use cargotest::support::{project, execs};
+use hamcrest::assert_that;
+
+#[test]
+fn test_cve_2019_16760() {
+ let pb = project("foo")
+ .file("Cargo.toml", r#"
+ [package]
+ name = "foo"
+ version = "0.0.0"
+ authors = []
+
+ [dependencies]
+ lazy_static1 = { version = "1", package = "lazy_static" }
+ "#)
+ .file("src/lib.rs", "");
+ let p = pb.build();
+
+ assert_that(p.cargo("check"), execs().with_status(101).with_stderr("\
+error: failed to parse manifest at `[..]`
+
+Caused by:
+ the package subkey is not allowed due to CVE-2019-16760 for key `dependencies.lazy_static1`
+"));
+}
Raw
rust-1.2x.0.patch.asc
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEV2nIi/XdPRSiNKes77mGCudSDawFAl2SDasACgkQ77mGCudS
DayqgA/9GVC+nbI7WmB3u2gUYi7WpUP8TgBqXM5HCD3+LiaV2jehIGxgWqGChokh
bvVB4SqiCHGISa9W6juWmbt5/5iImupJnxYB0ax+14hFFk1oR535JqznwkYDStkw
GZdMpGpmbQQraidis//nIYieQNduKMPBMbM5VUWABdcUyq2I0X5PfyrLDOcOQaUW
zCCW0LH2+NKvvhHVoYMnrUuIajPwYF4tLFdLh0IcqeoP/N8YygTN6Pf9yBAJhWNi
ty0TJFmbgAmK1sUgEJnKCk4U78zY63z4p9Op9rc8zk0F6PnQSDXe5gnFvIvCGlxA
90/EU3C1jEVP9Kpxn/gW8xjbugX3pd+/K9lQ55JKJItbqkvXgHHHMAT52ryIVlC8
LLiOLiQ+bhIFJrz198hK/rKV8Sv7UdVG0kBykvmK6i4Mcbc+/B+HX7SNhn+oP32+
UbbttReq0ebnWAhSFnMICIVixNFNvz5T2OiWXxyP2BN4JGfDvUGn/cnVMxGNYV++
i5wWUU1aWoTkLOEQfc7SKitacAuj9DmpVDHeNLNV2oMbnVFDbnFtFkwv12Zczlkc
fiHG1P3AYa0Vv2FrbWtEGVjdI+XXjDYgyGGTbir4nFof6oKeVx4RnaFHT2tvw8BX
kjvUKgdAc57e8ATSaWuegVZqDhL6kJvL59WmYOBhIHHgLh1bZxg=
=86AM
-----END PGP SIGNATURE-----
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment