blob: a87687dce38723f758849528be86cc7f06e0d422 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
|
From 97b80919e404b0768ea31ae329c3b4da54bed05a Mon Sep 17 00:00:00 2001
From: Josh Triplett <josh@joshtriplett.org>
Date: Thu, 18 Aug 2022 17:17:19 +0200
Subject: [PATCH] CVE-2022-36113: avoid unpacking .cargo-ok from the crate
---
src/cargo/sources/registry/mod.rs | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
gyakovlev: 'sed -i 's|/src/cargo|/src/tools/cargo/src/cargo|g'
diff --git a/src/tools/cargo/src/cargo/sources/registry/mod.rs b/src/tools/cargo/src/cargo/sources/registry/mod.rs
index c17b822fd0..a2863bf78a 100644
--- a/src/tools/cargo/src/cargo/sources/registry/mod.rs
+++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs
@@ -639,6 +639,13 @@ impl<'cfg> RegistrySource<'cfg> {
prefix
)
}
+ // Prevent unpacking the lockfile from the crate itself.
+ if entry_path
+ .file_name()
+ .map_or(false, |p| p == PACKAGE_SOURCE_LOCK)
+ {
+ continue;
+ }
// Unpacking failed
let mut result = entry.unpack_in(parent).map_err(anyhow::Error::from);
if cfg!(windows) && restricted_names::is_windows_reserved_path(&entry_path) {
@@ -654,16 +661,14 @@ impl<'cfg> RegistrySource<'cfg> {
.with_context(|| format!("failed to unpack entry at `{}`", entry_path.display()))?;
}
- // The lock file is created after unpacking so we overwrite a lock file
- // which may have been extracted from the package.
+ // Now that we've finished unpacking, create and write to the lock file to indicate that
+ // unpacking was successful.
let mut ok = OpenOptions::new()
- .create(true)
+ .create_new(true)
.read(true)
.write(true)
.open(&path)
.with_context(|| format!("failed to open `{}`", path.display()))?;
-
- // Write to the lock file to indicate that unpacking was successful.
write!(ok, "ok")?;
Ok(unpack_dir.to_path_buf())
|
