49 lines
2.0 KiB
Diff
49 lines
2.0 KiB
Diff
From 97b80919e404b0768ea31ae329c3b4da54bed05a Mon Sep 17 00:00:00 2001
|
|
From: Josh Triplett <josh@joshtriplett.org>
|
|
Date: Thu, 18 Aug 2022 17:17:19 +0200
|
|
Subject: [PATCH] CVE-2022-36113: avoid unpacking .cargo-ok from the crate
|
|
|
|
---
|
|
src/cargo/sources/registry/mod.rs | 15 ++++++++++-----
|
|
1 file changed, 10 insertions(+), 5 deletions(-)
|
|
gyakovlev: 'sed -i 's|/src/cargo|/src/tools/cargo/src/cargo|g'
|
|
|
|
diff --git a/src/tools/cargo/src/cargo/sources/registry/mod.rs b/src/tools/cargo/src/cargo/sources/registry/mod.rs
|
|
index c17b822fd0..a2863bf78a 100644
|
|
--- a/src/tools/cargo/src/cargo/sources/registry/mod.rs
|
|
+++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs
|
|
@@ -639,6 +639,13 @@ impl<'cfg> RegistrySource<'cfg> {
|
|
prefix
|
|
)
|
|
}
|
|
+ // Prevent unpacking the lockfile from the crate itself.
|
|
+ if entry_path
|
|
+ .file_name()
|
|
+ .map_or(false, |p| p == PACKAGE_SOURCE_LOCK)
|
|
+ {
|
|
+ continue;
|
|
+ }
|
|
// Unpacking failed
|
|
let mut result = entry.unpack_in(parent).map_err(anyhow::Error::from);
|
|
if cfg!(windows) && restricted_names::is_windows_reserved_path(&entry_path) {
|
|
@@ -654,16 +661,14 @@ impl<'cfg> RegistrySource<'cfg> {
|
|
.with_context(|| format!("failed to unpack entry at `{}`", entry_path.display()))?;
|
|
}
|
|
|
|
- // The lock file is created after unpacking so we overwrite a lock file
|
|
- // which may have been extracted from the package.
|
|
+ // Now that we've finished unpacking, create and write to the lock file to indicate that
|
|
+ // unpacking was successful.
|
|
let mut ok = OpenOptions::new()
|
|
- .create(true)
|
|
+ .create_new(true)
|
|
.read(true)
|
|
.write(true)
|
|
.open(&path)
|
|
.with_context(|| format!("failed to open `{}`", path.display()))?;
|
|
-
|
|
- // Write to the lock file to indicate that unpacking was successful.
|
|
write!(ok, "ok")?;
|
|
|
|
Ok(unpack_dir.to_path_buf())
|