
A rust, rust1.58, rust1.59 security update has been released for openSUSE Leap 15.3 and 15.4.



openSUSE-SU-2022:0843-1: moderate: Security update for rust, rust1.58, rust1.59


openSUSE Security Update: Security update for rust, rust1.58, rust1.59
______________________________________________________________________________

Announcement ID: openSUSE-SU-2022:0843-1
Rating: moderate
References: #1194767
Cross-References: CVE-2022-21658
CVSS scores:
CVE-2022-21658 (NVD) : 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
CVE-2022-21658 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Products:
openSUSE Leap 15.3
openSUSE Leap 15.4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for rust, rust1.58, rust1.59 fixes the following issues:

This update provides both rust1.58 and rust1.59.

Changes in rust1.58:

- Add recommends for GCC for installs to be able to link.
- Add suggests for lld/clang, which are faster than gcc for linking, to
let users choose which linker they use.
- CVE-2022-21658: Resolve race condition in std::fs::remove_dir_all
(bsc#1194767)
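The race behind CVE-2022-21658, as background the advisory does not spell out: remove_dir_all checked whether an entry was a symlink and then recursed by path, so a directory swapped for a symlink between the two steps was followed. The Rust below is an added example, not the standard library's fix; it shows the lstat/open/fstat binding that defeats that kind of swap, using a constructed temp-directory layout and the `{ident}` format capture this same release stabilizes (Unix only).

```rust
// Added example, not code from the advisory or from the Rust project.
// CVE-2022-21658 was a check-then-use race: remove_dir_all tested whether an
// entry was a symlink and then recursed by path, so a directory replaced by a
// symlink in between was followed. The defensive pattern below binds the
// check to the object actually opened: lstat the path, open it, fstat the
// handle, and proceed only if both name the same non-symlink directory.
use std::fs::{self, File};
use std::io;
use std::os::unix::fs::MetadataExt; // dev()/ino(); Unix-only
use std::path::Path;

/// Open `dir` for traversal only if it is a plain directory (not a symlink)
/// and the handle returned by open() refers to that same inode.
pub fn open_dir_nofollow(dir: &Path) -> io::Result<File> {
    let before = fs::symlink_metadata(dir)?; // lstat: never follows a link
    if before.file_type().is_symlink() || !before.is_dir() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "not a plain directory"));
    }
    let handle = File::open(dir)?; // open() would follow a link silently...
    let after = handle.metadata()?; // ...but fstat reports what we really got
    if after.dev() != before.dev() || after.ino() != before.ino() {
        return Err(io::Error::new(io::ErrorKind::Other, "path changed between lstat and open"));
    }
    Ok(handle)
}

/// Constructed scenario under the system temp dir (hypothetical layout).
/// Returns (plain_dir_accepted, symlink_rejected, regular_file_rejected).
pub fn run_scenario() -> io::Result<(bool, bool, bool)> {
    let base = std::env::temp_dir().join(format!("nofollow-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base); // discard leftovers from an earlier run
    fs::create_dir_all(base.join("real"))?;
    fs::create_dir_all(base.join("elsewhere"))?;
    fs::write(base.join("file"), b"not a directory")?;
    // A link standing where a directory is expected: the shape the race produces.
    std::os::unix::fs::symlink(base.join("elsewhere"), base.join("swapped"))?;
    let plain_ok = open_dir_nofollow(&base.join("real")).is_ok();
    let link_rejected = open_dir_nofollow(&base.join("swapped")).is_err();
    let file_rejected = open_dir_nofollow(&base.join("file")).is_err();
    let _ = fs::remove_dir_all(&base);
    Ok((plain_ok, link_rejected, file_rejected))
}

fn main() {
    match run_scenario() {
        Ok((a, b, c)) => println!("plain dir: {a}, symlink rejected: {b}, file rejected: {c}"),
        Err(e) => eprintln!("scenario failed: {e}"),
    }
}
```

The dev/ino comparison is what makes the check sound: whatever happens to the path after lstat, fstat describes the object the handle actually refers to, so a mismatch is rejected instead of followed.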

Version 1.58.0 (2022-01-13)
==========================

Language
--------
- [Format strings can now capture arguments simply by writing `{ident}` in
the string.][90473] This works in all macros accepting format strings.
Support for this in `panic!` (`panic!("{ident}")`) requires the 2021
edition; panic invocations in previous editions that appear to be trying
to use this will result in a warning lint about not having the intended
effect.
- [`*const T` pointers can now be dereferenced in const contexts.][89551]
- [The rules for when a generic struct implements `Unsize` have been
relaxed.][90417]

Compiler
--------
- [Add LLVM CFI support to the Rust compiler][89652]
- [Stabilize -Z strip as -C strip][90058]. Note that while release builds
already don't add debug symbols for the code you compile, the compiled
standard library that ships with Rust includes debug symbols, so you may
want to use the `strip` option to remove these symbols to produce
smaller release binaries. Note that this release only includes support
in rustc, not directly in cargo.
- [Add support for LLVM coverage mapping format versions 5 and 6][91207]
- [Emit LLVM optimization remarks when enabled with `-Cremark`][90833]
- [Update the minimum external LLVM to 12][90175]
- [Add `x86_64-unknown-none` at Tier 3*][89062]
- [Build musl dist artifacts with debuginfo enabled][90733]. When building
release binaries using musl, you may want to use the newly stabilized
strip option to remove these debug symbols, reducing the size of your
binaries.
- [Don't abort compilation after giving a lint error][87337]
- [Error messages point at the source of trait bound obligations in more
places][89580]

\* Refer to Rust's [platform support page][platform-support-doc] for more
information on Rust's tiered platform support.

Libraries
---------

- [All remaining functions in the standard library have `#[must_use]`
annotations where appropriate][89692], producing a warning when ignoring
their return value. This helps catch mistakes such as expecting a
function to mutate a value in place rather than return a new value.
- [Paths are automatically canonicalized on Windows for operations that
support it][89174]
- [Re-enable debug checks for `copy` and `copy_nonoverlapping`][90041]
- [Implement `RefUnwindSafe` for `Rc`][87467]
- [Make RSplit: Clone not require T: Clone][90117]
- [Implement `Termination` for `Result`][88601]. This
allows writing `fn main() -> Result`, for a
program whose successful exits never involve returning from `main` (for
instance, a program that calls `exit`, or that uses `exec` to run
another program).

Stabilized APIs
---------------

- [`Metadata::is_symlink`]
- [`Path::is_symlink`]
- [`{integer}::saturating_div`]
- [`Option::unwrap_unchecked`]
- [`Result::unwrap_unchecked`]
- [`Result::unwrap_err_unchecked`]
- [`NonZero{unsigned}::is_power_of_two`]
- [`File::options`]

These APIs are now usable in const contexts:
- [`Duration::new`]
- [`Duration::checked_add`]
- [`Duration::saturating_add`]
- [`Duration::checked_sub`]
- [`Duration::saturating_sub`]
- [`Duration::checked_mul`]
- [`Duration::saturating_mul`]
- [`Duration::checked_div`]
- [`MaybeUninit::as_ptr`]
- [`MaybeUninit::as_mut_ptr`]
- [`MaybeUninit::assume_init`]
- [`MaybeUninit::assume_init_ref`]

Cargo
-----

- [Add --message-format for install command][cargo/10107]
- [Warn when alias shadows external subcommand][cargo/10082]

Rustdoc
-------

- [Show all Deref implementations recursively in rustdoc][90183]
- [Use computed visibility in rustdoc][88447]

Compatibility Notes
-------------------

- [Try all stable method candidates first before trying unstable
ones][90329]. This change ensures that adding new nightly-only methods
to the Rust standard library will not break code invoking methods of the
same name from traits outside the standard library.
- Windows: [`std::process::Command` will no longer search the current
directory for executables.][87704]
- [All proc-macro backward-compatibility lints are now
deny-by-default.][88041]
- [proc_macro: Append .0 to unsuffixed float if it would otherwise become
int token][90297]
- [Refactor weak symbols in std::sys::unix][90846]. This optimizes
accesses to glibc functions, by avoiding the use of dlopen. This does
not increase the [minimum expected version of
glibc](https://doc.rust-lang.org/nightly/rustc/platform-support.html).
However, software distributions that use symbol versions to detect
library dependencies, and which take weak symbols into account in that
analysis, may detect rust binaries as requiring newer versions of glibc.
- [rustdoc now rejects some unexpected semicolons in doctests][91026]

Version 1.59.0 (2022-02-24)
==========================

Language
--------

- [Stabilize default arguments for const generics][90207]
- [Stabilize destructuring assignment][90521]
- [Relax private in public lint on generic bounds and where clauses of
trait impls][90586]
- [Stabilize asm! and global_asm! for x86, x86_64, ARM, Aarch64, and
RISC-V][91728]

Compiler
--------

- [Stabilize new symbol mangling format, leaving it opt-in
(-Csymbol-mangling-version=v0)][90128]
- [Emit LLVM optimization remarks when enabled with `-Cremark`][90833]
- [Fix sparc64 ABI for aggregates with floating point members][91003]
- [Warn when a `#[test]`-like built-in attribute macro is present multiple
times.][91172]
- [Add support for riscv64gc-unknown-freebsd][91284]
- [Stabilize `-Z emit-future-incompat` as `--json future-incompat`][91535]

Libraries
---------

- [Remove unnecessary bounds for some Hash{Map,Set} methods][91593]

Stabilized APIs
---------------

- [`std::thread::available_parallelism`][available_parallelism]
- [`Result::copied`][result-copied]
- [`Result::cloned`][result-cloned]
- [`arch::asm!`][asm]
- [`arch::global_asm!`][global_asm]
- [`ops::ControlFlow::is_break`][is_break]
- [`ops::ControlFlow::is_continue`][is_continue]
- [`TryFrom for u8`][try_from_char_u8]
- [`char::TryFromCharError`][try_from_char_err] implementing `Clone`,
`Debug`, `Display`, `PartialEq`, `Copy`, `Eq`, `Error`
- [`iter::zip`][zip]
- [`NonZeroU8::is_power_of_two`][is_power_of_two8]
- [`NonZeroU16::is_power_of_two`][is_power_of_two16]
- [`NonZeroU32::is_power_of_two`][is_power_of_two32]
- [`NonZeroU64::is_power_of_two`][is_power_of_two64]
- [`NonZeroU128::is_power_of_two`][is_power_of_two128]
- [`DoubleEndedIterator for ToLowercase`][lowercase]
- [`DoubleEndedIterator for ToUppercase`][uppercase]
- [`TryFrom for [T; N]`][tryfrom_ref_arr]
- [`UnwindSafe for Once`][unwindsafe_once]
- [`RefUnwindSafe for Once`][refunwindsafe_once]
- [armv8 neon intrinsics for aarch64][stdarch/1266]

Const-stable:
- [`mem::MaybeUninit::as_ptr`][muninit_ptr]
- [`mem::MaybeUninit::assume_init`][muninit_init]
- [`mem::MaybeUninit::assume_init_ref`][muninit_init_ref]
- [`ffi::CStr::from_bytes_with_nul_unchecked`][cstr_from_bytes]

Cargo
-----

- [Stabilize the `strip` profile option][cargo/10088]
- [Stabilize future-incompat-report][cargo/10165]
- [Support abbreviating `--release` as `-r`][cargo/10133]
- [Support `term.quiet` configuration][cargo/10152]
- [Remove `--host` from cargo {publish,search,login}][cargo/10145]

Compatibility Notes
-------------------

- [Refactor weak symbols in std::sys::unix][90846] This may add new,
versioned, symbols when building with a newer glibc, as the standard
library uses weak linkage rather than dynamically attempting to load
certain symbols at runtime.
- [Deprecate crate_type and crate_name nested inside
`#![cfg_attr]`][83744] This adds a future compatibility lint to
supporting the use of cfg_attr wrapping either crate_type or crate_name
specification within Rust files; it is recommended that users migrate to
setting the equivalent command line flags.
- [Remove effect of `#[no_link]` attribute on name resolution][92034] This
may expose new names, leading to conflicts with preexisting names in a
given namespace and a compilation failure.
- [Cargo will document libraries before binaries.][cargo/10172]
- [Respect doc=false in dependencies, not just the root crate][cargo/10201]
- [Weaken guarantee around advancing underlying iterators in zip][83791]
- [Make split_inclusive() on an empty slice yield an empty output][89825]
- [Update std::env::temp_dir to use GetTempPath2 on Windows when
available.][89999]

Changes in rust wrapper package:

- Update to version 1.59.0 - for details see the rust1.59 package

- Update package description to help users choose what tooling to install.

- Provide rust+cargo by cargo: all cargo packages provide this symbol
too. Having the meta package provide it allows OBS to have a generic
preference for the meta package for all packages 'just' requiring
rust+cargo.

- Update to version 1.58.0

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.4:

zypper in -t patch openSUSE-SLE-15.4-2022-843=1

- openSUSE Leap 15.3:

zypper in -t patch openSUSE-SLE-15.3-2022-843=1


Package List:

- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):

cargo-1.59.0-150300.21.20.1
rust-1.59.0-150300.21.20.1

- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

cargo-1.59.0-150300.21.20.1
cargo1.58-1.58.0-150300.7.3.1
cargo1.58-debuginfo-1.58.0-150300.7.3.1
cargo1.59-1.59.0-150300.7.4.2
cargo1.59-debuginfo-1.59.0-150300.7.4.2
rust-1.59.0-150300.21.20.1
rust1.58-1.58.0-150300.7.3.1
rust1.58-debuginfo-1.58.0-150300.7.3.1
rust1.59-1.59.0-150300.7.4.2
rust1.59-debuginfo-1.59.0-150300.7.4.2

References:

  https://www.suse.com/security/cve/CVE-2022-21658.html
  https://bugzilla.suse.com/1194767