rustc-1.71.1

[ken@…]

This was announced on oss-security on Friday, ​https://www.openwall.com/lists/oss-security/2023/08/03/2 but unless I'm missing something we don't seem to have spotted it.

Release notes at ​https://blog.rust-lang.org/2023/08/03/Rust-1.71.1.html

Cargo (all rust versions before 1.71.1) did not respect the umask during extraction, so if files were writable by any user on the system, and other security measures did not prevent it, anthr local user could replace or tweak the code, potentially achieving code execution the next time the project is run. CVE-2023-38497

To prevent existing cached extractions from being exploitable, the Cargo binary included in Rust 1.71.1 or later will purge the caches it tries to access if they were generated by older Cargo versions.

[Bruce Dubbs]

I cannot find the source at ​https://github.com/rust-lang/rust/releases

But it is at ​https://github.com/rust-lang/rust/tags

The tagged version can be downloaded with ​https://static.rust-lang.org/dist/rustc-1.71.1-src.tar.xz (145 MB)

[Douglas R. Reno]

Version 1.71.1 (2023-08-03)

    Fix CVE-2023-38497: Cargo did not respect the umask when extracting dependencies
    Fix bash completion for users of Rustup
    Do not show suspicious_double_ref_op lint when calling borrow()
    Fix ICE: substitute types before checking inlining compatibility
    Fix ICE: don't use can_eq in derive(..) suggestion for missing method
    Fix building Rust 1.71.0 from the source tarball

[Douglas R. Reno]

While I'm waiting for this to build, I have SA-11.3-074 queued up.

[Douglas R. Reno]

Fixed at 134f1cbadc146c4e97c09551db4b8a6c0a35df58

SA-11.3-074 issued