Opened 3 months ago

Closed 3 months ago

#15000 closed enhancement (fixed)

Update rustc to fix recent vulnerabilities.

Reported by: ken@… Owned by: ken@…
Priority: elevated Milestone: 10.2
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

In https://lore.kernel.org/lkml/20210502093123.GC12293@localhost/ several vulnerabilities in the rust standard library were identified. Distros such as fedora and debian appear to build rust with static libs, and take the view that all programs which use rust need to be recompiled after upgrading the compiler to fix this.

It appears that for the few rust packages which are in blfs that will not be necessary (they do not have problems at runtime if /opt/rustc is switched to a different version and the hashed name of the standard library is thus no longer available, i.e. we think it is a build-time vulnerability for our packages).

One of the CVEs says it applies to rust before 1.53.0, but the fix has been backported to 1.51.0 (see fedora) and is apparently included in 1.52.0 which should be released in the next 24 hours.

At the moment, patched 1.51.0 builds everything in blfs which uses rust, but using unpatched 1.52.0 would be nicer if it too can build everything.

Change History (8)

comment:1 by ken@…, 3 months ago

Owner: changed from blfs-book to ken@…
Status: new → assigned

comment:2 by ken@…, 3 months ago

Current status: using 1.52.0 built with llvm-11.1.0, everything except seamonkey builds. For seamonkey I have not yet managed to find the actual error report, far too many warnings cluttering up the log.

At the moment there are no reports of similar issues (not exactly surprising at this early stage) and the old seamonkey ticket for fixes for newer versions of rust has been closed.

comment:3 by ken@…, 3 months ago

As always, rust errors are hard to find: the Error 101 I got comes later, or much later, and only means "something wrong somewhere".

In this case the first error was:

error: Cannot set `RUSTC_BOOTSTRAP=1` from build script of `encoding_rs v0.8.16`.
note: Crates cannot set `RUSTC_BOOTSTRAP` themselves, as doing so would subvert the stability guarantees of Rust for your project.
help: If you're sure you want to do this in your project, set the environment variable `RUSTC_BOOTSTRAP=encoding_rs` before running cargo instead.

I did not get much further, same error for packed_simd. Now trying a comma-delimited list of values.

comment:4 by ken@…, 3 months ago

Built successfully using

export RUSTC_BOOTSTRAP=encoding_rs,packed_simd

Raised as https://bugzilla.mozilla.org/show_bug.cgi?id=1710154

comment:5 by ken@…, 3 months ago

For anyone still trying to maintain a system older than LFS-9.1, this requires llvm >= 9.0 so you will be out of luck. But it builds ok with llvm-9.0.1 on an old LFS-9.1 system.

comment:7 by ken@…, 3 months ago

I can confirm that llvm-12 builds rustc-1.52.0 without problems.

comment:8 by ken@…, 3 months ago

Resolution: fixed
Status: assigned → closed

The more I think about this, the less I am convinced that 'shared' rust libraries are similar to conventional shared libraries. It seems that whatever code from the standard library is required by a crate is obtained at compile time whether the standard library is static or shared.

Therefore, the safest advice is to update rust and then rebuild everything which uses it.

Advisory 10.1-041 created.
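One way to act on the "rebuild everything which uses rust" advice is to find out which installed binaries were actually built by a pre-fix compiler before touching them. The script below is an added example and is not part of this ticket, the BLFS book or the Rust project; it assumes that rustc records itself in the `.comment` section of the binaries it links as `rustc version X.Y.Z (...)`, so a plain byte search for that marker gives the toolchain version. The sample images (`SAMPLE_BINARIES`), the placeholder commit hashes and the threshold of 1.52.0 (the first unpatched release this ticket says carries the fix) are constructed for the example.

```python
"""Find Rust-built binaries whose embedded rustc version predates a fixed release."""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Assumption: rustc leaves "rustc version X.Y.Z (<commit> <date>)" in the
# .comment section of every binary it links, so a byte search finds it.
RUSTC_MARKER = re.compile(rb"rustc version (\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Turn "1.52.0" into (1, 52, 0) so versions compare numerically, not as strings."""
    major, minor, patch = (int(part) for part in text.split("."))
    return (major, minor, patch)


def rustc_version_in(blob: bytes) -> Optional[Version]:
    """Return the rustc version embedded in a binary image, or None if no marker is present."""
    match = RUSTC_MARKER.search(blob)
    if match is None:
        return None
    major, minor, patch = (int(group) for group in match.groups())
    return (major, minor, patch)


def needs_rebuild(blob: bytes, fixed: Version) -> Optional[bool]:
    """True if built by a rustc older than `fixed`, False if not, None if no marker was found."""
    version = rustc_version_in(blob)
    if version is None:
        return None
    return version < fixed


def classify(blobs: Dict[str, bytes], fixed: Version) -> Dict[str, List[str]]:
    """Sort named binary images into rebuild / ok / unknown buckets (names sorted)."""
    report: Dict[str, List[str]] = {"rebuild": [], "ok": [], "unknown": []}
    for name, blob in sorted(blobs.items()):
        verdict = needs_rebuild(blob, fixed)
        bucket = "unknown" if verdict is None else ("rebuild" if verdict else "ok")
        report[bucket].append(name)
    return report


def classify_files(paths: Iterable[str], fixed: Version) -> Dict[str, List[str]]:
    """Same check over real files on disk; whole-file read keeps it independent of ELF tooling."""
    return classify({path: Path(path).read_bytes() for path in paths}, fixed)


# Constructed stand-ins for installed binaries; the "ELF" prefix and commit hashes are fake.
SAMPLE_BINARIES: Dict[str, bytes] = {
    "librsvg-rsvg-convert": b"\x7fELF...rustc version 1.51.0 (0000000 2021-01-01)\x00",
    "firefox": b"\x7fELF...rustc version 1.52.0 (1111111 2021-01-01)\x00",
    "ls": b"\x7fELF...GCC: (GNU) 10.2.0\x00",  # C program, no rustc marker
}


if __name__ == "__main__":
    fixed_release = parse_version("1.52.0")
    for bucket, names in classify(SAMPLE_BINARIES, fixed_release).items():
        print(f"{bucket:8s} {', '.join(names) or '-'}")
```

Two caveats matter when using this for real. A 1.51.0 compiler carrying the backported fix (as fedora ships) still writes `rustc version 1.51.0`, so the marker cannot distinguish patched from unpatched 1.51.0 builds; on such a system the threshold has to be chosen from what was actually installed. And a binary from which the `.comment` section was removed lands in the "unknown" bucket rather than "ok", which is the conservative result to report.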
