Opened 2 years ago
Closed 2 years ago
#15767 closed enhancement (fixed)
rustc-1.56.1
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | normal | Milestone: | 11.1 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
CVE-2021-42574 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574 was raised because in certain editors malicious code wrapped in unicode bidi codepoints will appear differently to the reader from what the compiler will process. This is not a rust vulnerability, but rust-1.56.1 was released, with (only) extra lints to prevent the use of bidi codepoints.
Checks were run on all crates at crates.io and no malicious crates were found. Therefore, the BLFS editors do not regard this as a security matter.
However, in the move towards openssl-3.0.0 I discovered a problem in which prevented me (but not others) from downloading certain crates required by cbindgen. Upstream has now fixed this in newer versions of the curl and curl-sys crates, but those will not be picked up until a future rust release which may have other changes that require retesting builds of the packages using rust. Using a sed to change the versions to be downloaded works, and since rustc has to be recompiled it makes sense to pick up the 1.56.1 version.
Fixed in @e7c8506a1891f2883842a384872b828fe013fd71 11.0-198