openSUSE: Security Advisory for rust, rust1.72 (SUSE-SU-2023:3722-1)

2024-03-0400:00:00

plugins.openvas.org

suse-su-2023:3722-1

security advisory

rust

rust1.72

cve-2023-40030

update

vulnerability

greenbone ag

fixes

version 1.72.0

cargo

advisory

tiered platform support

netbsd/aarch64-be

native wasm exceptions

solaris/illumos

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.9%

JSON

The remote host is missing an update for the

# SPDX-FileCopyrightText: 2024 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.833564");
  script_version("2024-05-16T05:05:35+0000");
  script_cve_id("CVE-2023-40030");
  script_tag(name:"cvss_base", value:"6.4");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_tag(name:"last_modification", value:"2024-05-16 05:05:35 +0000 (Thu, 16 May 2024)");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2023-08-31 14:35:56 +0000 (Thu, 31 Aug 2023)");
  script_tag(name:"creation_date", value:"2024-03-04 07:34:53 +0000 (Mon, 04 Mar 2024)");
  script_name("openSUSE: Security Advisory for rust, rust1.72 (SUSE-SU-2023:3722-1)");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2024 Greenbone AG");
  script_family("SuSE Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/suse", "ssh/login/rpms", re:"ssh/login/release=(openSUSELeap15\.4|openSUSELeap15\.5)");

  script_xref(name:"Advisory-ID", value:"SUSE-SU-2023:3722-1");
  script_xref(name:"URL", value:"https://lists.opensuse.org/archives/list/[email protected]/thread/5GMVLOYUX6AOVYD27ER4N5L33BENLMWG");

  script_tag(name:"summary", value:"The remote host is missing an update for the 'rust, rust1.72'
  package(s) announced via the SUSE-SU-2023:3722-1 advisory.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");

  script_tag(name:"insight", value:"This update for rust, rust1.72 fixes the following issues:

  Changes in rust:

  * Update to version 1.72.0 - for details see the rust1.72 package

  Changes in rust1.72:

  * CVE-2023-40030: fix minor non-exploited issue in cargo (bsc#1214689)

  # Version 1.72.0 (2023-08-24)

  ## Language

  * Replace const eval limit by a lint and add an exponential backoff warning

  * expand: Change how `#![cfg(FALSE)]` behaves on create root

  * Stabilize inline asm for LoongArch64

  * Uplift `clippy::undropped_manually_drops` lint

  * Uplift `clippy::invalid_utf8_in_unchecked` lint

  * Uplift `clippy::cast_ref_to_mut` lint

  * Uplift `clippy::cmp_nan` lint

  * resolve: Remove artificial import ambiguity errors

  * Don't require associated types with Self: Sized bounds in `dyn Trait`
      objects

  ## Compiler

  * Remember names of `cfg`-ed out items to mention them in diagnostics

  * Support for native WASM exceptions

  * Add support for NetBSD/aarch64-be (big-endian arm64).

  * Write to stdout if `-` is given as output file

  * Force all native libraries to be statically linked when linking a static
      binary

  * Add Tier 3 support for `loongarch64-unknown-none*`

  * Prevent `.eh_frame` from being emitted for `-C panic=abort`

  * Support 128-bit enum variant in debuginfo codegen

  * compiler: update solaris/illumos to enable tsan support.

  Refer to Rust's platform support page for more information on Rust's tiered
  platform support.

  ## Libraries

  * Document memory orderings of `thread::{park, unpark}`

  * io: soften at most one write attempt requirement in io::Write::write

  * Specify behavior of HashSet::insert

  * Relax implicit `T: Sized` bounds on `BufReader&amp lt T&amp gt `,
      `BufWriter&amp lt T&amp gt ` and `LineWriter&amp lt T&amp gt `

  * Update runtime guarantee for `select_nth_unstable`

  * Return `Ok` on kill if process has already exited

  * Implement PartialOrd for `Vec`s over different allocators

  * Use 128 bits for TypeId hash

  * Don't drain-on-drop in DrainFilter impls of various collections.

  * Make `{Arc, Rc, Weak}::ptr_eq` ignore pointer metadata

  ## Rustdoc

  * Allow whitespace as path separator like double colon

  * Add search result item types after their name

  * Search for slices and arrays by type with `[]`

  * Clean up type unification and 'unboxing'

  ## Stabilized APIs

  * `impl&amp lt T: Send&amp gt  Sync for mpsc::Sender&amp lt T&amp gt `

  * `impl TryFrom&amp lt &amp amp OsStr&amp gt  for &amp amp str`

  * `String::leak`

  These  ...

  Description truncated. Please see the references for more information.");

  script_tag(name:"affected", value:"'rust, rust1.72' package(s) on openSUSE Leap 15.4, openSUSE Leap 15.5.");

  script_tag(name:"solution", value:"Please install the updated package(s).");

  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"package");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-rpm.inc");

release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";
report = "";

if(release == "openSUSELeap15.4") {

  if(!isnull(res = isrpmvuln(pkg:"cargo1.72", rpm:"cargo1.72~1.72.0~150400.9.3.1", rls:"openSUSELeap15.4"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"cargo1.72-debuginfo", rpm:"cargo1.72-debuginfo~1.72.0~150400.9.3.1", rls:"openSUSELeap15.4"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"rust1.72-debuginfo", rpm:"rust1.72-debuginfo~1.72.0~150400.9.3.1", rls:"openSUSELeap15.4"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"cargo", rpm:"cargo~1.72.0~150400.24.24.1", rls:"openSUSELeap15.4"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"rust", rpm:"rust~1.72.0~150400.24.24.1", rls:"openSUSELeap15.4"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"rust1.72", rpm:"rust1.72~1.72.0~150400.9.3.1", rls:"openSUSELeap15.4"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"rust1.72-test", rpm:"rust1.72-test~1.72.0~150400.9.3.1", rls:"openSUSELeap15.4"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"cargo1.72", rpm:"cargo1.72~1.72.0~150400.9.3.1", rls:"openSUSELeap15.4"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"cargo1.72-debuginfo", rpm:"cargo1.72-debuginfo~1.72.0~150400.9.3.1", rls:"openSUSELeap15.4"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"rust1.72-debuginfo", rpm:"rust1.72-debuginfo~1.72.0~150400.9.3.1", rls:"openSUSELeap15.4"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"cargo", rpm:"cargo~1.72.0~150400.24.24.1", rls:"openSUSELeap15.4"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"rust", rpm:"rust~1.72.0~150400.24.24.1", rls:"openSUSELeap15.4"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"rust1.72", rpm:"rust1.72~1.72.0~150400.9.3.1", rls:"openSUSELeap15.4"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"rust1.72-test", rpm:"rust1.72-test~1.72.0~150400.9.3.1", rls:"openSUSELeap15.4"))) {
    report += res;
  }

  if(report != "") {
    security_message(data:report);
  } else if(__pkg_match) {
    exit(99);
  }
  exit(0);
}

if(release == "openSUSELeap15.5") {

  if(!isnull(res = isrpmvuln(pkg:"cargo1.72", rpm:"cargo1.72~1.72.0~150400.9.3.1", rls:"openSUSELeap15.5"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"cargo1.72-debuginfo", rpm:"cargo1.72-debuginfo~1.72.0~150400.9.3.1", rls:"openSUSELeap15.5"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"rust1.72-debuginfo", rpm:"rust1.72-debuginfo~1.72.0~150400.9.3.1", rls:"openSUSELeap15.5"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"cargo", rpm:"cargo~1.72.0~150400.24.24.1", rls:"openSUSELeap15.5"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"rust", rpm:"rust~1.72.0~150400.24.24.1", rls:"openSUSELeap15.5"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"rust1.72", rpm:"rust1.72~1.72.0~150400.9.3.1", rls:"openSUSELeap15.5"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"cargo1.72", rpm:"cargo1.72~1.72.0~150400.9.3.1", rls:"openSUSELeap15.5"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"cargo1.72-debuginfo", rpm:"cargo1.72-debuginfo~1.72.0~150400.9.3.1", rls:"openSUSELeap15.5"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"rust1.72-debuginfo", rpm:"rust1.72-debuginfo~1.72.0~150400.9.3.1", rls:"openSUSELeap15.5"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"cargo", rpm:"cargo~1.72.0~150400.24.24.1", rls:"openSUSELeap15.5"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"rust", rpm:"rust~1.72.0~150400.24.24.1", rls:"openSUSELeap15.5"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"rust1.72", rpm:"rust1.72~1.72.0~150400.9.3.1", rls:"openSUSELeap15.5"))) {
    report += res;
  }

  if(report != "") {
    security_message(data:report);
  } else if(__pkg_match) {
    exit(99);
  }
  exit(0);
}

exit(0);