Lucene search

K
suseSuseOPENSUSE-SU-2020:0945-1
HistoryJul 07, 2020 - 12:00 a.m.

Security update for rust, rust-cbindgen (moderate)

2020-07-0700:00:00
lists.opensuse.org
44

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for rust, rust-cbindgen fixes the following issues:

rust was updated for use by Firefox 76ESR.

  • Fixed miscompilations with rustc 1.43 that lead to LTO failures
    (bsc#1173202)

Update to version 1.43.1

  • Updated openssl-src to 1.1.1g for CVE-2020-1967.
  • Fixed the stabilization of AVX-512 features.
  • Fixed cargo package --list not working with unpublished dependencies.

Update to version 1.43.0

  • Language:
  • Fixed using binary operations with &{number} (e.g. &1.0) not having
    the type inferred correctly.
  • Attributes such as #[cfg()] can now be used on if expressions.
  • Syntax only changes:
    • Allow type Foo: Ord syntactically.
    • Fuse associated and extern items up to defaultness.
    • Syntactically allow self in all fn contexts.
    • Merge fn syntax + cleanup item parsing.
    • item macro fragments can be interpolated into traits, impls, and
      extern blocks. For example, you may now write: rust macro_rules! mac_trait { ($i:item) => { trait T { $i } } } mac_trait! { fn foo() {} }
    • These are still rejected semantically, so you will likely receive an
      error but these changes can be seen and parsed by macros and
      conditional compilation.
  • Compiler
  • You can now pass multiple lint flags to rustc to override the previous
    flags.

    For example; rustc -D unused -A unused-variables denies everything in
    the unused lint group except unused-variables which is explicitly
    allowed. However, passing rustc -A unused-variables -D unused denies
    everything in the unused lint group including unused-variables
    since the allow flag is specified before the deny flag (and therefore
    overridden).

  • rustc will now prefer your system MinGW libraries over its bundled
    libraries if they are available on windows-gnu.

  • rustc now buffers errors/warnings printed in JSON.

Libraries:

  • Arc<[T; N]>, Box<[T; N]>, and Rc<[T; N]>, now implement
    TryFrom<Arc<[T]>>,TryFrom<Box<[T]>>, and TryFrom<Rc<[T]>>
    respectively.
    Note These conversions are only available when N is 0..=32.
  • You can now use associated constants on floats and integers directly,
    rather than having to import the module. e.g. You can now write
    u32::MAX or f32::NAN with no imports.
  • u8::is_ascii is now const.
  • String now implements AsMut<str>.
  • Added the primitive module to std and core. This module reexports
    Rust’s primitive types. This is mainly useful in macros where you want
    avoid these types being shadowed.
  • Relaxed some of the trait bounds on HashMap and HashSet.
  • string::FromUtf8Error now implements Clone + Eq.
  • Stabilized APIs
  • Once::is_completed
  • f32::LOG10_2
  • f32::LOG2_10
  • f64::LOG10_2
  • f64::LOG2_10
  • iter::once_with
  • Cargo

    • You can now set config [profile]s in your .cargo/config,
      or through your environment.
    • Cargo will now set CARGO_BIN_EXE_<name> pointing to a binary’s
      executable path when running integration tests or benchmarks. <name>
      is the name of your binary as-is e.g. If you wanted the executable
      path for a binary named my-programyou would use
      env!("CARGO_BIN_EXE_my-program").
  • Misc

    • Certain checks in the const_err lint were deemed unrelated to const
      evaluation, and have been moved to the unconditional_panic and
      arithmetic_overflow lints.
  • Compatibility Notes

    • Having trailing syntax in the assert! macro is now a hard error.
      This has been a warning since 1.36.0.
    • Fixed Self not having the correctly inferred type. This incorrectly
      led to some instances being accepted, and now correctly emits a hard
      error.

Update to version 1.42.0:

  • Language

    • You can now use the slice pattern syntax with subslices.
    • You can now use #[repr(transparent)] on univariant enums. Meaning that
      you can create an enum that has the exact layout and ABI of the type
      it contains.
    • There are some syntax-only changes:
      • default is syntactically allowed before items in trait definitions.
      • Items in impls (i.e. consts, types, and fns) may syntactically leave
        out their bodies in favor of ;.
      • Bounds on associated types in impls are now syntactically allowed
        (e.g. type Foo: Ord;).
      • … (the C-variadic type) may occur syntactically directly as the
        type of any function parameter. These are still rejected
        semantically, so you will likely receive an error but these changes
        can be seen and parsed by procedural macros and conditional
        compilation.
  • Compiler

    • Added tier 2 support for armv7a-none-eabi.
    • Added tier 2 support for riscv64gc-unknown-linux-gnu.
    • Option::{expect,unwrap} and Result::{expect, expect_err, unwrap,
      unwrap_err} now produce panic messages pointing to the location where
      they were called, rather than core’s internals. Refer to Rust’s
      platform support page for more information on Rust’s tiered platform
      support.
  • Libraries

    • iter::Empty<T> now implements Send and Sync for any T.
    • Pin::{map_unchecked, map_unchecked_mut} no longer require the return
      type to implement Sized.
    • io::Cursor now derives PartialEq and Eq.
    • Layout::new is now const.
    • Added Standard Library support for riscv64gc-unknown-linux-gnu.
  • Stabilized APIs

    • CondVar::wait_while
    • CondVar::wait_timeout_while
    • DebugMap::key
    • DebugMap::value
    • ManuallyDrop::take
    • matches!
    • ptr::slice_from_raw_parts_mut
    • ptr::slice_from_raw_parts
  • Cargo

    • You no longer need to include extern crate proc_macro; to be able to
      use proc_macro; in the 2018 edition.
  • Compatibility Notes

    • Error::description has been deprecated, and its use will now produce a
      warning. It’s recommended to use Display/to_string instead.

Update to version 1.41.1:

 - Always check types of static items
 - Always check lifetime bounds of `Copy` impls
 - Fix miscompilation in callers of `Layout::repeat`

Update to version 1.41.0:

  • Language

    • You can now pass type parameters to foreign items when implementing
      traits. E.g. You can now write impl&lt;T&gt; From&lt;Foo&gt; for Vec&lt;T&gt; {}.
    • You can now arbitrarily nest receiver types in the self position.
      E.g. you can now write fn foo(self: Box&lt;Box&lt;Self&gt;&gt;) {}. Previously
      only Self, &Self, &mut Self, Arc&lt;Self&gt;, Rc&lt;Self&gt;, and
      Box&lt;Self&gt; were allowed.
    • You can now use any valid identifier in a format_args macro.
      Previously identifiers starting with an underscore were not allowed.
    • Visibility modifiers (e.g. pub) are now syntactically allowed on
      trait items and enum variants. These are still rejected semantically,
      but can be seen and parsed by procedural macros and conditional
      compilation.
  • Compiler

    • Rustc will now warn if you have unused loop 'labels.
    • Removed support for the i686-unknown-dragonfly target.
    • Added tier 3 support* for the riscv64gc-unknown-linux-gnu target.
    • You can now pass an arguments file passing the @path syntax to
      rustc. Note that the format differs somewhat from what is found in
      other tooling; please see the documentation for more information.
    • You can now provide --extern flag without a path, indicating that it
      is available from the search path or specified with an -L flag.

    Refer to Rust’s [platform support page][forge-platform-support] for more
    information on Rust’s tiered platform support.

  • Libraries

    • The core::panic module is now stable. It was already stable through
      std.
    • NonZero* numerics now implement From&lt;NonZero*&gt; if it’s a smaller
      integer width. E.g. NonZeroU16 now implements From&lt;NonZeroU8&gt;.
    • MaybeUninit&lt;T&gt; now implements fmt::Debug.
  • Stabilized APIs

    • Result::map_or
    • Result::map_or_else
    • std::rc::Weak::weak_count
    • std::rc::Weak::strong_count
    • std::sync::Weak::weak_count
    • std::sync::Weak::strong_count
  • Cargo

    • Cargo will now document all the private items for binary crates by
      default.
    • cargo-install will now reinstall the package if it detects that it
      is out
      of date.
    • Cargo.lock now uses a more git friendly format that should help to
      reduce merge conflicts.
    • You can now override specific dependencies’s build settings. E.g.
      [profile.dev.package.image] opt-level = 2 sets the image crate’s
      optimisation level to 2 for debug builds. You can also use
      [profile.&lt;profile&gt;.build-override] to override build scripts and
      their dependencies.
  • Misc

    • You can now specify edition in documentation code blocks to compile
      the block for that edition. E.g. edition2018 tells rustdoc that the
      code sample should be compiled the 2018 edition of Rust.
    • You can now provide custom themes to rustdoc with --theme, and check
      the current theme with --check-theme.
    • You can use #[cfg(doc)] to compile an item when building
      documentation.
  • Compatibility Notes

    • As previously announced 1.41.0 will be the last tier 1 release for
      32-bit Apple targets. This means that the source code is still
      available to build, but the targets are no longer being tested and
      release binaries for those platforms will no longer be distributed by
      the Rust project. Please refer to the linked blog post for more
      information.
  • Bump version of libssh2 for SLE15; we now need a version with
    libssh2_userauth_publickey_frommemory(), which appeared in libssh2 1.6.0.

Update to version 1.40.0

  • Language

    • You can now use tuple structs and tuple enum variant’s
      constructors in const contexts. e.g. pub struct Point(i32, i32);
      const ORIGIN: Point = { let constructor = Point; constructor(0, 0) };
    • You can now mark structs, enums, and enum variants with the
      #[non_exhaustive] attribute to indicate that there may be variants
      or fields added in the future. For example this requires adding a
      wild-card branch (_ =&gt; {}) to any match statements on a
      non-exhaustive enum.
    • You can now use function-like procedural macros in extern blocks and
      in type positions. e.g. type Generated = macro!();
    • Function-like and attribute procedural macros can now emit
      macro_rules! items, so you can now have your macros generate macros.
    • The meta pattern matcher in macro_rules! now correctly matches the
      modern attribute syntax. For example (#[$m:meta]) now matches
      #[attr], #[attr{tokens}], #[attr[tokens]], and #[attr(tokens)].
  • Compiler

    • Added tier 3 support* for the thumbv7neon-unknown-linux-musleabihf
      target.
    • Added tier 3 support for the aarch64-unknown-none-softfloat target.
    • Added tier 3 support for the mips64-unknown-linux-muslabi64, and
      mips64el-unknown-linux-muslabi64 targets.
  • Libraries

    • The is_power_of_two method on unsigned numeric types is now a
      const function.
  • Stabilized APIs

    • BTreeMap::get_key_value
    • HashMap::get_key_value
    • Option::as_deref_mut
    • Option::as_deref
    • Option::flatten
    • UdpSocket::peer_addr
    • f32::to_be_bytes
    • f32::to_le_bytes
    • f32::to_ne_bytes
    • f64::to_be_bytes
    • f64::to_le_bytes
    • f64::to_ne_bytes
    • f32::from_be_bytes
    • f32::from_le_bytes
    • f32::from_ne_bytes
    • f64::from_be_bytes
    • f64::from_le_bytes
    • f64::from_ne_bytes
    • mem::take
    • slice::repeat
    • todo!
  • Cargo

    • Cargo will now always display warnings, rather than only on fresh
      builds.
    • Feature flags (except --all-features) passed to a virtual workspace
      will now produce an error. Previously these flags were ignored.
    • You can now publish dev-dependencies without including a version.
  • Misc

    • You can now specify the #[cfg(doctest)] attribute to include an item
      only when running documentation tests with rustdoc.
  • Compatibility Notes

    • As previously announced, any previous NLL warnings in the 2015 edition
      are now hard errors.
    • The include! macro will now warn if it failed to include the entire
      file. The include! macro unintentionally only includes the first
      expression in a file, and this can be unintuitive. This will become
      either a hard error in a future release, or the behavior may be fixed
      to include all expressions as expected.
    • Using #[inline] on function prototypes and consts now emits a
      warning under unused_attribute lint. Using #[inline] anywhere else
      inside traits
      or extern blocks now correctly emits a hard error.

Update to version 1.39.0

  • Language

    • You can now create async functions and blocks with async fn, async
      move {}, and async {} respectively, and you can now call .await on
      async expressions.
    • You can now use certain attributes on function, closure, and function
      pointer parameters.
    • You can now take shared references to bind-by-move patterns in the if
      guards of match arms.
  • Compiler

    • Added tier 3 support for the i686-unknown-uefi target.
    • Added tier 3 support for the sparc64-unknown-openbsd target.
    • rustc will now trim code snippets in diagnostics to fit in your
      terminal.
    • You can now pass --show-output argument to test binaries to print the
      output of successful tests.
  • For more details:
    https://github.com/rust-lang/rust/blob/stable/RELEASES.md#version-1390-2019
    -11-07

Update to version 1.38.0

  • Language

    • The #[global_allocator] attribute can now be used in submodules.
    • The #[deprecated] attribute can now be used on macros.
  • Compiler

    • Added pipelined compilation support to rustc. This will improve
      compilation times in some cases.
  • Libraries

    • ascii::EscapeDefault now implements Clone and Display.
    • Derive macros for prelude traits (e.g. Clone, Debug, Hash) are
      now available at the same path as the trait. (e.g. The Clone derive
      macro is available at std::clone::Clone). This also makes all
      built-in macros available in std/core root. e.g.
      std::include_bytes!.
    • str::Chars now implements Debug.
    • slice::{concat, connect, join} now accepts &[T] in addition to
      &T.
    • *const T and *mut T now implement marker::Unpin.
    • Arc&lt;[T]&gt; and Rc&lt;[T]&gt; now implement FromIterator&lt;T&gt;.
    • Added euclidean remainder and division operations (div_euclid,
      rem_euclid) to all numeric primitives. Additionally checked,
      overflowing, and wrapping versions are available for all integer
      primitives.
    • thread::AccessError now implements Clone, Copy, Eq, Error,
      and PartialEq.
    • iter::{StepBy, Peekable, Take} now implement DoubleEndedIterator.
  • Stabilized APIs

    • &lt;*const T&gt;::cast
    • &lt;*mut T&gt;::cast
    • Duration::as_secs_f32
    • Duration::as_secs_f64
    • Duration::div_f32
    • Duration::div_f64
    • Duration::from_secs_f32
    • Duration::from_secs_f64
    • Duration::mul_f32
    • Duration::mul_f64
    • any::type_name
  • Cargo

    • Added pipelined compilation support to cargo.
    • You can now pass the --features option multiple times to enable
      multiple features.
  • Misc

    • rustc will now warn about some incorrect uses of
      mem::{uninitialized, zeroed} that are known to cause undefined
      behaviour.

Update to version 1.37.0

 + Language

   - #[must_use] will now warn if the type is contained in a tuple, Box,
     or an array and unused.
   - You can now use the `cfg` and `cfg_attr` attributes on generic
     parameters.
   - You can now use enum variants through type alias. e.g. You can write
     the following: ``` type MyOption = Option&lt;u8&gt;; fn
     increment_or_zero(x: MyOption) -&gt; u8 { match x { MyOption::Some(y)
     =&gt; y + 1, MyOption::None =&gt; 0, } } ```
   - You can now use `_` as an identifier for consts. e.g. You can write
     `const _: u32 = 5;`.
   - You can now use `#[repr(align(X)]` on enums.
   - The  `?` Kleene macro operator is now available in the 2015 edition.

 + Compiler

   - You can now enable Profile-Guided Optimization with the `-C
     profile-generate` and `-C profile-use` flags. For more information
     on how to use profile guided optimization, please refer to the rustc
     book.
   - The `rust-lldb` wrapper script should now work again.

 + Libraries

   - `mem::MaybeUninit&lt;T&gt;` is now ABI-compatible with `T`.

 + Stabilized APIs

   - BufReader::buffer
   - BufWriter::buffer
   - Cell::from_mut
   - Cell&lt;[T]&gt;::as_slice_of_cells
   - Cell&lt;slice&gt;::as_slice_of_cells
   - DoubleEndedIterator::nth_back
   - Option::xor
   - Wrapping::reverse_bits
   - i128::reverse_bits
   - i16::reverse_bits
   - i32::reverse_bits
   - i64::reverse_bits
   - i8::reverse_bits
   - isize::reverse_bits
   - slice::copy_within
   - u128::reverse_bits
   - u16::reverse_bits
   - u32::reverse_bits
   - u64::reverse_bits
   - u8::reverse_bits
   - usize::reverse_bits

 + Cargo

   - Cargo.lock files are now included by default when publishing
     executable crates with executables.
   - You can now specify `default-run="foo"` in `[package]` to specify
     the default executable to use for `cargo run`.
   - cargo-vendor is now provided as a sub-command of cargo

 + Compatibility Notes

   - Using `...` for inclusive range patterns will now warn by default.
     Please transition your code to using the `..=` syntax for inclusive
     ranges instead.
   - Using a trait object without the `dyn` will now warn by default.
     Please transition your code to use `dyn Trait` for trait objects
     instead. Crab(String), Lobster(String), Person(String), let state =
     Creature::Crab("Ferris"); if let Creature::Crab(name) |
     Creature::Person(name) = state { println!("This creature's name is:
     {}", name); } unsafe { foo() } pub fn new(x: i32, y: i32) -&gt; Self {
     Self(x, y) } pub fn is_origin(&self) -&gt; bool { match self { Self(0,
     0) =&gt; true, _ =&gt; false, } } Self: PartialOrd&lt;Self&gt; // can write
     `Self` instead of `List&lt;T&gt;` Nil, Cons(T, Box&lt;Self&gt;) // likewise here
     fn test(&self) { println!("one"); } //~ ERROR duplicate definitions
     with name `test` fn test(&self) { println!("two"); }
  • Basic procedural macros allowing custom #[derive], aka “macros 1.1”,
    are stable. This allows popular code-generating crates like Serde and
    Diesel to work ergonomically. [RFC 1681].
  • [Tuple structs may be empty. Unary and empty tuple structs may be
    instantiated with curly braces][36868]. Part of [RFC 1506].
  • [A number of minor changes to name resolution have been
    activated][37127]. They add up to more consistent semantics, allowing
    for future evolution of Rust macros. Specified in [RFC 1560], see its
    section on [“changes”] for details of what is different. The breaking
    changes here have been transitioned through the [legacy_imports] lint
    since 1.14, with no known regressions.
  • [In macro_rules, path fragments can now be parsed as type parameter
    bounds][38279]
  • [?Sized can be used in where clauses][37791]
  • [There is now a limit on the size of monomorphized types and it can be
    modified with the #![type_size_limit] crate attribute, similarly to
    the #![recursion_limit] attribute][37789]
  • [On Windows, the compiler will apply dllimport attributes when linking
    to extern functions][37973]. Additional attributes and flags can control
    which library kind is linked and its name. [RFC 1717].
  • [Rust-ABI symbols are no longer exported from cdylibs][38117]
  • [The --test flag works with procedural macro crates][38107]
  • [Fix extern "aapcs" fn ABI][37814]
  • [The -C no-stack-check flag is deprecated][37636]. It does nothing.
  • [The format! expander recognizes incorrect printf and shell-style
    formatting directives and suggests the correct format][37613].
  • [Only report one error for all unused imports in an import list][37456]
  • [Avoid unnecessary mk_ty calls in Ty::super_fold_with][37705]
  • [Avoid more unnecessary mk_ty calls in Ty::super_fold_with][37979]
  • [Don’t clone in UnificationTable::probe][37848]
  • [Remove scope_auxiliary to cut RSS by 10%][37764]
  • [Use small vectors in type walker][37760]
  • [Macro expansion performance was improved][37701]
  • [Change HirVec&lt;P&lt;T&gt;&gt; to HirVec&lt;T&gt; in hir::Expr][37642]
  • [Replace FNV with a faster hash function][37229]
    https://raw.githubusercontent.com/rust-lang/rust/master/RELEASES.md

rust-cbindgen is shipped in version 0.14.1.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.2:

    zypper in -t patch openSUSE-2020-945=1

OSVersionArchitecturePackageVersionFilename
openSUSE Leap15.2i586< - openSUSE Leap 15.2 (i586 x86_64):- openSUSE Leap 15.2 (i586 x86_64):.i586.rpm
openSUSE Leap15.2x86_64< - openSUSE Leap 15.2 (i586 x86_64):- openSUSE Leap 15.2 (i586 x86_64):.x86_64.rpm
openSUSE Leap15.2noarch< - openSUSE Leap 15.2 (noarch):- openSUSE Leap 15.2 (noarch):.noarch.rpm
openSUSE Leap15.2x86_64< - openSUSE Leap 15.2 (x86_64):- openSUSE Leap 15.2 (x86_64):.x86_64.rpm

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P