
@pietroalbini
Last active July 6, 2021 08:27
Patches for CVE-2019-16760

Patches for CVE-2019-16760

This gist contains the patches for CVE-2019-16760 (read the security advisory). The following patches are available:

The patches are meant to be applied on top of a source tarball of Rust, and they contain both the fix to the vulnerability and a test to ensure they work. Running Cargo's test suite should also execute the new test.

The patches are released under both the MIT license and the Apache 2.0 license, and signatures from the Rust Security Team's GPG key are provided. This gist was created by a member of the Rust Security team, and it is linked in the security advisory as the official source for the patches.

diff --git a/src/tools/cargo/src/cargo/util/toml.rs b/src/tools/cargo/src/cargo/util/toml.rs
--- a/src/tools/cargo/src/cargo/util/toml.rs
+++ b/src/tools/cargo/src/cargo/util/toml.rs
@@ -169,7 +169,15 @@ impl<'de> de::Deserialize<'de> for TomlDependency {
where V: de::MapAccess<'de>
{
let mvd = de::value::MapAccessDeserializer::new(map);
- DetailedTomlDependency::deserialize(mvd).map(TomlDependency::Detailed)
+ let dep = DetailedTomlDependency::deserialize(mvd).map(TomlDependency::Detailed);
+ if let Ok(&TomlDependency::Detailed(ref dep)) = dep.as_ref() {
+ if dep.package.is_some() {
+ return Err(<V::Error as de::Error>::custom(
+ "the package subkey is not allowed due to CVE-2019-16760"
+ ));
+ }
+ }
+ dep
}
}
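Review bot: The new `if dep.package.is_some()` check carries no comment saying why the key is rejected instead of honoured, so a maintainer cannot tell from the code that this is a deliberate hard failure for a Cargo version that lacks dependency renaming. Suggest a comment above the `if let`: `// This Cargo does not implement the package rename key; ignoring it would resolve the dependency by its table key instead of the named crate (CVE-2019-16760), so the manifest is rejected outright.` The inner `ref dep` binding shadows the `dep` result it is taken from, which reads awkwardly; `if let Ok(&TomlDependency::Detailed(ref detailed)) = dep.as_ref()` with `detailed.package.is_some()` keeps the two apart. The enclosing `visit_map` starts before the hunk; the same points apply to the identical hunk in the `toml/mod.rs` patch below.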
@@ -187,6 +195,7 @@ pub struct DetailedTomlDependency {
git: Option<String>,
branch: Option<String>,
tag: Option<String>,
+ package: Option<String>,
rev: Option<String>,
features: Option<Vec<String>>,
optional: Option<bool>,
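Review bot: The added `package` field is the only field of `DetailedTomlDependency` that exists solely so the manifest can be rejected, and nothing marks it as such, so a later change could start using it without the resolver support it implies. Suggest a doc comment on the field: `/// Parsed only so the Deserialize impl for TomlDependency can reject manifests that set it; dependency renaming is not supported by this Cargo.` The struct definition continues outside the hunk; the same applies to the matching hunk in the `toml/mod.rs` patch below.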
diff --git a/src/tools/cargo/tests/cve_2019_16760.rs b/src/tools/cargo/tests/cve_2019_16760.rs
new file mode 100644
--- /dev/null
+++ b/src/tools/cargo/tests/cve_2019_16760.rs
@@ -0,0 +1,28 @@
+extern crate cargotest;
+extern crate hamcrest;
+
+use cargotest::support::{project, execs};
+use hamcrest::assert_that;
+
+#[test]
+fn test_cve_2019_16760() {
+ let pb = project("foo")
+ .file("Cargo.toml", r#"
+ [package]
+ name = "foo"
+ version = "0.0.0"
+ authors = []
+
+ [dependencies]
+ lazy_static1 = { version = "1", package = "lazy_static" }
+ "#)
+ .file("src/lib.rs", "");
+ let p = pb.build();
+
+ assert_that(p.cargo("check"), execs().with_status(101).with_stderr("\
+error: failed to parse manifest at `[..]`
+
+Caused by:
+ the package subkey is not allowed due to CVE-2019-16760 for key `dependencies.lazy_static1`
+"));
+}
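Review bot: The test body does not say what the manifest demonstrates, so a reader cannot tell why `lazy_static1 = { version = "1", package = "lazy_static" }` must fail rather than resolve. Suggest a comment above `let pb`: `// A Cargo that ignores the package rename key would fetch a crate literally named lazy_static1 from the registry instead of lazy_static (CVE-2019-16760); the manifest must be rejected, never resolved.` Only the rejection path is covered; a companion case asserting that the same dependency without the `package` subkey still passes `cargo check` would catch an over-broad rejection, though it would need a path dependency or the test-support local registry rather than a real registry fetch. The same applies to the duplicate test file in the second patch below.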
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEV2nIi/XdPRSiNKes77mGCudSDawFAl2SDVUACgkQ77mGCudS
DawFtw/+Izd+WevY6f+vZSYEvgxVlJ/3Ebdv14NQReiLgTBk+zAc0eTQLPHEj92+
lIiheh4IBA5xbzg6x4vXLsfk3KjKh8FeKq/Am5i9ZqHG0QTFxsJeyAUBCnnuf2v+
zZ95O37/cGC92/MA3RGO8SJ3Fdr21G3Fp6aKhhB2gCt1wI/yxNmf9WZm/RQ4C5ir
ORKKqJ9wlEB4VwekHjZ53khtBRKRgImJzPLdBnKhImMmaBkZWJssZ/Dtgub9lB91
dh3gx+WCqihuJZ0+gmkIHkyeWRfS75lT4PLWB0ppNVlvN8Twlaq52wb0++K/KcnH
IH5brdr2RR3m84lddkzKS7s+AMUXR3I4iHUP+QQYjcTSyV+q4kodf3MGQdG8YA8C
E+eodS6XoY+7cfLP8XYvzIz1w7aXJwkbkvy9bLdqLQ8uXldR0rhD/mnEANjP4XDG
ymBnzY+bBbtkTQxyVuIdcAh6VXDjHm5YnUi8uoy9DjwZMF9C+uSJyQxzx4rMt7Eo
bRWu+VdJrXcs5dQVwnjAMCZf+Tzmx/Z8/8eOVkqM30nJfn+m26DZCPOzRiDmswiC
G/HU6u4ji5wCQ77hq5tCOeUVROkTH5IGC99XkFCGYzfePIyucj941q0OajWF213V
NsG7vpzYG0eET4YtHG9gTcRk54zYmMBODyhJcrSD3xs3rBC8E+k=
=vOYF
-----END PGP SIGNATURE-----
diff --git a/src/tools/cargo/src/cargo/util/toml/mod.rs b/src/tools/cargo/src/cargo/util/toml/mod.rs
--- a/src/tools/cargo/src/cargo/util/toml/mod.rs
+++ b/src/tools/cargo/src/cargo/util/toml/mod.rs
@@ -169,7 +169,15 @@ impl<'de> de::Deserialize<'de> for TomlDependency {
where V: de::MapAccess<'de>
{
let mvd = de::value::MapAccessDeserializer::new(map);
- DetailedTomlDependency::deserialize(mvd).map(TomlDependency::Detailed)
+ let dep = DetailedTomlDependency::deserialize(mvd).map(TomlDependency::Detailed);
+ if let Ok(&TomlDependency::Detailed(ref dep)) = dep.as_ref() {
+ if dep.package.is_some() {
+ return Err(<V::Error as de::Error>::custom(
+ "the package subkey is not allowed due to CVE-2019-16760"
+ ));
+ }
+ }
+ dep
}
}
@@ -187,6 +195,7 @@ pub struct DetailedTomlDependency {
git: Option<String>,
branch: Option<String>,
tag: Option<String>,
+ package: Option<String>,
rev: Option<String>,
features: Option<Vec<String>>,
optional: Option<bool>,
diff --git a/src/tools/cargo/tests/cve_2019_16760.rs b/src/tools/cargo/tests/cve_2019_16760.rs
new file mode 100644
--- /dev/null
+++ b/src/tools/cargo/tests/cve_2019_16760.rs
@@ -0,0 +1,28 @@
+extern crate cargotest;
+extern crate hamcrest;
+
+use cargotest::support::{project, execs};
+use hamcrest::assert_that;
+
+#[test]
+fn test_cve_2019_16760() {
+ let pb = project("foo")
+ .file("Cargo.toml", r#"
+ [package]
+ name = "foo"
+ version = "0.0.0"
+ authors = []
+
+ [dependencies]
+ lazy_static1 = { version = "1", package = "lazy_static" }
+ "#)
+ .file("src/lib.rs", "");
+ let p = pb.build();
+
+ assert_that(p.cargo("check"), execs().with_status(101).with_stderr("\
+error: failed to parse manifest at `[..]`
+
+Caused by:
+ the package subkey is not allowed due to CVE-2019-16760 for key `dependencies.lazy_static1`
+"));
+}
-----BEGIN PGP SIGNATURE-----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=86AM
-----END PGP SIGNATURE-----