[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#53461] [address@hidden: Rust CVE]
From: |
Maxim Cournoyer |
Subject: |
[bug#53461] [address@hidden: Rust CVE] |
Date: |
Mon, 24 Jan 2022 16:31:25 -0500 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) |
Hi,
Leo Famulari <leo@famulari.name> writes:
> On Sat, Jan 22, 2022 at 10:33:52PM -0500, Maxim Cournoyer wrote:
>> The rust-1.57 variable should probably be made private or hidden now.
>>
>> Also, unless we rebuild all crates with rust-1.58, it seems to me like
>> we won't be addressing the problem, as the CVE touches the
>> 'remove_dir_all' procedure part of the standard library of Rust (and we
>> all know Rust likes to build things statically).
>>
>> Am I missing something?
>
> I don't know about Rust things! I just forwarded this message from the
> private list to the public list.
OK! I just asked in #rust and they confirmed what I thought (all crates
-- well the ones using 'std::fs::remove_dir_all' but we can't easily
know) needs to be rebuilt if we are to patch that CVE.
Maxim