
Add `cargo` CVEs 2022-36113 & 2022-36114

Status: Open. pinkforest opened this issue 3 years ago · 2 comments

Background

Cargo has new CVEs: https://blog.rust-lang.org/2022/09/14/cargo-cves.html

There was a fix here: https://github.com/rust-lang/cargo/pull/11088, which targeted beta five days ago.

It is possible there is a backport to the 1.64.0 release.

One problem is that the GHSA went out before there was an actionable fix, and the GHSA also targeted this against the cargo crate itself.

Cargo is also used as a library, so beyond the cargo binary itself, the GHSA targets the library.

The real question here is:

Beyond the usual Rust release CVEs (e.g. for the cargo binary),

should we maybe have RustSec light up the cargo crate as a library re: CVEs?

I haven't had time to dig deep on this yet, but if someone wants to take a stab at it...

Ref: https://github.com/rust-lang/wg-security-response/issues/10 - it may be best to hold up merging until there is an actionable fix.

pinkforest, Sep 19 '22 12:09

I don't see why we could not add an advisory for cargo "the crate", and one for cargo the tool (in rust/cargo/); they are meant to be used in different contexts.

amousset, Feb 25 '23 20:02

The advisories under crates and rust are also versioned differently:

  • crates is versioned according to the crate release (e.g. 0.64 for cargo)
  • rust is versioned according to the Rust release (e.g. 1.64.0)

tarcieri, Feb 25 '23 21:02