SUSE-CU-2023:3092-1: Security update of bci/rust

Fri Sep 22 07:05:02 UTC 2023

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3092-1
Container Tags        : bci/rust:1.71 , bci/rust:1.71-2.2.1 , bci/rust:oldstable , bci/rust:oldstable-2.2.1
Container Release     : 2.1
Severity              : important
Type                  : security
References            : 1213817 CVE-2023-38497 
-----------------------------------------------------------------

The container bci/rust was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2978-1
Released:    Wed Jul 26 09:56:57 2023
Summary:     Recommended update for rust, rust1.71
Type:        recommended
Severity:    moderate
References:  
This update for rust and rust1.71 fixes the following issues:

This update ships rust1.71.

Version 1.71.0 (2023-07-13)
==========================

Language
--------

- Stabilize `raw-dylib`, `link_ordinal`, `import_name_type` and `-Cdlltool`.
- Uplift `clippy::{drop,forget}_{ref,copy}` lints.
- Type inference is more conservative around constrained vars.
- Use fulfillment to check `Drop` impl compatibility

Compiler
--------

- Evaluate place expression in `PlaceMention`
  making `let _ =` patterns more consistent with respect to the borrow checker.
- Add `--print deployment-target` flag for Apple targets.
- Stabilize `extern 'C-unwind'` and friends.
  The existing `extern 'C'` etc. may change behavior for cross-language unwinding in a future release.
- Update the version of musl used on `*-linux-musl` targets to 1.2.3
  enabling [time64](https://musl.libc.org/time64.html) on 32-bit systems.
- Stabilize `debugger_visualizer`
  for embedding metadata like Microsoft's Natvis.
- Enable flatten-format-args by default.
- Make `Self` respect tuple constructor privacy.
- Improve niche placement by trying two strategies and picking the better result.
- Use `apple-m1` as the target CPU for `aarch64-apple-darwin`.
- Add Tier 3 support for the `x86_64h-apple-darwin` target.
- Promote `loongarch64-unknown-linux-gnu` to Tier 2 with host tools.

Refer to Rust's [platform support page][platform-support-doc]
for more information on Rust's tiered platform support.

Libraries
---------

- Rework handling of recursive panics.
  Additional panics are allowed while unwinding, as long as they are caught before escaping
  a `Drop` implementation, but panicking within a panic hook is now an immediate abort.
- Loosen `From<&[T]> for Box<[T]>` bound to `T: Clone`.
- Remove unnecessary `T: Send` bound
  in `Error for mpsc::SendError<T>` and `TrySendError<T>`.
- Fix docs for `alloc::realloc`
  to match `Layout` requirements that the size must not exceed `isize::MAX`.
- Document `const {}` syntax for `std::thread_local`.
  This syntax was stabilized in Rust 1.59, but not previously mentioned in release notes.

Stabilized APIs
---------------

- `CStr::is_empty`](https://doc.rust-lang.org/stable/std/ffi/struct.CStr.html#method.is_empty)
- `BuildHasher::hash_one`](https://doc.rust-lang.org/stable/std/hash/trait.BuildHasher.html#method.hash_one)
- `NonZeroI*::is_positive`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.is_positive)
- `NonZeroI*::is_negative`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.is_negative)
- `NonZeroI*::checked_neg`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.checked_neg)
- `NonZeroI*::overflowing_neg`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.overflowing_neg)
- `NonZeroI*::saturating_neg`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.saturating_neg)
- `NonZeroI*::wrapping_neg`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#method.wrapping_neg)
- `Neg for NonZeroI*`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#impl-Neg-for-NonZeroI32)
- `Neg for &NonZeroI*`](https://doc.rust-lang.org/stable/std/num/struct.NonZeroI32.html#impl-Neg-for-%26NonZeroI32)
- `From<[T; N]> for (T...)`](https://doc.rust-lang.org/stable/std/primitive.array.html#impl-From%3C%5BT;+1%5D%3E-for-(T,))
  (array to N-tuple for N in 1..=12)
- `From<(T...)> for [T; N]`](https://doc.rust-lang.org/stable/std/primitive.array.html#impl-From%3C(T,)%3E-for-%5BT;+1%5D)
  (N-tuple to array for N in 1..=12)
- `windows::io::AsHandle for Box<T>`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsHandle.html#impl-AsHandle-for-Box%3CT%3E)
- `windows::io::AsHandle for Rc<T>`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsHandle.html#impl-AsHandle-for-Rc%3CT%3E)
- `windows::io::AsHandle for Arc<T>`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsHandle.html#impl-AsHandle-for-Arc%3CT%3E)
- `windows::io::AsSocket for Box<T>`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsSocket.html#impl-AsSocket-for-Box%3CT%3E)
- `windows::io::AsSocket for Rc<T>`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsSocket.html#impl-AsSocket-for-Rc%3CT%3E)
- `windows::io::AsSocket for Arc<T>`](https://doc.rust-lang.org/stable/std/os/windows/io/trait.AsSocket.html#impl-AsSocket-for-Arc%3CT%3E)

These APIs are now stable in const contexts:

- `<*const T>::read`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.read)
- `<*const T>::read_unaligned`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.read_unaligned)
- `<*mut T>::read`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.read-1)
- `<*mut T>::read_unaligned`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.read_unaligned-1)
- `ptr::read`](https://doc.rust-lang.org/stable/std/ptr/fn.read.html)
- `ptr::read_unaligned`](https://doc.rust-lang.org/stable/std/ptr/fn.read_unaligned.html)
- `<[T]>::split_at`](https://doc.rust-lang.org/stable/std/primitive.slice.html#method.split_at)

Cargo
-----

- Allow named debuginfo options in `Cargo.toml`.
- Add `workspace_default_members` to the output of `cargo metadata`.
- `cargo add` now considers `rust-version` when selecting packages.
- Automatically inherit workspace fields when running `cargo new`/`cargo init`.

Rustdoc
-------

- Add a new `rustdoc::unescaped_backticks` lint for broken inline code.
- Support strikethrough with single tildes.](https://github.com/rust-lang/rust/pull/111152/) (`~~old~~` vs. `~new~`)

Misc
----

Compatibility Notes
-------------------

- Remove structural match from `TypeId`.
  Code that uses a constant `TypeId` in a pattern will potentially be broken.
  Known cases have already been fixed -- in particular, users of the `log`
  crate's `kv_unstable` feature should update to `log v0.4.18` or later.
- Add a `sysroot` crate to represent the standard library crates.
  This does not affect stable users, but may require adjustment in tools that build their own standard library.
- Cargo optimizes its usage under `rustup`. When
  Cargo detects it will run `rustc` pointing to a rustup proxy, it'll try bypassing the proxy and
  use the underlying binary directly. There are assumptions around the interaction with rustup and
  `RUSTUP_TOOLCHAIN`. However, it's not expected to affect normal users.
- When querying a package, Cargo tries only the original name, all hyphens, and all underscores to
  handle misspellings. Previously, Cargo tried each
  combination of hyphens and underscores, causing excessive requests to crates.io.
- Cargo now disallows `RUSTUP_HOME` and
  `RUSTUP_TOOLCHAIN` in the `[env]` configuration
  table. This is considered to be not a use case Cargo would like to support, since it will likely
  cause problems or lead to confusion.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3251-1
Released:    Tue Aug  8 22:15:14 2023
Summary:     Security update for rust1.71
Type:        security
Severity:    important
References:  1213817,CVE-2023-38497
This update for rust1.71 fixes the following issues:

Update to version 1.71.1:

- CVE-2023-38497: Fixed privilege escalation with Cargo not respecting umask when extracting dependencies (bsc#1213817).

The following package changes have been done:

- rust1.71-1.71.1-150400.9.6.1 added
- cargo1.71-1.71.1-150400.9.6.1 added
- container:sles15-image-15.0.0-36.5.34 updated
- cargo1.70-1.70.0-150400.9.3.1 removed
- rust1.70-1.70.0-150400.9.3.1 removed