From 97b80919e404b0768ea31ae329c3b4da54bed05a Mon Sep 17 00:00:00 2001 From: Josh Triplett Date: Thu, 18 Aug 2022 17:17:19 +0200 Subject: [PATCH] CVE-2022-36113: avoid unpacking .cargo-ok from the crate --- src/cargo/sources/registry/mod.rs | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) gyakovlev: 'sed -i 's|/src/cargo|/src/tools/cargo/src/cargo|g' diff --git a/src/tools/cargo/src/cargo/sources/registry/mod.rs b/src/tools/cargo/src/cargo/sources/registry/mod.rs index c17b822fd0..a2863bf78a 100644 --- a/src/tools/cargo/src/cargo/sources/registry/mod.rs +++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs @@ -639,6 +639,13 @@ impl<'cfg> RegistrySource<'cfg> { prefix ) } + // Prevent unpacking the lockfile from the crate itself. + if entry_path + .file_name() + .map_or(false, |p| p == PACKAGE_SOURCE_LOCK) + { + continue; + } // Unpacking failed let mut result = entry.unpack_in(parent).map_err(anyhow::Error::from); if cfg!(windows) && restricted_names::is_windows_reserved_path(&entry_path) { @@ -654,16 +661,14 @@ impl<'cfg> RegistrySource<'cfg> { .with_context(|| format!("failed to unpack entry at `{}`", entry_path.display()))?; } - // The lock file is created after unpacking so we overwrite a lock file - // which may have been extracted from the package. + // Now that we've finished unpacking, create and write to the lock file to indicate that + // unpacking was successful. let mut ok = OpenOptions::new() - .create(true) + .create_new(true) .read(true) .write(true) .open(&path) .with_context(|| format!("failed to open `{}`", path.display()))?; - - // Write to the lock file to indicate that unpacking was successful. write!(ok, "ok")?; Ok(unpack_dir.to_path_buf())