diff --git a/CVE-2024-24575.patch b/CVE-2024-24575.patch
deleted file mode 100644
index 82eb0430c08bbe1c05b6cd5335f4a37854b33e0e..0000000000000000000000000000000000000000
--- a/CVE-2024-24575.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From c9d31b711e8906cf248566f43142f20b03e20cbf Mon Sep 17 00:00:00 2001
-From: Edward Thomson
-Date: Fri, 17 Nov 2023 16:54:47 +0000
-Subject: [PATCH] revparse: fix parsing bug for trailing `@`
-
-Origin: https://github.com/libgit2/libgit2/commit/c9d31b711e8906cf248566f43142f20b03e20cbf
-
-When parsing a revspec that ends with a trailing `@`, explicitly stop
-parsing. Introduce a sentinel variable to explicitly stop parsing.
-
-Prior to this, we would set `spec` to `HEAD`, but were looping on the
-value of `spec[pos]`, so we would continue walking the (new) `spec`
-at offset `pos`, looking for a NUL. This is obviously an out-of-bounds
-read.
-
-Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
----
- vendor/libgit2-sys/libgit2/src/libgit2/revparse.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/vendor/libgit2-sys/libgit2/src/libgit2/revparse.c b/vendor/libgit2-sys/libgit2/src/libgit2/revparse.c
-index 964afe378da..06d92f82bf2 100644
---- a/vendor/libgit2-sys/libgit2/src/libgit2/revparse.c
-+++ b/vendor/libgit2-sys/libgit2/src/libgit2/revparse.c
-@@ -701,6 +701,7 @@ static int revparse(
- git_object *base_rev = NULL;
-
- bool should_return_reference = true;
-+ bool parsed = false;
-
- GIT_ASSERT_ARG(object_out);
- GIT_ASSERT_ARG(reference_out);
-@@ -710,7 +711,7 @@ static int revparse(
- *object_out = NULL;
- *reference_out = NULL;
-
-- while (spec[pos]) {
-+ while (!parsed && spec[pos]) {
- switch (spec[pos]) {
- case '^':
- should_return_reference = false;
-@@ -817,6 +818,8 @@ static int revparse(
- break;
- } else if (spec[pos+1] == '\0') {
- spec = "HEAD";
-+ identifier_len = 4;
-+ parsed = true;
- break;
- }
- /* fall through */
diff --git a/CVE-2024-24577.patch b/CVE-2024-24577.patch
deleted file mode 100644
index f69477e0901cf92494dd1dcdc3611d122c83e740..0000000000000000000000000000000000000000
--- a/CVE-2024-24577.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From eb4c1716cd92bf56f2770653a915d5fc01eab8f3 Mon Sep 17 00:00:00 2001
-From: Edward Thomson
-Date: Sat, 16 Dec 2023 11:19:07 +0000
-Subject: [PATCH] index: correct index has_dir_name check
-
-Origin: https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3
-
-`has_dir_name` is used to check for directory/file collisions,
-and attempts to determine whether the index contains a file with
-a directory name that is a proper subset of the new index entry
-that we're trying to add.
-
-To determine directory name, the function would walk the path string
-backwards to identify a `/`, stopping at the end of the string. However,
-the function assumed that the strings did not start with a `/`. If the
-paths contain only a single `/` at the beginning of the string, then the
-function would continue the loop, erroneously, when they should have
-stopped at the first character.
-
-Correct the order of the tests to terminate properly.
-
-Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
-
----
- vendor/libgit2-sys/libgit2/src/libgit2/index.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/vendor/libgit2-sys/libgit2/src/libgit2/index.c b/vendor/libgit2-sys/libgit2/src/libgit2/index.c
-index 7ebe075..7862273 100644
---- a/vendor/libgit2-sys/libgit2/src/libgit2/index.c
-+++ b/vendor/libgit2-sys/libgit2/src/libgit2/index.c
-@@ -1155,10 +1155,14 @@ static int has_dir_name(git_index *index,
- size_t len, pos;
-
- for (;;) {
-- if (*--slash == '/')
-- break;
-+ slash--;
-+
- if (slash <= entry->path)
- return 0;
-+
-+
-+ if (*slash == '/')
-+ break;
- }
- len = slash - name;
-
---
-2.23.0
-
diff --git a/rust.spec b/rust.spec index dae778133aceb0608cd7eeb5a83d86b81999aa32..170dc5b3e22138066b2ac434f5e401ee387bfacb 100644 --- a/rust.spec +++ b/rust.spec @@ -1,7 +1,7 @@ -%global bootstrap_rust 1.75.0 -%global bootstrap_cargo 1.75.0 -%global bootstrap_channel 1.75.0 -%global bootstrap_date 2023-12-28 +%global bootstrap_rust 1.76.0 +%global bootstrap_cargo 1.76.0 +%global bootstrap_channel 1.76.0 +%global bootstrap_date 2024-02-08 %bcond_with llvm_static %bcond_with bundled_llvm %bcond_without bundled_libgit2 @@ -10,7 +10,7 @@ %bcond_without analyzer Name: rust -Version: 1.76.0 +Version: 1.77.0 Release: 1 Summary: The Rust Programming Language License: Apache-2.0 OR MIT @@ -23,13 +23,11 @@ Source3: cargo-config Source4: cargo-config.sh Source5: cargo-config.csh -Patch0000: rustc-1.76.0-disable-libssh2.patch +Patch0000: rustc-1.77.0-disable-libssh2.patch # By default, rust tries to use "rust-lld" as a linker for some targets. Patch0001: 0001-Use-lld-provided-by-system.patch # Set a substitute-path in rust-gdb for standard library sources. Patch0002: rustc-1.70.0-rust-gdb-substitute-path.patch -Patch0003: CVE-2024-24575.patch -Patch0004: CVE-2024-24577.patch %{lua: function rust_triple(arch) local abi = "gnu" @@ -236,12 +234,10 @@ Man pages and other related help documents for rust. %prep # download source0 and gpg check -cd %{_sourcedir} -rm -f %{SOURCE0} -wget https://user-repo.openeuler.openatom.cn/lfs-tar/rust/rustc-%{version}-src.tar.xz +wget -qO %{SOURCE0} https://user-repo.openeuler.openatom.cn/lfs-tar/rust/rustc-%{version}-src.tar.xz gpg --import %{SOURCE2} gpg --verify %{SOURCE1} %{SOURCE0} -cd - + %ifarch %{bootstrap_arches} %setup -q -n %{bootstrap_root} -T -b %{bootstrap_source} ./install.sh --components=cargo,rustc,rust-std-%{rust_triple} \ 
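Review bot: The `Patch0003: CVE-2024-24575.patch` and `Patch0004: CVE-2024-24577.patch` entries are dropped in this hunk (and their `%patch -P 0003` / `%patch -P 0004` lines in the later %prep hunk) with no record that the libgit2 copy vendored in the 1.77.0 tarball already carries both fixes. The spec keeps `%bcond_without bundled_libgit2`, so the vendored copy appears to be the one that gets built; the git2 0.18.1 → 0.18.2 bump visible in the refreshed libssh2 patch suggests it moved forward, but nothing on this page confirms the two fixes are present. I would check the vendored `revparse.c` and `index.c` for the `parsed` sentinel and the reordered `has_dir_name` loop, and extend the changelog entry with a line such as `- Drop CVE-2024-24575 and CVE-2024-24577 patches, fixed in bundled libgit2`.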
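Review bot: With the download now written straight over `%{SOURCE0}`, the `gpg --verify %{SOURCE1} %{SOURCE0}` step in the %prep hunk is the only integrity check on the tarball, and it runs against the builder's default keyring: `gpg --import %{SOURCE2}` adds the shipped key to whatever is already there, so a valid signature from any other key in that keyring would also let `--verify` succeed. Pinning verification to the shipped key closes that, for example `export GNUPGHOME="$(mktemp -d)"` ahead of the import so the keyring holds only the key from `%{SOURCE2}`. Whether the build root already starts with an empty keyring is not visible from this hunk, so this may be hardening rather than a live gap. The `-q` on wget also hides the reason for a failed fetch, which then surfaces only as a verify error; `wget -nv -O %{SOURCE0} ...` would keep the one-line error. The %prep section continues past the end of the hunk.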
@@ -258,8 +254,6 @@ sed -i.try-python -e '/^try python3 /i try "%{python}" "$@"' ./configure %endif %patch -P 0001 -p1 %patch -P 0002 -p1 -%patch -P 0003 -p1 -%patch -P 0004 -p1 rm -rf vendor/curl-sys*/curl/ rm -rf vendor/jemalloc-sys/jemalloc/ rm -rf vendor/libffi-sys*/libffi/ @@ -490,6 +484,9 @@ export %{rust_env} %{_mandir}/man1/cargo*.1* %changelog +* Wed Apr 03 2024 wangkai <13474090681@163.com> - 1.77.0-1 +- Update to 1.77.0 + * Tue Feb 20 2024 wangkai <13474090681@163.com> - 1.76.0-1 - Update to 1.76.0 diff --git a/rustc-1.76.0-src.tar.xz.asc b/rustc-1.76.0-src.tar.xz.asc deleted file mode 100644 index 70cbdc72b9da3e8ad16ff6b7e126d4820bea271a..0000000000000000000000000000000000000000 --- a/rustc-1.76.0-src.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -wsFcBAABCgAQBQJlxNqSCRCFq5bm+hvl/gAA8kIP/ib21y3Rg18POvESXFDPmXAT -blvZsJwR4GsPcUeT2cUYEsWqrtEjoEjMPDumhaSJY4nt6wuAdpCSDf9RQxFSn5vW -Um68Q4dMqmIA2BOIbgDYIBwMUm+Q/ft+1eaKvitJSldqJCTFVXCee1MxeHpE9HSb -2sBC1sGD0aPecMJ9gnSYo57O9rAtItfWroek8KJ+NOxWABHkbRxhx4wSTK4mPy1i -DAtL4VYXomN3OvU1JiunAKhyuIttnrkH92x+YeUlNwOeLTECfLp8sq9yD0hgAkdW -b12ARrQCnBV3HwrgQNIw78ypPOSDYj4B++NB5F2j3wMCyIs6j/891F14ugzLEHuO -b1sjw/xW12kgUbRoyoW/5o60qE18QxgKaxNfgRme/XEF7hBxwFhOcc3BrBTvcA70 -enFXpiqswpdvAMpW/YNEwT+Zm0UnWmsU9NXSB4cc8otL9Hj4oYyfX1q6XgmuyupL -jNXSd5evfTEjqcnpHFe0pnNJEExET7EQsEWFgn9J4K7hymSu/bliHMBIx+DAA4Ry -IMBP51oj+o+I8E84z9LDlBshGvcJvYsAXMrbpHonng7u9smitSA+oAy54qevS8+9 -kK+UYY95Pl++BxdAFemsldoC0KkKJXGxK0FR2o1ttAA1I+uXrJLJXg8/K7binCeW -A7AXRJdE/spq/O9snPcA -=lnbm ------END PGP SIGNATURE----- diff --git a/rustc-1.76.0-disable-libssh2.patch b/rustc-1.77.0-disable-libssh2.patch similarity index 44% rename from rustc-1.76.0-disable-libssh2.patch rename to rustc-1.77.0-disable-libssh2.patch index 2c6fba2aaaef4b3791aefbbe3898f6f7f167d41f..859fecb7018c134dca64ce1bb18123ca4f061ce2 100644 --- a/rustc-1.76.0-disable-libssh2.patch +++ b/rustc-1.77.0-disable-libssh2.patch 
@@ -1,6 +1,7 @@ ---- rustc-beta-src/src/tools/cargo/Cargo.lock.orig 2024-01-07 18:12:08.000000000 -0800 -+++ rustc-beta-src/src/tools/cargo/Cargo.lock 2024-01-09 15:25:51.519781381 -0800 -@@ -2071,7 +2071,6 @@ +diff -up rustc-beta-src/src/tools/cargo/Cargo.lock.orig rustc-beta-src/src/tools/cargo/Cargo.lock +--- rustc-beta-src/src/tools/cargo/Cargo.lock.orig 2024-02-14 14:06:05.881165093 +0100 ++++ rustc-beta-src/src/tools/cargo/Cargo.lock 2024-02-14 14:06:27.169456166 +0100 +@@ -2072,7 +2072,6 @@ checksum = "ee4126d8b4ee5c9d9ea891dd875c dependencies = [ "cc", "libc", @@ -8,7 +9,7 @@ "libz-sys", "openssl-sys", "pkg-config", -@@ -2113,20 +2112,6 @@ +@@ -2113,20 +2112,6 @@ dependencies = [ "pkg-config", "vcpkg", ] 
@@ -29,14 +30,15 @@ [[package]] name = "libz-sys" ---- rustc-beta-src/src/tools/cargo/Cargo.toml.orig 2024-01-09 15:23:02.369032291 -0800 -+++ rustc-beta-src/src/tools/cargo/Cargo.toml 2024-01-09 15:24:44.015679666 -0800 -@@ -40,7 +40,7 @@ +diff -up rustc-beta-src/src/tools/cargo/Cargo.toml.orig rustc-beta-src/src/tools/cargo/Cargo.toml +--- rustc-beta-src/src/tools/cargo/Cargo.toml.orig 2024-02-14 14:06:10.400226884 +0100 ++++ rustc-beta-src/src/tools/cargo/Cargo.toml 2024-02-14 14:06:51.225785086 +0100 +@@ -44,7 +44,7 @@ curl = "0.4.44" curl-sys = "0.4.70" - filetime = "0.2.22" + filetime = "0.2.23" flate2 = { version = "1.0.28", default-features = false, features = ["zlib"] } --git2 = "0.18.1" -+git2 = { version = "0.18.1", default-features = false, features = ["https"] } +-git2 = "0.18.2" ++git2 = { version = "0.18.2", default-features = false, features = ["https"] } git2-curl = "0.19.0" - gix = { version = "0.56.0", default-features = false, features = ["blocking-http-transport-curl", "progress-tree", "revision"] } - gix-features-for-configuration-only = { version = "0.35.0", package = "gix-features", features = [ "parallel" ] } + gix = { version = "0.57.1", default-features = false, features = ["blocking-http-transport-curl", "progress-tree", "revision"] } + gix-features-for-configuration-only = { version = "0.37.1", package = "gix-features", features = [ "parallel" ] } diff --git a/rustc-1.76.0-src.tar.xz b/rustc-1.77.0-src.tar.xz similarity index 100% rename from rustc-1.76.0-src.tar.xz rename to rustc-1.77.0-src.tar.xz diff --git a/rustc-1.77.0-src.tar.xz.asc b/rustc-1.77.0-src.tar.xz.asc new file mode 100644 index 0000000000000000000000000000000000000000..44f12326ef24c83340f55f5ac6131929e7af42d8 --- /dev/null +++ b/rustc-1.77.0-src.tar.xz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +wsFcBAABCgAQBQJl/CkOCRCFq5bm+hvl/gAAuN4P/AxpjflIRg2vOkzczcrTlQYU +fe9c75ru0IH5RpKZ4sTVaG+qoJqsTD/08Dzv06KzNqiShXFBGsSaZ3f46n7jZW8f +bYQFNeCU8jz2DxxvoAty38Zlk5ib/38Cu95ckSoXBDuycXrFTY9ojc6NWSu2vNE4 +JXv2yRkW6hiNdO87/KV5H8eshklOGudWVkcoRRZw91X2DopsdqTMiCHzPOWGK3J1 +mdz9DjkVj6DKDetrbuX/7N1zosI49Zmg5Eb15JE30pG43l7pyCfKtB2IKpLmugNn +hSi9QqpL0/qKHWVNJ2E2ZkVrCtdX8crxlN8iE/U+VNVa7ZpzsIv7w7SYI4e15HEd +pPWfurYy0gKNpOABiROebqfAfPgDUyU9sufvDnQJD5jv0LWqrBibm2fekIc4xC1B +hvXU46xfXiVqwIgR5FjmwVEwphZoGmju4WrMLQ/bVjfMC8MInISQv4MiFw/0JY/B +f0ePnVQ2kRU/ls1VxidXnKalTNSoR1ORGVDNR3wJV0Ju9xROzWWO0b9p4m5ciyO+ +uwMTQcyxyCtNfnxpXTB3XY2YD1ZjqIzop9D3+aRMajxa/PmlxhgXveUjDUc6tc+v +9rQODuxbKHKbg4BlVrtMWIVDV0zArASTuTI3u74+aPCht7Dq3AsnWHhAydeGKwoT +hM+dv4sh161mi7G6WMgN +=eWLu +-----END PGP SIGNATURE-----