[1.96] Fix CVE-2026-5222 and CVE-2026-5223 #17030
Cargo has historically not allowed creating .crate packages containing symlinks. (It packages the symlink target in place of the symlink, instead.) So, any package containing a symlink would have to be hand-constructed. Such packages are also not allowed on crates.io, so it could only come from an alternate registry. Rather than dealing with symlink traversal attacks when unpacking a crate, just prohibit symlinks entirely. In the process, also prohibit other kinds of unusual entries. As an exception, allow character devices but warn about them, because some exist in crates on crates.io.
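The entry-type policy described above, as an added example that is not cargo's own code: a std-only walker over raw ustar headers that rejects symlinks and other unusual entry kinds outright, lets character devices through with a warning, and stops at the first rejection so nothing is written to disk. The typeflag-to-verdict mapping follows the description; treating directories and PAX/GNU long-name metadata records as ordinary entries is this example's assumption, not something the PR states. The sample archive is constructed in memory for illustration and is not a real .crate file.

```rust
const BLOCK: usize = 512;

/// What the unpack policy decides for one archive entry.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Verdict {
    Allow,
    /// Allowed, but the unpacker should print a warning (character devices).
    AllowWithWarning(String),
    Reject(String),
}

/// Classify one entry by its ustar typeflag byte (header offset 156).
/// Symlinks and other unusual kinds are rejected; character devices are
/// allowed with a warning, as the PR description says. Treating directories
/// and PAX/GNU long-name metadata records as ordinary is this example's own
/// assumption, not something the PR states.
pub fn classify(typeflag: u8, name: &str) -> Verdict {
    match typeflag {
        b'0' | 0 | b'5' => Verdict::Allow, // regular file, directory
        b'x' | b'g' | b'L' | b'K' => Verdict::Allow, // PAX / GNU metadata records (assumed allowed)
        b'3' => Verdict::AllowWithWarning(format!("`{name}` is a character device")),
        b'2' => Verdict::Reject(format!("`{name}` is a symlink, which is not allowed")),
        b'1' => Verdict::Reject(format!("`{name}` is a hard link, which is not allowed")),
        other => Verdict::Reject(format!("`{name}` has unsupported entry type {:?}", other as char)),
    }
}

/// NUL-terminated text field of a tar header.
fn cstr(field: &[u8]) -> String {
    let end = field.iter().position(|&b| b == 0).unwrap_or(field.len());
    String::from_utf8_lossy(&field[..end]).into_owned()
}

/// Octal numeric field (terminated by NUL or space).
fn parse_octal(field: &[u8]) -> Result<usize, String> {
    let mut n = 0usize;
    for &b in field {
        match b {
            b'0'..=b'7' => n = n * 8 + usize::from(b - b'0'),
            0 | b' ' => break,
            _ => return Err(format!("invalid byte {b:#04x} in octal size field")),
        }
    }
    Ok(n)
}

/// Walk a raw (uncompressed) tar stream, applying `classify` to every header.
/// Returns the per-entry verdicts, or the first rejection as an error so the
/// caller can abort before extracting anything.
pub fn check_archive(data: &[u8]) -> Result<Vec<(String, Verdict)>, String> {
    let mut out = Vec::new();
    let mut off = 0;
    while off + BLOCK <= data.len() {
        let hdr = &data[off..off + BLOCK];
        if hdr.iter().all(|&b| b == 0) {
            break; // end-of-archive marker
        }
        let name = cstr(&hdr[0..100]);
        let size = parse_octal(&hdr[124..136])?;
        let verdict = classify(hdr[156], &name);
        if let Verdict::Reject(msg) = &verdict {
            return Err(msg.clone());
        }
        out.push((name, verdict));
        // Skip the header and the entry's data, padded to whole 512-byte blocks.
        off += BLOCK + (size + BLOCK - 1) / BLOCK * BLOCK;
    }
    Ok(out)
}

/// Build one ustar header for the constructed sample archive below.
fn header(name: &str, typeflag: u8, size: usize) -> [u8; BLOCK] {
    assert!(name.len() < 100);
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..107].copy_from_slice(b"0000644"); // mode
    h[108..115].copy_from_slice(b"0000000"); // uid
    h[116..123].copy_from_slice(b"0000000"); // gid
    h[124..135].copy_from_slice(format!("{size:011o}").as_bytes());
    h[136..147].copy_from_slice(b"00000000000"); // mtime
    h[156] = typeflag;
    h[257..262].copy_from_slice(b"ustar");
    h[263..265].copy_from_slice(b"00");
    // The checksum is computed with the checksum field itself filled with spaces.
    h[148..156].copy_from_slice(b"        ");
    let sum: u32 = h.iter().map(|&b| u32::from(b)).sum();
    h[148..155].copy_from_slice(format!("{sum:06o}\0").as_bytes());
    h
}

/// Constructed sample: one ordinary source file followed by an entry of `kind`
/// (e.g. b'2' for a symlink, b'3' for a character device). Not a real crate.
pub fn sample_archive(kind: u8) -> Vec<u8> {
    let body = b"// ok";
    let mut a = Vec::new();
    a.extend_from_slice(&header("pkg-1.0.0/src/lib.rs", b'0', body.len()));
    let mut padded = body.to_vec();
    padded.resize(BLOCK, 0);
    a.extend_from_slice(&padded);
    a.extend_from_slice(&header("pkg-1.0.0/odd-entry", kind, 0));
    a.extend_from_slice(&[0u8; 2 * BLOCK]); // end-of-archive blocks
    a
}

fn main() {
    for kind in [b'0', b'3', b'2', b'6'] {
        match check_archive(&sample_archive(kind)) {
            Ok(entries) => {
                for (name, v) in entries {
                    println!("{name}: {v:?}");
                }
            }
            Err(e) => println!("rejected: {e}"),
        }
    }
}
```

Rejecting on the entry type rather than trying to validate where a symlink points is the point of the policy: the header check needs no filesystem state, so there is no window in which a link created by an earlier entry can redirect a later write.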
r? @weihanglo
rustbot has assigned @weihanglo.
@emilyalbini would you have time to do a backport in rust-lang/rust?

@weihanglo it's going to be included in the stable PR by @cuviper

Can you also make a branch with these fixes for 1.97-beta? The submodule is currently at commit 4d1f984.

You are the one that normally creates the branch. That is handled in https://forge.rust-lang.org/release/process.html#updating-the-base-of-the-beta-and-stable-branches.

Do you need the branch before that is run?

Yes, I updated the rust-lang/rust branches already. Here I mean a cargo branch (

Oh I see, that did create

Sure, posted #17032.
[stable] prepare Rust 1.96.0
https://forge.rust-lang.org/release/process.html#stable-pr
- Update cargo for CVE-2026-5222 and CVE-2026-5223 (rust-lang/cargo#17030)
- Sync relnotes for 1.96.0
- Bump to stable release
r? cuviper
See the advisories for CVE-2026-5222 and CVE-2026-5223.
The first commit has been reviewed privately by @ehuss, @weihanglo and myself. The second commit has been reviewed privately by @arlosi.