Debian Package Tracker

cargo

Rust package manager


general
  • source: cargo (main)
  • version: 0.66.0+ds1-1
  • maintainer: Rust Maintainers (archive) (DMD)
  • uploaders: Vasudev Kamath [DMD] – Luca Bruno [DMD] – Ximin Luo [DMD] – Angus Lees [DMD]
  • arch: all any
  • std-ver: 4.2.1
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 0.35.0-2~deb9u2
  • o-o-sec: 0.43.1-3~deb9u1
  • oldstable: 0.43.1-3~deb10u1
  • stable: 0.47.0-3
  • testing: 0.66.0+ds1-1
  • unstable: 0.66.0+ds1-1
versioned links
  • 0.35.0-2~deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.35.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.43.1-3~deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.43.1-3~deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.47.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.66.0+ds1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • cargo (2 bugs: 0, 1, 1, 0)
  • cargo-doc (2 bugs: 0, 2, 0, 0)
action needed
A new upstream version is available: 0.69.0 high
A new upstream version 0.69.0 is available, you should consider packaging it.
Created: 2022-12-16 Last update: 2023-03-29 13:32
debian/patches: 1 patch with invalid metadata, 11 patches to forward upstream high

Among the 13 debian patches available in version 0.66.0+ds1-1 of the package, we noticed the following issues:

  • 1 patch with invalid metadata that ought to be fixed.
  • 11 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2023-02-27 20:59
Does not build reproducibly during testing normal
A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!
Created: 2023-01-20 Last update: 2023-03-29 15:42
8 new commits since last upload, is it time to release? normal
vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:
commit 4855d12f9d91860a7b79b919deba1f08a19879aa
Author: Fabian Grünbichler <debian@fabian.gruenbichler.email>
Date:   Wed Jan 11 18:55:48 2023 +0100

    bump version to 0.66.0+ds1-1
    
    Signed-off-by: Fabian Grünbichler <debian@fabian.gruenbichler.email>

commit 70bdb1bfa856db01fb5db7b20a757d2247a91c29
Author: Fabian Grünbichler <debian@fabian.gruenbichler.email>
Date:   Wed Jan 11 19:10:20 2023 +0100

    update d/copyright
    
    for newly added, vendored dependencies
    
    Signed-off-by: Fabian Grünbichler <debian@fabian.gruenbichler.email>

commit 1520c2f6fcd6635d981efe711f18680715a923e9
Merge: 43d600468a 219e736326
Author: Fabian Grünbichler <debian@fabian.gruenbichler.email>
Date:   Thu Jan 12 15:39:19 2023 +0100

    Update upstream source from tag 'upstream/0.66.0+ds1'
    
    Update to upstream version '0.66.0+ds1'
    with Debian dir 1eb4fb8eeb65bb50b9f85a4fc4d6a3d47395bc12

commit 219e7363266c99449e0b6e631b331223ec928c7a
Merge: a9f67d5777 4bc8f24d3e
Author: Fabian Grünbichler <debian@fabian.gruenbichler.email>
Date:   Thu Jan 12 15:38:52 2023 +0100

    New upstream version 0.66.0+ds1

commit 43d600468a6af77de5e61ce14569fc0ee1331a35
Author: Fabian Grünbichler <debian@fabian.gruenbichler.email>
Date:   Wed Jan 11 18:41:56 2023 +0100

    update unsuspicious files
    
    for dependencies pulled in by the CVE fix
    
    Signed-off-by: Fabian Grünbichler <debian@fabian.gruenbichler.email>

commit 4c7a4b8cb95f8822fd06838e6039e269db717e74
Author: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Date:   Wed Jan 11 10:50:21 2023 +0100

    apply CVE fix for tarball generation
    
    the fix updates and adds dependencies which we need to vendor.
    
    Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

commit e3191111227fe933f83c88719e646c333103afd0
Author: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Date:   Wed Jan 11 11:04:09 2023 +0100

    adjust CVE patches for src:cargo
    
    Cargo.toml files are not normalized here, since they are not obtained from
    crates.io but from the upstream tarball. The bundled cargo-test-support crate
    also needs to be adjusted.
    
    Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

commit c08743d18400e90c6c6c3f327c01f7b8d3bc50fa
Author: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Date:   Wed Jan 11 10:50:07 2023 +0100

    add CVE-2022-46176 fix
    
    Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Created: 2023-01-12 Last update: 2023-03-21 22:10
lintian reports 23 warnings normal
Lintian reports 23 warnings about this package. You should make the package lintian clean by getting rid of them.
Created: 2023-01-10 Last update: 2023-02-18 12:36
RFH: The maintainer is looking for help with this package. normal
The current maintainer is looking for someone who can help with the maintenance of this package. If you are interested in this package, please consider helping out. One way you can help is to offer to be a co-maintainer or to triage bugs in the BTS. Please see bug number #860116 for more information.
Created: 2017-12-02 Last update: 2017-12-02 00:25
Multiarch hinter reports 1 issue(s) low
There are issues with the multiarch metadata for this package.
  • cargo-doc could be marked Multi-Arch: foreign
Created: 2016-09-14 Last update: 2023-03-29 15:44
3 low-priority security issues in bullseye low

There are 3 open security issues in bullseye.

3 issues left for the package maintainer to handle:
  • CVE-2022-36113: (needs triaging) Cargo is a package manager for the Rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the root of the extracted source code once it has extracted all the files. It was discovered that Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo would extract. Then, when Cargo attempted to write "ok" into .cargo-ok, it would actually replace the first two bytes of the file the symlink pointed to with "ok". This would allow an attacker to corrupt one file on the machine using Cargo to extract the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain. Mitigations: We recommend users of alternate registries to exercise care in which packages they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to exercise care in choosing their dependencies though, as remote code execution is allowed by design there as well.
  • CVE-2022-36114: (needs triaging) Cargo is a package manager for the Rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts far more data than its size (also known as a "zip bomb"), exhausting the disk space on the machine using Cargo to download the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain. We recommend users of alternate registries to exercise care in which packages they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to exercise care in choosing their dependencies though, as the same concerns about build scripts and procedural macros apply here.
  • CVE-2022-46176: (needs triaging) Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url.<base>.insteadOf`][1] setting), as that would cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and aborts the connection if the server's public key is not already trusted. We recommend that everyone upgrade as soon as possible.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-09-16 Last update: 2023-03-27 11:06
Build log checks report 2 warnings low
Build log checks report 2 warnings
Created: 2020-12-06 Last update: 2021-10-24 10:05
Standards version of the package is outdated. wishlist
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.6.2 instead of 4.2.1).
Created: 2018-12-23 Last update: 2023-01-13 01:13
news
[rss feed]
  • [2023-01-18] cargo 0.66.0+ds1-1 MIGRATED to testing (Debian testing watch)
  • [2023-01-12] Accepted cargo 0.66.0+ds1-1 (source) into unstable (Fabian Gruenbichler)
  • [2023-01-12] cargo 0.66.0-1 MIGRATED to testing (Debian testing watch)
  • [2023-01-09] Accepted cargo 0.66.0-1 (source) into unstable (Fabian Gruenbichler)
  • [2022-12-09] cargo 0.63.1-3 MIGRATED to testing (Debian testing watch)
  • [2022-12-07] Accepted cargo 0.63.1-3 (source) into unstable (Fabian Gruenbichler) (signed by: Jochen Sprickerhof)
  • [2022-11-19] Accepted cargo 0.63.1-2 (source) into unstable (Fabian Gruenbichler) (signed by: Sylvestre Ledru)
  • [2022-11-16] Accepted cargo 0.63.1-1 (source) into unstable (Fabian Gruenbichler) (signed by: Sylvestre Ledru)
  • [2022-05-06] cargo 0.57.0-7 MIGRATED to testing (Debian testing watch)
  • [2022-05-02] Accepted cargo 0.57.0-7 (source) into unstable (Peter Michael Green)
  • [2022-04-10] Accepted cargo 0.57.0-6 (source) into experimental (Peter Michael Green)
  • [2022-03-09] Accepted cargo 0.57.0-5 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
  • [2022-03-07] Accepted cargo 0.57.0-4 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
  • [2021-10-29] cargo 0.57.0-3 MIGRATED to testing (Debian testing watch)
  • [2021-10-24] Accepted cargo 0.57.0-3 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
  • [2021-10-24] Accepted cargo 0.57.0-2 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
  • [2021-10-24] Accepted cargo 0.57.0-1 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
  • [2020-12-13] cargo 0.47.0-3 MIGRATED to testing (Debian testing watch)
  • [2020-12-08] Accepted cargo 0.47.0-3 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
  • [2020-12-08] Accepted cargo 0.47.0-2 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
  • [2020-12-06] Accepted cargo 0.47.0-1 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
  • [2020-12-03] cargo 0.43.1-4 MIGRATED to testing (Debian testing watch)
  • [2020-11-28] Accepted cargo 0.43.1-4 (source) into unstable (Jan Niehusmann)
  • [2020-10-02] Accepted cargo 0.47.0-1~exp1 (source) into experimental (Ximin Luo) (signed by: infinity0@debian.org)
  • [2020-09-17] Accepted cargo 0.43.1-3~deb9u1 (source) into oldstable (Emilio Pozuelo Monfort)
  • [2020-09-15] Accepted cargo 0.43.1-3~deb10u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Emilio Pozuelo Monfort)
  • [2020-04-25] cargo 0.43.1-3 MIGRATED to testing (Debian testing watch)
  • [2020-04-20] Accepted cargo 0.43.1-3 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
  • [2020-04-20] Accepted cargo 0.43.1-2 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
  • [2020-04-18] Accepted cargo 0.43.1-1 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
bugs [bug history graph]
  • all: 4
  • RC: 0
  • I&N: 3
  • M&W: 1
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 23)
  • buildd: logs, checks, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debian patches
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 0.68.0+ds0ubuntu1-0ubuntu1
  • 2 bugs
  • patches for 0.68.0+ds0ubuntu1-0ubuntu1
