cargo - Debian Package Tracker

general

source: cargo (main)
version: 0.66.0+ds1-1
maintainer: Rust Maintainers (archive) (DMD)
uploaders: Vasudev Kamath [DMD] – Luca Bruno [DMD] – Ximin Luo [DMD] – Angus Lees [DMD]
arch: all any
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.43.1-3~deb10u1
oldstable: 0.47.0-3
stable: 0.66.0+ds1-1
testing: 0.66.0+ds1-1
unstable: 0.66.0+ds1-1

versioned links

0.35.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.43.1-3~deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.47.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.66.0+ds1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

cargo (3 bugs: 0, 2, 1, 0)
cargo-doc (2 bugs: 0, 2, 0, 0)

action needed

A new upstream version is available: 0.73.1 high

A new upstream version 0.73.1 is available, you should consider packaging it.

Created: 2022-12-16 Last update: 2023-10-08 02:39

Debci reports failed tests high

unstable: fail (log)
The tests ran in 0:03:50
Last run: 2023-10-04T21:57:52.000Z
Previous status: pass

testing: fail (log)
The tests ran in 0:03:18
Last run: 2023-10-02T18:14:03.000Z
Previous status: fail

stable: pass (log)
The tests ran in 0:03:25
Last run: 2023-09-19T20:25:06.000Z
Previous status: pass

Created: 2023-08-08 Last update: 2023-10-08 02:27

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2023-38497: Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.

Created: 2023-08-05 Last update: 2023-08-17 09:26

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2023-38497: Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.

Created: 2023-08-05 Last update: 2023-08-17 09:26

debian/patches: 1 patch with invalid metadata, 11 patches to forward upstream high

Among the 13 debian patches available in version 0.66.0+ds1-1 of the package, we noticed the following issues:

1 patch with invalid metadata that ought to be fixed.
11 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2023-02-27 20:59

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2023-01-20 Last update: 2023-10-07 22:00

10 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit b2d5a606fe97ae2f9ede2463fa28adb5ae2870fc
Merge: 4855d12f9d bac0ad2d5b
Author: Fabian Grünbichler <debian@fabian.gruenbichler.email>
Date:   Sun Apr 23 18:37:00 2023 +0000

    merge request rust-team/cargo!19
    
    d/bin/cargo: handle LTO options from `DEB_BUILD_OPTIONS`

commit bac0ad2d5b64bd9d8878dca43055d4ad02e99237
Author: Zixing Liu <liushuyu011@gmail.com>
Date:   Sun Apr 23 18:36:59 2023 +0000

    d/bin/cargo: handle LTO options from DEB_BUILD_OPTIONS ...
    
    this make cargo wrapper switch on or off LTO phase based on
    DEB_BUILD_OPTIONS set by the debhelper program

commit 4855d12f9d91860a7b79b919deba1f08a19879aa
Author: Fabian Grünbichler <debian@fabian.gruenbichler.email>
Date:   Wed Jan 11 18:55:48 2023 +0100

    bump version to 0.66.0+ds1-1
    
    Signed-off-by: Fabian Grünbichler <debian@fabian.gruenbichler.email>

commit 70bdb1bfa856db01fb5db7b20a757d2247a91c29
Author: Fabian Grünbichler <debian@fabian.gruenbichler.email>
Date:   Wed Jan 11 19:10:20 2023 +0100

    update d/copyright
    
    for newly added, vendored dependencies
    
    Signed-off-by: Fabian Grünbichler <debian@fabian.gruenbichler.email>

commit 1520c2f6fcd6635d981efe711f18680715a923e9
Merge: 43d600468a 219e736326
Author: Fabian Grünbichler <debian@fabian.gruenbichler.email>
Date:   Thu Jan 12 15:39:19 2023 +0100

    Update upstream source from tag 'upstream/0.66.0+ds1'
    
    Update to upstream version '0.66.0+ds1'
    with Debian dir 1eb4fb8eeb65bb50b9f85a4fc4d6a3d47395bc12

commit 219e7363266c99449e0b6e631b331223ec928c7a
Merge: a9f67d5777 4bc8f24d3e
Author: Fabian Grünbichler <debian@fabian.gruenbichler.email>
Date:   Thu Jan 12 15:38:52 2023 +0100

    New upstream version 0.66.0+ds1

commit 43d600468a6af77de5e61ce14569fc0ee1331a35
Author: Fabian Grünbichler <debian@fabian.gruenbichler.email>
Date:   Wed Jan 11 18:41:56 2023 +0100

    update unsuspicious files
    
    for dependencies pulled in by the CVE fix
    
    Signed-off-by: Fabian Grünbichler <debian@fabian.gruenbichler.email>

commit 4c7a4b8cb95f8822fd06838e6039e269db717e74
Author: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Date:   Wed Jan 11 10:50:21 2023 +0100

    apply CVE fix for tarball generation
    
    the fix updates and adds dependencies which we need to vendor.
    
    Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

commit e3191111227fe933f83c88719e646c333103afd0
Author: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Date:   Wed Jan 11 11:04:09 2023 +0100

    adjust CVE patches for src:cargo
    
    Cargo.toml files are not normalized here, since they are not obtained from
    crates.io but from the upstream tarball. The bundled cargo-test-support crate
    also needs to be adjusted.
    
    Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

commit c08743d18400e90c6c6c3f327c01f7b8d3bc50fa
Author: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Date:   Wed Jan 11 10:50:07 2023 +0100

    add CVE-2022-46176 fix
    
    Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

Created: 2023-01-12 Last update: 2023-09-30 23:23

lintian reports 23 warnings normal

Lintian reports 23 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2023-01-10 Last update: 2023-02-18 12:36

RFH: The maintainer is looking for help with this package. normal

The current maintainer is looking for someone who can help with the maintenance of this package. If you are interested in this package, please consider helping out. One way you can help is offer to be a co-maintainer or triage bugs in the BTS. Please see bug number #860116 for more information.

Created: 2017-12-02 Last update: 2017-12-02 00:25

Multiarch hinter reports 1 issue(s) low

There are issues with the multiarch metadata for this package.

cargo-doc could be marked Multi-Arch: foreign

Created: 2016-09-14 Last update: 2023-10-08 02:42

4 low-priority security issues in bullseye low

There are 4 open security issues in bullseye.

4 issues left for the package maintainer to handle:

CVE-2022-36113: (needs triaging) Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the root of the extracted source code once it extracted all the files. It was discovered that Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo would extract. Then, when Cargo attempted to write "ok" into .cargo-ok, it would actually replace the first two bytes of the file the symlink pointed to with ok. This would allow an attacker to corrupt one file on the machine using Cargo to extract the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain. Mitigations We recommend users of alternate registries to exercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to exercise care in choosing their dependencies though, as remote code execution is allowed by design there as well.
CVE-2022-36114: (needs triaging) Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size (also known as a "zip bomb"), exhausting the disk space on the machine using Cargo to download the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain. We recommend users of alternate registries to excercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to excercise care in choosing their dependencies though, as the same concerns about build scripts and procedural macros apply here.
CVE-2022-46176: (needs triaging) Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url.<base>.insteadOf`][1] setting), as that'd cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible.
CVE-2023-38497: (needs triaging) Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-09-16 Last update: 2023-08-17 09:26

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2023-38497: (needs triaging) Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.

You can find information about how to handle this issue in the security team's documentation.

Created: 2023-08-05 Last update: 2023-08-17 09:26

Build log checks report 2 warnings low

Build log checks report 2 warnings

Created: 2020-12-06 Last update: 2021-10-24 10:05

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 4.2.1).

Created: 2018-12-23 Last update: 2023-01-13 01:13

testing migrations

This package will soon be part of the auto-libgit2 transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2023-01-18] cargo 0.66.0+ds1-1 MIGRATED to testing (Debian testing watch)
[2023-01-12] Accepted cargo 0.66.0+ds1-1 (source) into unstable (Fabian Gruenbichler)
[2023-01-12] cargo 0.66.0-1 MIGRATED to testing (Debian testing watch)
[2023-01-09] Accepted cargo 0.66.0-1 (source) into unstable (Fabian Gruenbichler)
[2022-12-09] cargo 0.63.1-3 MIGRATED to testing (Debian testing watch)
[2022-12-07] Accepted cargo 0.63.1-3 (source) into unstable (Fabian Gruenbichler) (signed by: Jochen Sprickerhof)
[2022-11-19] Accepted cargo 0.63.1-2 (source) into unstable (Fabian Gruenbichler) (signed by: Sylvestre Ledru)
[2022-11-16] Accepted cargo 0.63.1-1 (source) into unstable (Fabian Gruenbichler) (signed by: Sylvestre Ledru)
[2022-05-06] cargo 0.57.0-7 MIGRATED to testing (Debian testing watch)
[2022-05-02] Accepted cargo 0.57.0-7 (source) into unstable (Peter Michael Green)
[2022-04-10] Accepted cargo 0.57.0-6 (source) into experimental (Peter Michael Green)
[2022-03-09] Accepted cargo 0.57.0-5 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
[2022-03-07] Accepted cargo 0.57.0-4 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
[2021-10-29] cargo 0.57.0-3 MIGRATED to testing (Debian testing watch)
[2021-10-24] Accepted cargo 0.57.0-3 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
[2021-10-24] Accepted cargo 0.57.0-2 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
[2021-10-24] Accepted cargo 0.57.0-1 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
[2020-12-13] cargo 0.47.0-3 MIGRATED to testing (Debian testing watch)
[2020-12-08] Accepted cargo 0.47.0-3 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
[2020-12-08] Accepted cargo 0.47.0-2 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
[2020-12-06] Accepted cargo 0.47.0-1 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
[2020-12-03] cargo 0.43.1-4 MIGRATED to testing (Debian testing watch)
[2020-11-28] Accepted cargo 0.43.1-4 (source) into unstable (Jan Niehusmann)
[2020-10-02] Accepted cargo 0.47.0-1~exp1 (source) into experimental (Ximin Luo) (signed by: infinity0@debian.org)
[2020-09-17] Accepted cargo 0.43.1-3~deb9u1 (source) into oldstable (Emilio Pozuelo Monfort)
[2020-09-15] Accepted cargo 0.43.1-3~deb10u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Emilio Pozuelo Monfort)
[2020-04-25] cargo 0.43.1-3 MIGRATED to testing (Debian testing watch)
[2020-04-20] Accepted cargo 0.43.1-3 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
[2020-04-20] Accepted cargo 0.43.1-2 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)
[2020-04-18] Accepted cargo 0.43.1-1 (source) into unstable (Ximin Luo) (signed by: infinity0@debian.org)

bugs [bug history graph]

all: 8
RC: 2
I&N: 5
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 23)
buildd: logs, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci