openSUSE Security Update: Security update for rust, rust1.58, rust1.59
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:0843-1
Rating:             moderate
References:         #1194767 
Cross-References:   CVE-2022-21658
CVSS scores:
                    CVE-2022-21658 (NVD) : 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
                    CVE-2022-21658 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Products:
                    openSUSE Leap 15.3
                    openSUSE Leap 15.4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for rust, rust1.58, rust1.59 fixes the following issues:

   This update provides both rust1.58 and rust1.59.

   Changes in rust1.58:

   - Add recommends for GCC for installs to be able to link.
   - Add suggests for lld/clang which are faster than gcc for linking to
     allow users choice on what they use.
   - CVE-2022-21658: Resolve race condition in std::fs::remove_dir_all
     (bsc#1194767)

   Version 1.58.0 (2022-01-13) ==========================

   Language
   --------
   - [Format strings can now capture arguments simply by writing `{ident}` in
     the string.][90473] This works in all macros accepting format strings.
     Support for this in `panic!` (`panic!("{ident}")`) requires the 2021
     edition; panic invocations in previous editions that appear to be trying
     to use this will result in a warning lint about not having the intended
     effect.
   - [`*const T` pointers can now be dereferenced in const contexts.][89551]
   - [The rules for when a generic struct implements `Unsize` have been
     relaxed.][90417] Compiler
   --------
   - [Add LLVM CFI support to the Rust compiler][89652]
   - [Stabilize -Z strip as -C strip][90058]. Note that while release builds
     already don't add debug symbols for the code you compile, the compiled
     standard library that ships with Rust includes debug symbols, so you may
     want to use the `strip` option to remove these symbols to produce
     smaller release binaries. Note that this release only includes support
     in rustc, not directly in cargo.
   - [Add support for LLVM coverage mapping format versions 5 and 6][91207]
   - [Emit LLVM optimization remarks when enabled with `-Cremark`][90833]
   - [Update the minimum external LLVM to 12][90175]
   - [Add `x86_64-unknown-none` at Tier 3*][89062]
   - [Build musl dist artifacts with debuginfo enabled][90733]. When building
     release binaries using musl, you may want to use the newly stabilized
     strip option to remove these debug symbols, reducing the size of your
     binaries.
   - [Don't abort compilation after giving a lint error][87337]
   - [Error messages point at the source of trait bound obligations in more
     places][89580] \* Refer to Rust's [platform support
     page][platform-support-doc] for more information on Rust's tiered
     platform support.

   Libraries
   ---------

   - [All remaining functions in the standard library have `#[must_use]`
     annotations where appropriate][89692], producing a warning when ignoring
     their return value. This helps catch mistakes such as expecting a
     function to mutate a value in place rather than return a new value.
   - [Paths are automatically canonicalized on Windows for operations that
     support it][89174]
   - [Re-enable debug checks for `copy` and `copy_nonoverlapping`][90041]
   - [Implement `RefUnwindSafe` for `Rc`][87467]
   - [Make RSplit: Clone not require T: Clone][90117]
   - [Implement `Termination` for `Result`][88601]. This
     allows writing `fn main() -> Result`, for a
     program whose successful exits never involve returning from `main` (for
     instance, a program that calls `exit`, or that uses `exec` to run
     another program).

   Stabilized APIs
   ---------------

   - [`Metadata::is_symlink`]
   - [`Path::is_symlink`]
   - [`{integer}::saturating_div`]
   - [`Option::unwrap_unchecked`]
   - [`Result::unwrap_unchecked`]
   - [`Result::unwrap_err_unchecked`]
   - [`NonZero{unsigned}::is_power_of_two`]
   - [`File::options`] These APIs are now usable in const contexts:
   - [`Duration::new`]
   - [`Duration::checked_add`]
   - [`Duration::saturating_add`]
   - [`Duration::checked_sub`]
   - [`Duration::saturating_sub`]
   - [`Duration::checked_mul`]
   - [`Duration::saturating_mul`]
   - [`Duration::checked_div`]
   - [`MaybeUninit::as_ptr`]
   - [`MaybeUninit::as_mut_ptr`]
   - [`MaybeUninit::assume_init`]
   - [`MaybeUninit::assume_init_ref`]

   Cargo
   -----

   - [Add --message-format for install command][cargo/10107]
   - [Warn when alias shadows external subcommand][cargo/10082]

   Rustdoc
   -------

   - [Show all Deref implementations recursively in rustdoc][90183]
   - [Use computed visibility in rustdoc][88447]

   Compatibility Notes
   -------------------

   - [Try all stable method candidates first before trying unstable
     ones][90329]. This change ensures that adding new nightly-only methods
     to the Rust standard library will not break code invoking methods of the
     same name from traits outside the standard library.
   - Windows: [`std::process::Command` will no longer search the current
     directory for executables.][87704]
   - [All proc-macro backward-compatibility lints are now
     deny-by-default.][88041]
   - [proc_macro: Append .0 to unsuffixed float if it would otherwise become
     int token][90297]
   - [Refactor weak symbols in std::sys::unix][90846]. This optimizes
     accesses to glibc functions, by avoiding the use of dlopen. This does
     not increase the [minimum expected version of
     glibc](https://doc.rust-lang.org/nightly/rustc/platform-support.html).
     However, software distributions that use symbol versions to detect
     library dependencies, and which take weak symbols into account in that
     analysis, may detect rust binaries as requiring newer versions of glibc.
   - [rustdoc now rejects some unexpected semicolons in doctests][91026]

   Version 1.59.0 (2022-02-24) ==========================

   Language
   --------

   - [Stabilize default arguments for const generics][90207]
   - [Stabilize destructuring assignment][90521]
   - [Relax private in public lint on generic bounds and where clauses of
     trait impls][90586]
   - [Stabilize asm! and global_asm! for x86, x86_64, ARM, Aarch64, and
     RISC-V][91728]

   Compiler
   --------

   - [Stabilize new symbol mangling format, leaving it opt-in
     (-Csymbol-mangling-version=v0)][90128]
   - [Emit LLVM optimization remarks when enabled with `-Cremark`][90833]
   - [Fix sparc64 ABI for aggregates with floating point members][91003]
   - [Warn when a `#[test]`-like built-in attribute macro is present multiple
     times.][91172]
   - [Add support for riscv64gc-unknown-freebsd][91284]
   - [Stabilize `-Z emit-future-incompat` as `--json future-incompat`][91535]

   Libraries
   ---------

   - [Remove unnecessary bounds for some Hash{Map,Set} methods][91593]

   Stabilized APIs
   ---------------

   - [`std::thread::available_parallelism`][available_parallelism]
   - [`Result::copied`][result-copied]
   - [`Result::cloned`][result-cloned]
   - [`arch::asm!`][asm]
   - [`arch::global_asm!`][global_asm]
   - [`ops::ControlFlow::is_break`][is_break]
   - [`ops::ControlFlow::is_continue`][is_continue]
   - [`TryFrom for u8`][try_from_char_u8]
   - [`char::TryFromCharError`][try_from_char_err] implementing `Clone`,
     `Debug`, `Display`, `PartialEq`, `Copy`, `Eq`, `Error`
   - [`iter::zip`][zip]
   - [`NonZeroU8::is_power_of_two`][is_power_of_two8]
   - [`NonZeroU16::is_power_of_two`][is_power_of_two16]
   - [`NonZeroU32::is_power_of_two`][is_power_of_two32]
   - [`NonZeroU64::is_power_of_two`][is_power_of_two64]
   - [`NonZeroU128::is_power_of_two`][is_power_of_two128]
   - [`DoubleEndedIterator for ToLowercase`][lowercase]
   - [`DoubleEndedIterator for ToUppercase`][uppercase]
   - [`TryFrom<&mut [T]> for [T; N]`][tryfrom_ref_arr]
   - [`UnwindSafe for Once`][unwindsafe_once]
   - [`RefUnwindSafe for Once`][refunwindsafe_once]
   - [armv8 neon intrinsics for aarch64][stdarch/1266] Const-stable:
   - [`mem::MaybeUninit::as_ptr`][muninit_ptr]
   - [`mem::MaybeUninit::assume_init`][muninit_init]
   - [`mem::MaybeUninit::assume_init_ref`][muninit_init_ref]
   - [`ffi::CStr::from_bytes_with_nul_unchecked`][cstr_from_bytes]

   Cargo
   -----

   - [Stabilize the `strip` profile option][cargo/10088]
   - [Stabilize future-incompat-report][cargo/10165]
   - [Support abbreviating `--release` as `-r`][cargo/10133]
   - [Support `term.quiet` configuration][cargo/10152]
   - [Remove `--host` from cargo {publish,search,login}][cargo/10145]

   Compatibility Notes
   -------------------

   - [Refactor weak symbols in std::sys::unix][90846] This may add new,
     versioned, symbols when building with a newer glibc, as the standard
     library uses weak linkage rather than dynamically attempting to load
     certain symbols at runtime.
   - [Deprecate crate_type and crate_name nested inside
     `#![cfg_attr]`][83744] This adds a future compatibility lint to
     supporting the use of cfg_attr wrapping either crate_type or crate_name
     specification within Rust files; it is recommended that users migrate to
     setting the equivalent command line flags.
   - [Remove effect of `#[no_link]` attribute on name resolution][92034] This
     may expose new names, leading to conflicts with preexisting names in a
     given namespace and a compilation failure.
   - [Cargo will document libraries before binaries.][cargo/10172]
   - [Respect doc=false in dependencies, not just the root crate][cargo/10201]
   - [Weaken guarantee around advancing underlying iterators in zip][83791]
   - [Make split_inclusive() on an empty slice yield an empty output][89825]
   - [Update std::env::temp_dir to use GetTempPath2 on Windows when
     available.][89999]

   Changes in rust wrapper package:

   - Update to version 1.59.0 - for details see the rust1.59 package

   - Update package description to help users choose what tooling to install.

   - Provide rust+cargo by cargo: all cargo package provide this symbol
     too. Having the meta package provide it allows OBS to have a generic
     prefernece on the meta package for all packages 'just' requiring
     rust+cargo.

   - Update to version 1.58.0


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.4:

      zypper in -t patch openSUSE-SLE-15.4-2022-843=1

   - openSUSE Leap 15.3:

      zypper in -t patch openSUSE-SLE-15.3-2022-843=1



Package List:

   - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):

      cargo-1.59.0-150300.21.20.1
      rust-1.59.0-150300.21.20.1

   - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

      cargo-1.59.0-150300.21.20.1
      cargo1.58-1.58.0-150300.7.3.1
      cargo1.58-debuginfo-1.58.0-150300.7.3.1
      cargo1.59-1.59.0-150300.7.4.2
      cargo1.59-debuginfo-1.59.0-150300.7.4.2
      rust-1.59.0-150300.21.20.1
      rust1.58-1.58.0-150300.7.3.1
      rust1.58-debuginfo-1.58.0-150300.7.3.1
      rust1.59-1.59.0-150300.7.4.2
      rust1.59-debuginfo-1.59.0-150300.7.4.2


References:

   https://www.suse.com/security/cve/CVE-2022-21658.html
   https://bugzilla.suse.com/1194767