Auto merge of #11556 - pietroalbini:cve-2022-46176, r=weihanglo

Add fix for CVE-2022-46176 r? `@ehuss`
rust-lang · Jan 10, 2023 · 0849a28 · 0849a28
2 parents 247b22f + d992ab4
commit 0849a28
Show file tree

Hide file tree

Showing 11 changed files with 903 additions and 12 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -119,6 +119,13 @@
 - Added documentation of config option `registries.crates-io.protocol`.
   [#11350](https://github.com/rust-lang/cargo/pull/11350)
 
+## Cargo 1.66.1 (2023-01-10)
+
+### Fixed
+- [CVE-2022-46176](https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j):
+  Added validation of SSH host keys for git URLs.
+  See [the docs](https://doc.rust-lang.org/cargo/appendix/git-authentication.html#ssh-known-hosts) for more information on how to configure the known host keys.
+
 ## Cargo 1.66 (2022-12-15)
 [08250398...rust-1.66.0](https://github.com/rust-lang/cargo/compare/08250398...rust-1.66.0)
 

diff --git a/Cargo.toml b/Cargo.toml
@@ -16,6 +16,7 @@ name = "cargo"
 path = "src/cargo/lib.rs"
 
 [dependencies]
+base64 = "0.13.1"
 bytesize = "1.0"
 cargo-platform = { path = "crates/cargo-platform", version = "0.1.2" }
 cargo-util = { path = "crates/cargo-util", version = "0.2.3" }
@@ -27,10 +28,11 @@ pretty_env_logger = { version = "0.4", optional = true }
 anyhow = "1.0.47"
 filetime = "0.2.9"
 flate2 = { version = "1.0.3", default-features = false, features = ["zlib"] }
-git2 = "0.15.0"
-git2-curl = "0.16.0"
+git2 = "0.16.0"
+git2-curl = "0.17.0"
 glob = "0.3.0"
 hex = "0.4"
+hmac = "0.12.1"
 home = "0.5"
 http-auth = { version = "0.1.6", default-features = false }
 humantime = "2.0.0"
@@ -42,7 +44,7 @@ jobserver = "0.1.24"
 lazycell = "1.2.0"
 libc = "0.2"
 log = "0.4.6"
-libgit2-sys = "0.14.0"
+libgit2-sys = "0.14.1"
 memchr = "2.1.3"
 opener = "0.5"
 os_info = "3.5.0"
@@ -55,6 +57,7 @@ serde = { version = "1.0.123", features = ["derive"] }
 serde_ignored = "0.1.0"
 serde_json = { version = "1.0.30", features = ["raw_value"] }
 serde-value = "0.7.0"
+sha1 = "0.10.5"
 shell-escape = "0.1.4"
 strip-ansi-escapes = "0.1.0"
 tar = { version = "0.4.38", default-features = false }

diff --git a/crates/cargo-test-support/Cargo.toml b/crates/cargo-test-support/Cargo.toml
@@ -17,7 +17,7 @@ filetime = "0.2"
 flate2 = { version = "1.0", default-features = false, features = ["zlib"] }
 pasetors = { version = "0.6.4", features = ["v3", "paserk", "std", "serde"] }
 time = { version = "0.3", features = ["parsing", "formatting"]}
-git2 = "0.15.0"
+git2 = "0.16.0"
 glob = "0.3"
 itertools = "0.10.0"
 lazy_static = "1.0"