On Mon Jun 15, 2026 at 3:00 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS 
PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <[email protected]>
>
> This patch applies the upstream fix as referenced in [2], using the commit 
> shown in [1].
>
> [1] 
> https://github.com/rust-lang/cargo/commit/c4d63a44234de22dc745231c416b80ed848d997f
> [2] https://security-tracker.debian.org/tracker/CVE-2026-5222
>
> Signed-off-by: Anil Dongare <[email protected]>
> ---

Hello,

Looks like this CVE impact wrynose. Can you send a fix there, and then,
ping here?

I suspect the same goes to the patch 2/2.

Thanks!

>  .../rust/files/CVE-2026-5222.patch            | 92 +++++++++++++++++++
>  meta/recipes-devtools/rust/rust-source.inc    |  1 +
>  2 files changed, 93 insertions(+)
>  create mode 100644 meta/recipes-devtools/rust/files/CVE-2026-5222.patch
>
> diff --git a/meta/recipes-devtools/rust/files/CVE-2026-5222.patch 
> b/meta/recipes-devtools/rust/files/CVE-2026-5222.patch
> new file mode 100644
> index 0000000000..50ba608c1c
> --- /dev/null
> +++ b/meta/recipes-devtools/rust/files/CVE-2026-5222.patch
> @@ -0,0 +1,92 @@
> +From c4d63a44234de22dc745231c416b80ed848d997f Mon Sep 17 00:00:00 2001
> +From: Arlo Siemsen <[email protected]>
> +Date: Mon, 25 May 2026 09:49:43 +0200
> +Subject: [PATCH] CVE-2026-5222: avoid stripping .git suffix when for non git
> + registries
> +
> +CVE: CVE-2026-5222
> +Upstream-Status: Backport 
> [https://github.com/rust-lang/cargo/commit/c4d63a44234de22dc745231c416b80ed848d997f]
> +
> +(cherry picked from commit c4d63a44234de22dc745231c416b80ed848d997f)
> +Signed-off-by: Anil Dongare <[email protected]>
> +---
> + src/tools/cargo/src/cargo/sources/git/source.rs |  7 +++++++
> + src/tools/cargo/src/cargo/util/canonical_url.rs | 44 
> +++++++++++++------------
> + 2 files changed, 31 insertions(+), 20 deletions(-)
> +
> +diff --git a/src/tools/cargo/src/cargo/sources/git/source.rs 
> b/src/tools/cargo/src/cargo/sources/git/source.rs
> +index a75c1ec..1c8dbc8 100644
> +--- a/src/tools/cargo/src/cargo/sources/git/source.rs
> ++++ b/src/tools/cargo/src/cargo/sources/git/source.rs
> +@@ -377,6 +377,13 @@ mod test {
> +         assert_eq!(ident1, ident2);
> +     }
> + 
> ++    #[test]
> ++    fn test_canonicalize_idents_does_not_strip_dot_git_for_sparse() {
> ++        let ident1 = ident(&src("sparse+https://crates.io/fake-registry";));
> ++        let ident2 = 
> ident(&src("sparse+https://crates.io/fake-registry.git";));
> ++        assert_ne!(ident1, ident2);
> ++    }
> ++
> +     fn src(s: &str) -> SourceId {
> +         SourceId::for_git(&s.into_url().unwrap(), 
> GitReference::DefaultBranch).unwrap()
> +     }
> +diff --git a/src/tools/cargo/src/cargo/util/canonical_url.rs 
> b/src/tools/cargo/src/cargo/util/canonical_url.rs
> +index 7516e03..2716d2d 100644
> +--- a/src/tools/cargo/src/cargo/util/canonical_url.rs
> ++++ b/src/tools/cargo/src/cargo/util/canonical_url.rs
> +@@ -33,27 +33,31 @@ impl CanonicalUrl {
> +             url.path_segments_mut().unwrap().pop_if_empty();
> +         }
> + 
> +-        // For GitHub URLs specifically, just lower-case everything. GitHub
> +-        // treats both the same, but they hash differently, and we're gonna 
> be
> +-        // hashing them. This wants a more general solution, and also we're
> +-        // almost certainly not using the same case conversion rules that 
> GitHub
> +-        // does. (See issue #84)
> +-        if url.host_str() == Some("github.com") {
> +-            url = format!("https{}", &url[url::Position::AfterScheme..])
> +-                .parse()
> +-                .unwrap();
> +-            let path = url.path().to_lowercase();
> +-            url.set_path(&path);
> +-        }
> ++        // Perform further canonicalization specific to git registries, 
> which
> ++        // do not contain a `+` specifier.
> ++        if !url.scheme().contains('+') {
> ++            // For GitHub URLs specifically, just lower-case everything. 
> GitHub
> ++            // treats both the same, but they hash differently, and we're 
> gonna be
> ++            // hashing them. This wants a more general solution, and also 
> we're
> ++            // almost certainly not using the same case conversion rules 
> that GitHub
> ++            // does. (See issue #84)
> ++            if url.host_str() == Some("github.com") {
> ++                url = format!("https{}", &url[url::Position::AfterScheme..])
> ++                    .parse()
> ++                    .unwrap();
> ++                let path = url.path().to_lowercase();
> ++                url.set_path(&path);
> ++            }
> + 
> +-        // Repos can generally be accessed with or without `.git` extension.
> +-        let needs_chopping = url.path().ends_with(".git");
> +-        if needs_chopping {
> +-            let last = {
> +-                let last = 
> url.path_segments().unwrap().next_back().unwrap();
> +-                last[..last.len() - 4].to_owned()
> +-            };
> +-            url.path_segments_mut().unwrap().pop().push(&last);
> ++            // Repos can generally be accessed with or without `.git` 
> extension.
> ++            let needs_chopping = url.path().ends_with(".git");
> ++            if needs_chopping {
> ++                let last = {
> ++                    let last = 
> url.path_segments().unwrap().next_back().unwrap();
> ++                    last[..last.len() - 4].to_owned()
> ++                };
> ++                url.path_segments_mut().unwrap().pop().push(&last);
> ++            }
> +         }
> + 
> +         Ok(CanonicalUrl(url))
> +-- 
> +2.44.4
> diff --git a/meta/recipes-devtools/rust/rust-source.inc 
> b/meta/recipes-devtools/rust/rust-source.inc
> index 5b433ceae7..963b5debcd 100644
> --- a/meta/recipes-devtools/rust/rust-source.inc
> +++ b/meta/recipes-devtools/rust/rust-source.inc
> @@ -13,6 +13,7 @@ SRC_URI += 
> "https://static.rust-lang.org/dist/rustc-${RUST_VERSION}-src.tar.xz;n
>              
> file://0001-Handle-vendored-sources-when-remapping-paths.patch;patchdir=${RUSTSRC}
>  \
>              file://repro-issue-fix-with-v175.patch;patchdir=${RUSTSRC} \
>              
> file://0001-cargo-do-not-write-host-information-into-compilation.patch;patchdir=${RUSTSRC}
>  \
> +            file://CVE-2026-5222.patch;patchdir=${RUSTSRC} \
>  "
>  SRC_URI[rust.sha256sum] = 
> "4526f786d673e4859ff2afa0bab2ba13c918b796519a25c1acce06dba9542340"
>  


-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239307): 
https://lists.openembedded.org/g/openembedded-core/message/239307
Mute This Topic: https://lists.openembedded.org/mt/119814866/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

  • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Yoann Congal via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
      • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org

Reply via email to