Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[nightly] Fix CVE-2024-43402 #129962

Merged
merged 1 commit into from
Sep 4, 2024
Merged

[nightly] Fix CVE-2024-43402 #129962

merged 1 commit into from
Sep 4, 2024

Conversation

pietroalbini
Copy link
Member

Include the for CVE-2024-43402 in nightly. See GHSA-2xg3-7mm6-98jj for more information about it.

r? @ghost

@rustbot rustbot added O-windows Operating system: Windows S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Sep 4, 2024
@pietroalbini
Copy link
Member Author

@bors r=Amanieu p=500 rollup=never

@bors
Copy link
Collaborator

bors commented Sep 4, 2024

📌 Commit c811d31 has been approved by Amanieu

It is now in the queue for this repository.

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Sep 4, 2024
@bors
Copy link
Collaborator

bors commented Sep 4, 2024

⌛ Testing commit c811d31 with merge 4ac7bcb...

@bors
Copy link
Collaborator

bors commented Sep 4, 2024

☀️ Test successful - checks-actions
Approved by: Amanieu
Pushing 4ac7bcb to master...

@bors bors added the merged-by-bors This PR was explicitly merged by bors. label Sep 4, 2024
@bors bors merged commit 4ac7bcb into rust-lang:master Sep 4, 2024
7 checks passed
@rustbot rustbot added this to the 1.83.0 milestone Sep 4, 2024
@bors bors mentioned this pull request Sep 4, 2024
Closed
@pietroalbini pietroalbini deleted the pa-cve-2024-43402-nightly branch September 4, 2024 21:44
@rust-timer
Copy link
Collaborator

Finished benchmarking commit (4ac7bcb): comparison URL.

Overall result: ✅ improvements - no action needed

@rustbot label: -perf-regression

Instruction count

This is a highly reliable metric that was used to determine the overall result at the top of this comment.

mean range count
Regressions ❌
(primary)		 - - 0
Regressions ❌
(secondary)		 - - 0
Improvements ✅
(primary)		 - - 0
Improvements ✅
(secondary)		 -5.0% [-5.0%, -5.0%] 1
All ❌✅ (primary) - - 0

Max RSS (memory usage)

Results (secondary -2.7%)

This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.

mean range count
Regressions ❌
(primary)		 - - 0
Regressions ❌
(secondary)		 - - 0
Improvements ✅
(primary)		 - - 0
Improvements ✅
(secondary)		 -2.7% [-2.9%, -2.6%] 2
All ❌✅ (primary) - - 0

Cycles

This benchmark run did not return any relevant results for this metric.

Binary size

Results (secondary -0.1%)

This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.

mean range count
Regressions ❌
(primary)		 - - 0
Regressions ❌
(secondary)		 - - 0
Improvements ✅
(primary)		 - - 0
Improvements ✅
(secondary)		 -0.1% [-0.1%, -0.1%] 1
All ❌✅ (primary) - - 0

Bootstrap: 751.345s -> 751.188s (-0.02%)
Artifact size: 340.69 MiB -> 340.71 MiB (0.01%)

@tgross35 tgross35 mentioned this pull request Sep 4, 2024
Merged
squeek502 added a commit to squeek502/zig that referenced this pull request Mar 26, 2025
@squeek502
Add test to ensure the BatBadBut mitigation handles trailing . and …
832f597 
…space safely

Context:
- https://blog.rust-lang.org/2024/09/04/cve-2024-43402.html
- rust-lang/rust#129962

Note that the Rust test case for this checks that it executes the batch file successfully with the proper mitigation in place, while the Zig test case expects a FileNotFound error. This is because of a PATHEXT optimization that Zig does, and that Rust doesn't do because Rust doesn't do PATHEXT appending (it only appends .exe specifically). See the added comment for more details.
@squeek502 squeek502 mentioned this pull request Mar 26, 2025
Merged
alexrp pushed a commit to ziglang/zig that referenced this pull request Mar 26, 2025
@squeek502 @alexrp
Add test to ensure the BatBadBut mitigation handles trailing . and …
63014d3 
…space safely

Context:
- https://blog.rust-lang.org/2024/09/04/cve-2024-43402.html
- rust-lang/rust#129962

Note that the Rust test case for this checks that it executes the batch file successfully with the proper mitigation in place, while the Zig test case expects a FileNotFound error. This is because of a PATHEXT optimization that Zig does, and that Rust doesn't do because Rust doesn't do PATHEXT appending (it only appends .exe specifically). See the added comment for more details.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
merged-by-bors This PR was explicitly merged by bors. O-windows Operating system: Windows S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-libs Relevant to the library team, which will review and decide on the PR/issue.
Projects
None yet
Milestone
1.83.0
Development

Successfully merging this pull request may close these issues.
5 participants
@pietroalbini @bors @rust-timer @rustbot @ChrisDenton