The Rust team has published a new point release of Rust, 1.34.2. Rust is a programming language that is empowering everyone to build reliable and efficient software.
If you have a previous version of Rust installed via rustup, getting Rust 1.34.2 is as easy as:
$ rustup update stable
If you don't have it already, you can get rustup from the appropriate page on our website.
What's in 1.34.2 stable
Sean McArthur reported a security vulnerability affecting the standard library that caused the Error::downcast family of methods to perform unsound casts when a manual implementation of the Error::type_id method returned the wrong TypeId, leading to security issues such as out of bounds reads/writes/etc.
The Error::type_id method was recently stabilized as part of Rust 1.34.0. This point release destabilizes it, preventing any code on the stable and beta channels from implementing or using it, awaiting future plans that will be discussed in issue #60784.
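The failure mode described above, modelled as an added example (not code from the Rust project or the advisory). ErrLike, Small, Large, is_trusting and downcast_checked are hypothetical names, and ErrLike is a stand-in trait with an overridable type_id, not std::error::Error itself. It shows a type check being fooled by a wrong override, next to a downcast routed through std::any::Any that the override cannot influence.

```rust
use std::any::{Any, TypeId};

// Hypothetical stand-in for a trait whose `type_id` is a provided method
// that any implementor may override (the situation the release describes).
trait ErrLike: 'static {
    fn type_id(&self) -> TypeId {
        TypeId::of::<Self>()
    }
    // Hook for the hardened path: `Any::type_id` comes from a blanket impl
    // in std, so an implementor of ErrLike cannot replace it.
    fn as_any(&self) -> &dyn Any;
}

struct Small(u8);
#[allow(dead_code)]
struct Large([u64; 8]);

impl ErrLike for Large {
    fn as_any(&self) -> &dyn Any { self }
}

// Constructed misbehaving implementor: reports another type's TypeId.
impl ErrLike for Small {
    fn type_id(&self) -> TypeId { TypeId::of::<Large>() }
    fn as_any(&self) -> &dyn Any { self }
}

// Check that trusts the overridable method. A `true` result here is the
// condition under which a downcast would go on to cast the value to `T`.
fn is_trusting<T: 'static>(e: &dyn ErrLike) -> bool {
    ErrLike::type_id(e) == TypeId::of::<T>()
}

// Hardened form: the answer comes from `Any`, so a wrong override of
// `ErrLike::type_id` has no effect and no `unsafe` is involved.
fn downcast_checked<T: 'static>(e: &dyn ErrLike) -> Option<&T> {
    e.as_any().downcast_ref::<T>()
}

fn main() {
    let liar = Small(7);
    println!("trusting check says Large: {}", is_trusting::<Large>(&liar));
    println!("checked downcast to Large: {}", downcast_checked::<Large>(&liar).is_some());
    println!("checked downcast to Small: {:?}", downcast_checked::<Small>(&liar).map(|s| s.0));
}
```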
An in-depth explanation of this issue was posted in yesterday's security advisory. The assigned CVE for the vulnerability is CVE-2019-12083.