Debian Patches

Status for cargo/0.66.0+ds1-1

Patch Description Author Forwarded Bugs Origin Last update
2003-workaround-qemu-vfork-command-not-found.patch no
2200-workaround-x32-test.patch yes upstream
2002_disable-net-tests.patch Disable network tests Ximin Luo invalid
disable-fs-specific-test.patch no
0003-tests-add-missing-cross-disabled-checks.patch [PATCH] tests: add missing cross disabled checks
cross_compile::alternate states it should only be used in test cases
after checking cross_compile::disabled(), which is missing here. These
tests fail despite setting CFG_DISABLE_CROSS_TESTS on i386, since both
the host and the alternate cross target would be i686 in that case.
Fabian Grünbichler no 2022-11-19
cve/CVE-2022-46176-01-validate-ssh-host.keys.patch This patch is based on the upstream commit described below, adapted for use
in the Debian package by Peter Michael Green.

commit 1387fd4105b242fa2d24ad99d10a5b1af23f293e

Validate SSH host keys

Eric Huss no 2022-12-07
cve/CVE-2022-46176-02-add-support-for-deserializing-vec-value-string.patch commit 9f62f8440e9e542f27d60c75be38ac51186c6c32

Add support for deserializing Vec<Value<String>> in config.

This adds the ability to track the definition location of a string
in a TOML array.

diff --git a/src/cargo/util/config/ b/src/cargo/util/config/
index 6fddc7e71f..1408f15b57 100644
Eric Huss no 2022-12-09
cve/CVE-2022-46176-03-support-configuring-ssh-known-hosts.patch commit 026bda3fb5eddac0df111ee150706f756558a7b3

Support configuring ssh known-hosts via cargo config.

diff --git a/src/cargo/sources/git/ b/src/cargo/sources/git/
index 875dcf63f3..7efea43c3b 100644
Eric Huss no 2022-12-09
cve/CVE-2022-46176-04-add-some-known-hosts-tests-and-fix-comma-bug.patch commit 302a543ddf3b7621c2f10623862029d35fae7e3c

Add some known_hosts tests.

This also fixes a bug with the host matching when there are comma-separated hosts.

diff --git a/src/cargo/sources/git/ b/src/cargo/sources/git/
index 7efea43c3b..58e64e7913 100644
Eric Huss no 2022-12-12
cve/CVE-2022-46176-05-remove-let-else.patch commit cf716fc3c2b0785013b321f08d6cf9e277f89c84

Remove let-else, just use ? propagation.

Co-authored-by: Weihang Lo <>

diff --git a/src/cargo/sources/git/ b/src/cargo/sources/git/
index 58e64e7913..f272195306 100644
Eric Huss no 2022-12-13
cve/CVE-2022-46176-06-add-test-for-config-value-in-toml-array.patch commit 018403ceaf71e205dbec64698bb864f5e094aec8

Add test for config Value in TOML array.

diff --git a/tests/testsuite/ b/tests/testsuite/
index b1d07bb405..d1487833f7 100644
Eric Huss no 2022-12-14
cve/CVE-2022-46176-07-support-hashed-hostnames.patch This patch is based on the upstream commit described below, adapted for use
in the Debian package by Peter Michael Green.

commit 67ae2dcafea5955824b1f390568a5fa109424987

ssh known_hosts: support hashed hostnames

Eric Huss no 2022-12-28
cve/CVE-2022-46176-08-eliminate-let-else.patch This patch eliminates let-else usage in the code introduced
to fix CVE-2022-46176 as that construct is not stabilised in
the version of rustc currently in Debian.

It was written specifically for Debian by Peter Michael Green.

