Rust 1.58.1 fixes dangerous race condition

Vulnerability would allow an attacker to trick a privileged program into deleting files and directories that the attacker otherwise could not access or delete.

This point release arriving January 20, 2022, just days after Rust 1.58, fixes a race condition in the std::fs::remove_dir_all standard library function. This vulnerability is tracked at CVE-2022-21658 and there was an advisory published. An attacker could use this security issue to trick a privileged program into deleting files and directories that the attacker otherwise could not access or delete. Rust versions 1.0 through 1.58 are affected by this vulnerability. Users are advised to update their toolchains and build programs with the updated compiler.

Rust 1.58.1 also addresses several regressions in diagnostics and tools introduced in Rust 1.58:

  • The non_send_fields_in_send_ty Clippy lint was found to have too many false positives and has been moved to the experimental lints group called “nursery”.
  • The useless_format Clippy lint was updated to handle captured identifiers in format strings, introduced in Rust 1.58.
  • A regression in Rustfmt preventing generated files from being formatted when passed through the standard input has been fixed.
  • An incorrect error message displayed by rustc in some cases has been fixed.