Source: rust-cargo
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for rust-cargo.

CVE-2022-36113[0]:
| Cargo is a package manager for the rust programming language. After a
| package is downloaded, Cargo extracts its source code in the ~/.cargo
| folder on disk, making it available to the Rust projects it builds. To
| record when an extraction is successful, Cargo writes "ok" to the
| .cargo-ok file at the root of the extracted source code once it
| extracted all the files. It was discovered that Cargo allowed packages
| to contain a .cargo-ok symbolic link, which Cargo would extract. Then,
| when Cargo attempted to write "ok" into .cargo-ok, it would actually
| replace the first two bytes of the file the symlink pointed to with
| ok. This would allow an attacker to corrupt one file on the machine
| using Cargo to extract the package. Note that by design Cargo allows
| code execution at build time, due to build scripts and procedural
| macros. The vulnerabilities in this advisory allow performing a subset
| of the possible damage in a harder to track down way. Your
| dependencies must still be trusted if you want to be protected from
| attacks, as it's possible to perform the same attacks with build
| scripts and procedural macros. The vulnerability is present in all
| versions of Cargo. Rust 1.64, to be released on September 22nd, will
| include a fix for it. Since the vulnerability is just a more limited
| way to accomplish what malicious build scripts or procedural macros
| can do, we decided not to publish Rust point releases backporting the
| security fix. Patch files for Rust 1.63.0 are available in the
| wg-security-response repository for people building their own
| toolchain.
|
| Mitigations
|
| We recommend users of alternate registries to exercise care in which
| package they download, by only including trusted dependencies in their
| projects.
|
| Please note that even with these vulnerabilities fixed, by design Cargo
| allows arbitrary code execution at build time thanks to build scripts
| and procedural macros: a malicious dependency will be able to cause
| damage regardless of these vulnerabilities. crates.io implemented
| server-side checks to reject these kinds of packages years ago, and
| there are no packages on crates.io exploiting these vulnerabilities.
| crates.io users still need to exercise care in choosing their
| dependencies though, as remote code execution is allowed by design
| there as well.

https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j
https://github.com/rust-lang/cargo/commit/97b80919e404b0768ea31ae329c3b4da54bed05a

CVE-2022-36114[1]:
| Cargo is a package manager for the rust programming language. It was
| discovered that Cargo did not limit the amount of data extracted from
| compressed archives. An attacker could upload to an alternate registry
| a specially crafted package that extracts way more data than its size
| (also known as a "zip bomb"), exhausting the disk space on the machine
| using Cargo to download the package. Note that by design Cargo allows
| code execution at build time, due to build scripts and procedural
| macros. The vulnerabilities in this advisory allow performing a subset
| of the possible damage in a harder to track down way. Your
| dependencies must still be trusted if you want to be protected from
| attacks, as it's possible to perform the same attacks with build
| scripts and procedural macros. The vulnerability is present in all
| versions of Cargo. Rust 1.64, to be released on September 22nd, will
| include a fix for it. Since the vulnerability is just a more limited
| way to accomplish what malicious build scripts or procedural macros
| can do, we decided not to publish Rust point releases backporting the
| security fix. Patch files for Rust 1.63.0 are available in the
| wg-security-response repository for people building their own
| toolchain.
|
| We recommend users of alternate registries to exercise care in which
| package they download, by only including trusted dependencies in their
| projects. Please note that even with these vulnerabilities fixed, by
| design Cargo allows arbitrary code execution at build time thanks to
| build scripts and procedural macros: a malicious dependency will be
| able to cause damage regardless of these vulnerabilities. crates.io
| implemented server-side checks to reject these kinds of packages years
| ago, and there are no packages on crates.io exploiting these
| vulnerabilities. crates.io users still need to exercise care in
| choosing their dependencies though, as the same concerns about build
| scripts and procedural macros apply here.

https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp
https://github.com/rust-lang/cargo/commit/d1f9553c825f6d7481453be8d58d0e7f117988a7

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-36113
    https://www.cve.org/CVERecord?id=CVE-2022-36113
[1] https://security-tracker.debian.org/tracker/CVE-2022-36114
    https://www.cve.org/CVERecord?id=CVE-2022-36114

Please adjust the affected versions in the BTS as needed.
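As an added illustration (not Cargo's code nor part of this report), the following Python models the two checks the advisories call for when a crate archive is unpacked: refusing any shipped `.cargo-ok` entry, so that the "ok" write can never be redirected through a symlink, and capping the decompressed byte count so a zip bomb is cut off before it fills the disk. `MAX_UNPACKED`, the helper names and the sample archives are constructed for this example; Cargo's real limit and code paths differ.

```python
import gzip
import io
import tarfile

CARGO_OK = ".cargo-ok"      # marker Cargo writes after a successful extraction
MAX_UNPACKED = 1024 * 1024  # constructed cap for this example; Cargo's real limit differs

class SizeLimitExceeded(Exception):
    """More decompressed data came out of the archive than the cap allows."""

class LimitedReader:
    """Counts decompressed bytes handed to the tar parser; fails once `limit` is passed."""

    def __init__(self, inner, limit):
        self.inner, self.limit, self.seen = inner, limit, 0

    def read(self, n=-1):
        chunk = self.inner.read(n)
        self.seen += len(chunk)
        if self.seen > self.limit:
            raise SizeLimitExceeded(f"decompressed data exceeds {self.limit} bytes")
        return chunk

def build_package(entries):
    """Build a .crate-style tar.gz in memory from (path, symlink_target, data) tuples (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, target, data in entries:
            info = tarfile.TarInfo(path)
            if target is not None:  # symlink entry: no payload, only a link target
                info.type, info.linkname = tarfile.SYMTYPE, target
                tar.addfile(info)
            else:  # regular file with payload
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def check_package(crate_bytes, max_unpacked=MAX_UNPACKED):
    """Return (accepted, reason) after inspecting the archive; nothing is written to disk."""
    limited = LimitedReader(gzip.GzipFile(fileobj=io.BytesIO(crate_bytes)), max_unpacked)
    try:
        # "r|" is streaming mode, so every decompressed byte flows through LimitedReader
        with tarfile.open(fileobj=limited, mode="r|") as tar:
            for member in tar:
                # CVE-2022-36113: a shipped .cargo-ok (symlink or not) would redirect the "ok" write
                if member.name.split("/")[-1] == CARGO_OK:
                    return False, f"package ships a {CARGO_OK} entry: {member.name}"
    except SizeLimitExceeded as exc:
        return False, str(exc)  # CVE-2022-36114: a zip bomb is cut off at the cap
    return True, "ok"
```

Feeding `check_package` the bytes of a downloaded `.crate` file before extraction rejects both malformed shapes without touching the filesystem.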