Source: cargo
Version: 0.66.0+ds1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: clone -1 -2
Control: reassign -2 src:rust-cargo 0.66.0-4
Control: retitle -2 rust-cargo: CVE-2023-38497
Hi,

The following vulnerability was published for cargo.

CVE-2023-38497[0]:
| Cargo downloads the Rust project’s dependencies and compiles the
| project. Cargo prior to version 0.72.2, bundled with Rust prior to
| version 1.71.1, did not respect the umask when extracting crate
| archives on UNIX-like systems. If the user downloaded a crate
| containing files writeable by any local user, another local user
| could exploit this to change the source code compiled and executed
| by the current user. To prevent existing cached extractions from
| being exploitable, the Cargo binary version 0.72.2 included in Rust
| 1.71.1 or later will purge caches generated by older Cargo versions
| automatically. As a workaround, configure one's system to prevent
| other local users from accessing the Cargo directory, usually
| located in `~/.cargo`.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38497
    https://www.cve.org/CVERecord?id=CVE-2023-38497
[1] https://www.openwall.com/lists/oss-security/2023/08/03/2
[2] https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2023-38497
[3] https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
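As an added example (not part of the bug report and not cargo's own code), a POSIX shell script that audits a Cargo home for the condition the advisory describes, extracted crate files or directories that other local users can write to, and can strip those bits the way an honoured umask of 022 would have. It assumes the cache lives under CARGO_HOME, defaulting to ~/.cargo; the directory tree in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or from cargo itself.
# Audits a Cargo home for extracted crate files that other local users can
# modify, which is the exposure CVE-2023-38497 describes: archives extracted
# without the umask applied can leave group- or world-writable sources that
# cargo later compiles and runs as the current user.
# Assumption: the cache lives under $CARGO_HOME, defaulting to ~/.cargo.

cargo_home() {
    printf '%s\n' "${CARGO_HOME:-$HOME/.cargo}"
}

# Print every regular file or directory under $1 (default: the Cargo home)
# whose mode has the group or the other write bit set. Symlinks are skipped.
find_loose_perms() {
    dir="${1:-$(cargo_home)}"
    [ -d "$dir" ] || return 0
    find "$dir" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Number of such paths; 0 means nothing in the cache is writable by others.
count_loose_perms() {
    find_loose_perms "$1" | wc -l | tr -d ' '
}

# Remove the group/other write bits, which is what a respected umask of 022
# would have produced at extraction time. Ownership is left untouched.
fix_loose_perms() {
    dir="${1:-$(cargo_home)}"
    [ -d "$dir" ] || return 0
    find "$dir" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        -exec chmod go-w {} +
}

# Command-line use: ./cargo-cache-perms.sh --audit   or   --fix
case "${1:-}" in
    --audit) echo "$(count_loose_perms) path(s) writable by other users under $(cargo_home)" ;;
    --fix)   fix_loose_perms ;;
esac
```

Purging the cache with a fixed cargo (0.72.2 / Rust 1.71.1 or later) remains the complete remedy; this check only tells you whether an older cache is currently exposed.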