Source: cargo X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security
Hi, The following vulnerability was published for cargo. CVE-2023-40030[0]: | Cargo downloads a Rust project’s dependencies and compiles the | project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not | escape Cargo feature names when including them in the report | generated by `cargo build --timings`. A malicious package included | as a dependency may inject nearly arbitrary HTML here, potentially | leading to cross-site scripting if the report is subsequently | uploaded somewhere. The vulnerability affects users relying on | dependencies from git, local paths, or alternative registries. Users | who solely depend on crates.io are unaffected. Rust 1.60.0 | introduced `cargo build --timings`, which produces a report of how | long the different steps of the build process took. It includes | lists of Cargo features for each crate. Prior to Rust 1.72, Cargo | feature names were allowed to contain almost any characters (with | some exceptions as used by the feature syntax), but it would produce | a future incompatibility warning about them since Rust 1.49. | crates.io is far more stringent about what it considers a valid | feature name and has not allowed such feature names. As the feature | names were included unescaped in the timings report, they could be | used to inject Javascript into the page, for example with a feature | name like `features = ["<img src='' onerror=alert(0)"]`. If this | report were subsequently uploaded to a domain that uses credentials, | the injected Javascript could access resources from the website | visitor. This issue was fixed in Rust 1.72 by turning the future | incompatibility warning into an error. Users should still exercise | care in which package they download, by only including trusted | dependencies in their projects. Please note that even with these | vulnerabilities fixed, by design Cargo allows arbitrary code | execution at build time thanks to build scripts and procedural | macros: a malicious dependency will be able to cause damage | regardless of these vulnerabilities. crates.io has server-side | checks preventing this attack, and there are no packages on | crates.io exploiting these vulnerabilities. crates.io users still | need to excercise care in choosing their dependencies though, as | remote code execution is allowed by design there as well. https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p https://github.com/rust-lang/cargo/pull/12291 https://github.com/rust-lang/cargo/commit/9835622853f08be9a4b58ebe29dcec8f43b64b33 (0.75.0) If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-40030 https://www.cve.org/CVERecord?id=CVE-2023-40030 Please adjust the affected versions in the BTS as needed.
