[Pkg-rust-maintainers] Bug#1059306: rust-cargo: CVE-2023-40030

[Moritz Mühlenhoff]

Source: rust-cargo
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for rust-cargo.

CVE-2023-40030[0]:
| Cargo downloads a Rust project’s dependencies and compiles the
| project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not
| escape Cargo feature names when including them in the report
| generated by `cargo build --timings`. A malicious package included
| as a dependency may inject nearly arbitrary HTML here, potentially
| leading to cross-site scripting if the report is subsequently
| uploaded somewhere. The vulnerability affects users relying on
| dependencies from git, local paths, or alternative registries. Users
| who solely depend on crates.io are unaffected.  Rust 1.60.0
| introduced `cargo build --timings`, which produces a report of how
| long the different steps of the build process took. It includes
| lists of Cargo features for each crate. Prior to Rust 1.72, Cargo
| feature names were allowed to contain almost any characters (with
| some exceptions as used by the feature syntax), but it would produce
| a future incompatibility warning about them since Rust 1.49.
| crates.io is far more stringent about what it considers a valid
| feature name and has not allowed such feature names. As the feature
| names were included unescaped in the timings report, they could be
| used to inject Javascript into the page, for example with a feature
| name like `features = ["<img src='' onerror=alert(0)"]`. If this
| report were subsequently uploaded to a domain that uses credentials,
| the injected Javascript could access resources from the website
| visitor.  This issue was fixed in Rust 1.72 by turning the future
| incompatibility warning into an error. Users should still exercise
| care in which package they download, by only including trusted
| dependencies in their projects. Please note that even with these
| vulnerabilities fixed, by design Cargo allows arbitrary code
| execution at build time thanks to build scripts and procedural
| macros: a malicious dependency will be able to cause damage
| regardless of these vulnerabilities. crates.io has server-side
| checks preventing this attack, and there are no packages on
| crates.io exploiting these vulnerabilities. crates.io users still
| need to excercise care in choosing their dependencies though, as
| remote code execution is allowed by design there as well.

https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p
https://github.com/rust-lang/cargo/pull/12291
https://github.com/rust-lang/cargo/commit/9835622853f08be9a4b58ebe29dcec8f43b64b33 (0.75.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40030
    https://www.cve.org/CVERecord?id=CVE-2023-40030

Please adjust the affected versions in the BTS as needed.