[Pkg-rust-maintainers] Bug#1021143: rust-cargo: CVE-2022-36113 CVE-2022-36114

Sun Oct 2 19:14:52 BST 2022

Source: rust-cargo
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for rust-cargo.

CVE-2022-36113[0]:
| Cargo is a package manager for the rust programming language. After a
| package is downloaded, Cargo extracts its source code in the ~/.cargo
| folder on disk, making it available to the Rust projects it builds. To
| record when an extraction is successful, Cargo writes "ok" to the
| .cargo-ok file at the root of the extracted source code once it
| extracted all the files. It was discovered that Cargo allowed packages
| to contain a .cargo-ok symbolic link, which Cargo would extract. Then,
| when Cargo attempted to write "ok" into .cargo-ok, it would actually
| replace the first two bytes of the file the symlink pointed to with
| ok. This would allow an attacker to corrupt one file on the machine
| using Cargo to extract the package. Note that by design Cargo allows
| code execution at build time, due to build scripts and procedural
| macros. The vulnerabilities in this advisory allow performing a subset
| of the possible damage in a harder to track down way. Your
| dependencies must still be trusted if you want to be protected from
| attacks, as it's possible to perform the same attacks with build
| scripts and procedural macros. The vulnerability is present in all
| versions of Cargo. Rust 1.64, to be released on September 22nd, will
| include a fix for it. Since the vulnerability is just a more limited
| way to accomplish what a malicious build scripts or procedural macros
| can do, we decided not to publish Rust point releases backporting the
| security fix. Patch files are available for Rust 1.63.0 are available
| in the wg-security-response repository for people building their own
| toolchain. Mitigations We recommend users of alternate registries to
| exercise care in which package they download, by only including
| trusted dependencies in their projects. Please note that even with
| these vulnerabilities fixed, by design Cargo allows arbitrary code
| execution at build time thanks to build scripts and procedural macros:
| a malicious dependency will be able to cause damage regardless of
| these vulnerabilities. crates.io implemented server-side checks to
| reject these kinds of packages years ago, and there are no packages on
| crates.io exploiting these vulnerabilities. crates.io users still need
| to exercise care in choosing their dependencies though, as remote code
| execution is allowed by design there as well.

https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j
https://github.com/rust-lang/cargo/commit/97b80919e404b0768ea31ae329c3b4da54bed05a

CVE-2022-36114[1]:
| Cargo is a package manager for the rust programming language. It was
| discovered that Cargo did not limit the amount of data extracted from
| compressed archives. An attacker could upload to an alternate registry
| a specially crafted package that extracts way more data than its size
| (also known as a "zip bomb"), exhausting the disk space on the machine
| using Cargo to download the package. Note that by design Cargo allows
| code execution at build time, due to build scripts and procedural
| macros. The vulnerabilities in this advisory allow performing a subset
| of the possible damage in a harder to track down way. Your
| dependencies must still be trusted if you want to be protected from
| attacks, as it's possible to perform the same attacks with build
| scripts and procedural macros. The vulnerability is present in all
| versions of Cargo. Rust 1.64, to be released on September 22nd, will
| include a fix for it. Since the vulnerability is just a more limited
| way to accomplish what a malicious build scripts or procedural macros
| can do, we decided not to publish Rust point releases backporting the
| security fix. Patch files are available for Rust 1.63.0 are available
| in the wg-security-response repository for people building their own
| toolchain. We recommend users of alternate registries to excercise
| care in which package they download, by only including trusted
| dependencies in their projects. Please note that even with these
| vulnerabilities fixed, by design Cargo allows arbitrary code execution
| at build time thanks to build scripts and procedural macros: a
| malicious dependency will be able to cause damage regardless of these
| vulnerabilities. crates.io implemented server-side checks to reject
| these kinds of packages years ago, and there are no packages on
| crates.io exploiting these vulnerabilities. crates.io users still need
| to excercise care in choosing their dependencies though, as the same
| concerns about build scripts and procedural macros apply here.

https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp
https://github.com/rust-lang/cargo/commit/d1f9553c825f6d7481453be8d58d0e7f117988a7

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-36113
    https://www.cve.org/CVERecord?id=CVE-2022-36113
[1] https://security-tracker.debian.org/tracker/CVE-2022-36114
    https://www.cve.org/CVERecord?id=CVE-2022-36114

Please adjust the affected versions in the BTS as needed.