[Pkg-rust-maintainers] Bug#1043553: cargo: CVE-2023-38497

Salvatore Bonaccorso carnil at debian.org
Sat Aug 12 22:11:04 BST 2023


Source: cargo
Version: 0.66.0+ds1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: clone -1 -2
Control: reassign -2 src:rust-cargo 0.66.0-4
Control: retitle -2 rust-cargo: CVE-2023-38497

Hi,

The following vulnerability was published for cargo.

CVE-2023-38497[0]:
| Cargo downloads the Rust project’s dependencies and compiles the
| project. Cargo prior to version 0.72.2, bundled with Rust prior to
| version 1.71.1, did not respect the umask when extracting crate
| archives on UNIX-like systems. If the user downloaded a crate
| containing files writeable by any local user, another local user
| could exploit this to change the source code compiled and executed
| by the current user. To prevent existing cached extractions from
| being exploitable, the Cargo binary version 0.72.2 included in Rust
| 1.71.1 or later will purge caches generated by older Cargo versions
| automatically. As a workaround, configure one's system to prevent
| other local users from accessing the Cargo directory, usually
| located in `~/.cargo`.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38497
    https://www.cve.org/CVERecord?id=CVE-2023-38497
[1] https://www.openwall.com/lists/oss-security/2023/08/03/2
[2] https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2023-38497
[3] https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
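As an added example (not Debian's or Cargo's own code), the audit a local administrator might run given the advisory's workaround: walk an extraction directory such as `~/.cargo/registry/src`, report every file or directory that other local users could write to, and show the umask-applied mode a fixed extractor sets. The sample tree, the file names `lib.rs` and `build.rs`, and the umask value 0o022 are constructed assumptions.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};

/// Mode bits that grant write access to the group or to others.
pub const GROUP_OR_OTHER_WRITE: u32 = 0o022;

/// Mode a umask-respecting extractor gives an archive entry: its permission
/// bits with the process umask cleared (0o666 under umask 0o022 -> 0o644).
pub fn umask_applied_mode(archive_mode: u32, umask: u32) -> u32 {
    (archive_mode & 0o7777) & !umask
}

/// Walk `root` (e.g. `~/.cargo/registry/src`) and return every file or
/// directory another local user could write to. Symlinks are not followed.
pub fn find_shared_writable(root: &Path) -> io::Result<Vec<PathBuf>> {
    let mut hits = Vec::new();
    for entry in fs::read_dir(root)? {
        let path = entry?.path();
        let meta = fs::symlink_metadata(&path)?;
        if meta.file_type().is_symlink() {
            continue;
        }
        if meta.is_dir() {
            hits.extend(find_shared_writable(&path)?);
        }
        if meta.permissions().mode() & GROUP_OR_OTHER_WRITE != 0 {
            hits.push(path);
        }
    }
    hits.sort();
    Ok(hits)
}

/// Constructed sample tree (assumption): `lib.rs` left world-writable, as a
/// pre-0.72.2 extraction could leave it, and `build.rs` with umask 0o022 applied.
pub fn demo() -> io::Result<Vec<PathBuf>> {
    let dir = std::env::temp_dir().join(format!("cargo-umask-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    fs::set_permissions(&dir, fs::Permissions::from_mode(0o755))?;
    let (bad, good) = (dir.join("lib.rs"), dir.join("build.rs"));
    fs::write(&bad, "// constructed sample\n")?;
    fs::write(&good, "// constructed sample\n")?;
    fs::set_permissions(&bad, fs::Permissions::from_mode(0o666))?;
    fs::set_permissions(&good, fs::Permissions::from_mode(umask_applied_mode(0o666, 0o022)))?;
    let hits = find_shared_writable(&dir)?;
    fs::remove_dir_all(&dir)?;
    Ok(hits)
}
```

Only `lib.rs` is reported; a clean tree extracted by Cargo 0.72.2 or later under a 0o022 umask yields an empty list.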

