add CVE-2023-38497 blog post

pietroalbini · pietroalbini · commit cc119c08473c · 2023-08-03T10:10:30.000+02:00
diff --git a/posts/2023-08-03-cve-2023-38497.md b/posts/2023-08-03-cve-2023-38497.md
@@ -0,0 +1,83 @@
+---
+layout: post
+title: "Security advisory for Cargo (CVE-2023-38497)"
+author: The Rust Security Response WG
+---
+
+> This is a cross-post of [the official security advisory][advisory]. The
+> official advisory contains a signed version with our PGP key, as well.
+
+[advisory]: TODO
+
+The Rust Security Response WG was notified that Cargo did not respect the umask
+when extracting crate archives on UNIX-like systems. If the user downloaded a
+crate containing files writeable by any local user, another local user could
+exploit this to change the source code compiled and executed by the current
+user.
+
+This vulnerability has been assigned CVE-2023-38497.
+
+## Overview
+
+In UNIX-like systems, each file has three sets of permissions: for the user
+owning the file, for the group owning the file, and for all other local users.
+The "[umask][1]" is configured on most systems to limit those permissions
+during file creation, removing dangerous ones. For example, the default umask
+on macOS and most Linux distributions only allow the user owning a file to
+write to it, preventing the group owning it or other local users from doing the
+same.
+
+When a dependency is downloaded by Cargo, its source code has to be extracted
+on disk to allow the Rust compiler to read as part of the build. To improve
+performance, this extraction only happens the first time a dependency is used,
+caching the pre-extracted files for future invocations.
+
+Unfortunately, it was discovered that Cargo did not respect the umask during
+extraction, and propagated the permissions stored in the crate archive as-is.
+If an archive contained files writeable by any user on the system (and the
+system configuration didn't prevent writes through other security measures),
+another local user on the system could replace or tweak the source code of a
+dependency, potentially achieving code execution the next time the project is
+compiled.
+
+## Affected Versions
+
+All Rust versions before 1.71.1 on UNIX-like systems (like macOS and Linux) are
+affected. Note that additional system-dependent security measures configured on
+the local system might prevent the vulnerability from being exploited.
+
+Users on Windows and other non-UNIX-like systems are not affected.
+
+## Mitigations
+
+We recommend all users to update to Rust 1.71.1, which will be released later
+today, as it fixes the vulnerability by respecting the umask when extracting
+crate archives. If you build your own toolchain, patches for 1.71.0 source
+tarballs are [available here][2].
+
+To prevent existing cached extractions from being exploitable, the Cargo binary
+included in Rust 1.71.1 or later will purge the caches it tries to access if
+they were generated by older Cargo versions.
+
+If you cannot update to Rust 1.71.1, we recommend configuring your system to
+prevent other local users from accessing the Cargo directory, usually located
+in `~/.cargo`:
+
+```
+chmod go= ~/.cargo
+```
+
+## Acknowledgments
+
+We want to thank Addison Crump for responsibly disclosing this to us according
+to the [Rust security policy][3].
+
+We also want to thank the members of the Rust project who helped us disclose
+the vulnerability: Weihang Lo for developing the fix; Eric Huss for reviewing
+the fix; Pietro Albini for writing this advisory; Pietro Albini, Manish
+Goregaokar and Josh Stone for coordinating this disclosure; Josh Triplett, Arlo
+Siemen, Scott Schafer, and Jacob Finkelman for advising during the disclosure.
+
+[1]: https://en.wikipedia.org/wiki/Umask
+[2]: https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2023-38497
+[3]: https://www.rust-lang.org/policies/security
