Commit cc119c0
committed
add CVE-2023-38497 blog post
1 parent fed5cae commit cc119c0

File tree

1 file changed

+83
-0
lines changed


posts/2023-08-03-cve-2023-38497.md

Lines changed: 83 additions & 0 deletions
@@ -0,0 +1,83 @@
1+
---
2+
layout: post
3+
title: "Security advisory for Cargo (CVE-2023-38497)"
4+
author: The Rust Security Response WG
5+
---
6+
7+
> This is a cross-post of [the official security advisory][advisory]. The
8+
> official advisory contains a signed version with our PGP key, as well.
9+
10+
[advisory]: TODO
11+
12+
The Rust Security Response WG was notified that Cargo did not respect the umask
13+
when extracting crate archives on UNIX-like systems. If the user downloaded a
14+
crate containing files writeable by any local user, another local user could
15+
exploit this to change the source code compiled and executed by the current
16+
user.
17+
18+
This vulnerability has been assigned CVE-2023-38497.
19+
20+
## Overview
21+
22+
In UNIX-like systems, each file has three sets of permissions: for the user
23+
owning the file, for the group owning the file, and for all other local users.
24+
The "[umask][1]" is configured on most systems to limit those permissions
25+
during file creation, removing dangerous ones. For example, the default umask
26+
on macOS and most Linux distributions only allow the user owning a file to
27+
write to it, preventing the group owning it or other local users from doing the
28+
same.
29+
30+
When a dependency is downloaded by Cargo, its source code has to be extracted
31+
on disk to allow the Rust compiler to read as part of the build. To improve
32+
performance, this extraction only happens the first time a dependency is used,
33+
caching the pre-extracted files for future invocations.
34+
35+
Unfortunately, it was discovered that Cargo did not respect the umask during
36+
extraction, and propagated the permissions stored in the crate archive as-is.
37+
If an archive contained files writeable by any user on the system (and the
38+
system configuration didn't prevent writes through other security measures),
39+
another local user on the system could replace or tweak the source code of a
40+
dependency, potentially achieving code execution the next time the project is
41+
compiled.
42+
43+
## Affected Versions
44+
45+
All Rust versions before 1.71.1 on UNIX-like systems (like macOS and Linux) are
46+
affected. Note that additional system-dependent security measures configured on
47+
the local system might prevent the vulnerability from being exploited.
48+
49+
Users on Windows and other non-UNIX-like systems are not affected.
50+
51+
## Mitigations
52+
53+
We recommend all users to update to Rust 1.71.1, which will be released later
54+
today, as it fixes the vulnerability by respecting the umask when extracting
55+
crate archives. If you build your own toolchain, patches for 1.71.0 source
56+
tarballs are [available here][2].
57+
58+
To prevent existing cached extractions from being exploitable, the Cargo binary
59+
included in Rust 1.71.1 or later will purge the caches it tries to access if
60+
they were generated by older Cargo versions.
61+
62+
If you cannot update to Rust 1.71.1, we recommend configuring your system to
63+
prevent other local users from accessing the Cargo directory, usually located
64+
in `~/.cargo`:
65+
66+
```
67+
chmod go= ~/.cargo
68+
```
69+
70+
## Acknowledgments
71+
72+
We want to thank Addison Crump for responsibly disclosing this to us according
73+
to the [Rust security policy][3].
74+
75+
We also want to thank the members of the Rust project who helped us disclose
76+
the vulnerability: Weihang Lo for developing the fix; Eric Huss for reviewing
77+
the fix; Pietro Albini for writing this advisory; Pietro Albini, Manish
78+
Goregaokar and Josh Stone for coordinating this disclosure; Josh Triplett, Arlo
79+
Siemen, Scott Schafer, and Jacob Finkelman for advising during the disclosure.
80+
81+
[1]: https://en.wikipedia.org/wiki/Umask
82+
[2]: https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2023-38497
83+
[3]: https://www.rust-lang.org/policies/security
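Review bot: the `[advisory]: TODO` reference on line 10 of the new file leaves the cross-post link unresolved, so the rendered post will point nowhere; the real advisory URL needs to go in before this is published. Two wording issues while you are in there: "to allow the Rust compiler to read as part of the build" on line 31 is missing an object ("to read it as part of the build"), and "We recommend all users to update to Rust 1.71.1" on line 53 reads better as "We recommend that all users update to Rust 1.71.1". The `chmod go= ~/.cargo` workaround is a good choice because it removes group/other access on the directory itself, which blocks path traversal into already extracted crates regardless of the permission bits the archives carried; it may be worth saying so explicitly, since readers who cannot upgrade will otherwise wonder whether they also need to fix permissions on the cached files.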
