| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "Security advisory for Cargo (CVE-2023-38497)" |
| 4 | +author: The Rust Security Response WG |
| 5 | +--- |
| 6 | + |
| 7 | +> This is a cross-post of [the official security advisory][advisory]. The |
| 8 | +> official advisory contains a signed version with our PGP key, as well. |
| 9 | +
|
| 10 | +[advisory]: TODO |
| 11 | + |
| 12 | +The Rust Security Response WG was notified that Cargo did not respect the umask |
| 13 | +when extracting crate archives on UNIX-like systems. If the user downloaded a |
| 14 | +crate containing files writeable by any local user, another local user could |
| 15 | +exploit this to change the source code compiled and executed by the current |
| 16 | +user. |
| 17 | + |
| 18 | +This vulnerability has been assigned CVE-2023-38497. |
| 19 | + |
| 20 | +## Overview |
| 21 | + |
| 22 | +In UNIX-like systems, each file has three sets of permissions: for the user |
| 23 | +owning the file, for the group owning the file, and for all other local users. |
| 24 | +The "[umask][1]" is configured on most systems to limit those permissions |
| 25 | +during file creation, removing dangerous ones. For example, the default umask |
| 26 | +on macOS and most Linux distributions only allow the user owning a file to |
| 27 | +write to it, preventing the group owning it or other local users from doing the |
| 28 | +same. |
| 29 | + |
| 30 | +When a dependency is downloaded by Cargo, its source code has to be extracted |
| 31 | +on disk to allow the Rust compiler to read as part of the build. To improve |
| 32 | +performance, this extraction only happens the first time a dependency is used, |
| 33 | +caching the pre-extracted files for future invocations. |
| 34 | + |
| 35 | +Unfortunately, it was discovered that Cargo did not respect the umask during |
| 36 | +extraction, and propagated the permissions stored in the crate archive as-is. |
| 37 | +If an archive contained files writeable by any user on the system (and the |
| 38 | +system configuration didn't prevent writes through other security measures), |
| 39 | +another local user on the system could replace or tweak the source code of a |
| 40 | +dependency, potentially achieving code execution the next time the project is |
| 41 | +compiled. |
| 42 | + |
| 43 | +## Affected Versions |
| 44 | + |
| 45 | +All Rust versions before 1.71.1 on UNIX-like systems (like macOS and Linux) are |
| 46 | +affected. Note that additional system-dependent security measures configured on |
| 47 | +the local system might prevent the vulnerability from being exploited. |
| 48 | + |
| 49 | +Users on Windows and other non-UNIX-like systems are not affected. |
| 50 | + |
| 51 | +## Mitigations |
| 52 | + |
| 53 | +We recommend all users to update to Rust 1.71.1, which will be released later |
| 54 | +today, as it fixes the vulnerability by respecting the umask when extracting |
| 55 | +crate archives. If you build your own toolchain, patches for 1.71.0 source |
| 56 | +tarballs are [available here][2]. |
| 57 | + |
| 58 | +To prevent existing cached extractions from being exploitable, the Cargo binary |
| 59 | +included in Rust 1.71.1 or later will purge the caches it tries to access if |
| 60 | +they were generated by older Cargo versions. |
| 61 | + |
| 62 | +If you cannot update to Rust 1.71.1, we recommend configuring your system to |
| 63 | +prevent other local users from accessing the Cargo directory, usually located |
| 64 | +in `~/.cargo`: |
| 65 | + |
| 66 | +``` |
| 67 | +chmod go= ~/.cargo |
| 68 | +``` |
| 69 | + |
| 70 | +## Acknowledgments |
| 71 | + |
| 72 | +We want to thank Addison Crump for responsibly disclosing this to us according |
| 73 | +to the [Rust security policy][3]. |
| 74 | + |
| 75 | +We also want to thank the members of the Rust project who helped us disclose |
| 76 | +the vulnerability: Weihang Lo for developing the fix; Eric Huss for reviewing |
| 77 | +the fix; Pietro Albini for writing this advisory; Pietro Albini, Manish |
| 78 | +Goregaokar and Josh Stone for coordinating this disclosure; Josh Triplett, Arlo |
| 79 | +Siemen, Scott Schafer, and Jacob Finkelman for advising during the disclosure. |
| 80 | + |
| 81 | +[1]: https://en.wikipedia.org/wiki/Umask |
| 82 | +[2]: https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2023-38497 |
| 83 | +[3]: https://www.rust-lang.org/policies/security |
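Review bot: the `[advisory]: TODO` link definition (file line 10) is a placeholder that the cross-post blockquote at file lines 7-8 links to, so the post will ship with a broken "official security advisory" link unless the real URL is filled in before merging. Two smaller wording fixes in the same hunk: file line 26 should read "only allows the user owning a file", file line 31 "to read it as part of the build", and file line 53 "We recommend that all users update to Rust 1.71.1". On the workaround in file lines 62-68, it would help readers to state why it works: `chmod go= ~/.cargo` removes every group/other permission on the directory, so other local users cannot traverse into it regardless of the modes of the files already extracted beneath it; users whose Cargo home is not at `~/.cargo` (the text says "usually located") need to apply the same command to that directory instead. The command does not fix the modes of files already extracted, which is what the cache purge described for 1.71.1 handles, and saying so explicitly would avoid the impression that running `chmod` once makes a later update unnecessary.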