rustdoc in versions of Rust through 1.26 loads plugins by default from the world writable directory, /tmp/rustdoc/plugins/. An attacker could exploit this by writing a malicious library to this directory allowing for invocations of rustdoc to execute arbitrary code.
IMO this has low impact. rustdoc will only load external libraries if given the --plugins option, and /tmp/rustdoc/plugins/ is only used if not given a --plugin-path. Both of these plugin options are deprecated and print warnings as such when you use them.
$ rustdoc foo/src/lib.rs --plugin-path /dev/null
WARNING: the 'plugin-path' flag is considered deprecated
WARNING: please see https://github.com/rust-lang/rust/issues/44136
Name: Lubomir Rintel (Red Hat)
Created rust tracking bugs for this issue:
Affects: epel-7 [bug 1599104]
Affects: fedora-all [bug 1599103]
Igor, why did you close this? Bug 1599104 for epel7 is still in testing.
(long bodhi time to stable, and I accidentally reset it with 1.27.2)
Now epel7 is on stable too.