rustdoc in versions of Rust through 1.26 loads plugins by default from the world writable directory, /tmp/rustdoc/plugins/. An attacker could exploit this by writing a malicious library to this directory allowing for invocations of rustdoc to execute arbitrary code.
IMO this has low impact. rustdoc will only load external libraries if given the --plugins option, and /tmp/rustdoc/plugins/ is only used if not given a --plugin-path. Both of these plugin options are deprecated and print warnings as such when you use them. $ rustdoc foo/src/lib.rs --plugin-path /dev/null WARNING: the 'plugin-path' flag is considered deprecated WARNING: please see https://github.com/rust-lang/rust/issues/44136
External Reference: https://groups.google.com/forum/#!topic/rustlang-security-announcements/4ybxYLTtXuM
Acknowledgments: Name: Lubomir Rintel (Red Hat)
Created rust tracking bugs for this issue: Affects: epel-7 [bug 1599104] Affects: fedora-all [bug 1599103]
Igor, why did you close this? Bug 1599104 for epel7 is still in testing. (long bodhi time to stable, and I accidentally reset it with 1.27.2)
Now epel7 is on stable too.
Upstream fix applied in rust 1.27.1: https://github.com/rust-lang/rust/commit/0d2d842eec9e35dd25bbdd0304ec9e08d320d29d rustdoc's plugins feature was removed completely in rust 1.29.0: https://github.com/rust-lang/rust/pull/52194 https://github.com/rust-lang/rust/commit/c946c2539e9690fab5dbf7ac217ec696ac263cf3
The rust version shipped by Developers Toolset on Red Hat Enterprise Linux is affected by this issue. The fix was made available through the following errata: https://access.redhat.com/errata/RHEA-2018:3584