Bug 2228038 (CVE-2023-38497) - CVE-2023-38497 rust-cargo: cargo does not respect the umask when extracting dependencies
Summary: CVE-2023-38497 rust-cargo: cargo does not respect the umask when extracting d...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-38497
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2228132 2228133 2228134 2228135 2228136 2228137 2228138 2228139 2228140 2228141 2229138 2229139 2229140 2229141
Blocks: 2227802
TreeView+ depends on / blocked
 
Reported: 2023-08-01 07:58 UTC by Marian Rehak
Modified: 2024-05-28 14:05 UTC (History)
9 users (show)

Fixed In Version: rust 1.71.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the rust-cargo package. Cargo, as bundled with the Rust compiler, did not respect the umask when extracting dependency tarballs and caching the extraction for future builds. If a dependency contained files with 0777 permissions, another local user could edit the cache of the extracted source code, potentially executing arbitrary code with the privileges of the user running Cargo during the next build.
Clone Of:
Environment:
Last Closed: 2023-08-15 04:20:08 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:4634 0 None None None 2023-08-14 14:17:35 UTC
Red Hat Product Errata RHSA-2023:4635 0 None None None 2023-08-14 14:29:39 UTC
Red Hat Product Errata RHSA-2023:4651 0 None None None 2023-08-15 00:10:33 UTC
Red Hat Product Errata RHSA-2024:3418 0 None None None 2024-05-28 14:05:49 UTC
Red Hat Product Errata RHSA-2024:3428 0 None None None 2024-05-28 13:35:22 UTC

Description Marian Rehak 2023-08-01 07:58:46 UTC
Cargo, as bundled with the Rust compiler, did not respect the umask when extracting dependency tarballs and caching the extraction for future builds. If a dependency contained files with 0777 permissions, another local user could edit the cache of the extracted source code, potentially executing arbitrary code with the privileges of the user running Cargo during the next build.

Comment 10 Marian Rehak 2023-08-04 11:01:30 UTC
Created rust tracking bugs for this issue:

Affects: epel-7 [bug 2229138]
Affects: fedora-37 [bug 2229139]
Affects: fedora-38 [bug 2229140]


Created rust-cargo tracking bugs for this issue:

Affects: fedora-all [bug 2229141]

Comment 12 errata-xmlrpc 2023-08-14 14:17:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4634 https://access.redhat.com/errata/RHSA-2023:4634

Comment 13 errata-xmlrpc 2023-08-14 14:29:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4635 https://access.redhat.com/errata/RHSA-2023:4635

Comment 14 errata-xmlrpc 2023-08-15 00:10:32 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2023:4651 https://access.redhat.com/errata/RHSA-2023:4651

Comment 15 Product Security DevOps Team 2023-08-15 04:20:06 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-38497

Comment 16 errata-xmlrpc 2024-05-28 13:35:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:3428 https://access.redhat.com/errata/RHSA-2024:3428

Comment 17 errata-xmlrpc 2024-05-28 14:05:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:3418 https://access.redhat.com/errata/RHSA-2024:3418


Note You need to log in before you can comment on or make changes to this bug.