Cargo, as bundled with the Rust compiler, did not respect the umask when extracting dependency tarballs and caching the extraction for future builds. If a dependency contained files with 0777 permissions, another local user could edit the cache of the extracted source code, potentially executing arbitrary code with the privileges of the user running Cargo during the next build.
Created rust tracking bugs for this issue: Affects: epel-7 [bug 2229138] Affects: fedora-37 [bug 2229139] Affects: fedora-38 [bug 2229140] Created rust-cargo tracking bugs for this issue: Affects: fedora-all [bug 2229141]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:4634 https://access.redhat.com/errata/RHSA-2023:4634
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:4635 https://access.redhat.com/errata/RHSA-2023:4635
This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2023:4651 https://access.redhat.com/errata/RHSA-2023:4651
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-38497
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:3428 https://access.redhat.com/errata/RHSA-2024:3428
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2024:3418 https://access.redhat.com/errata/RHSA-2024:3418