Debian Bug report logs - #1021142: cargo: CVE-2022-36113 CVE-2022-36114
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>: Bug#1021142; Package src:cargo. (Sun, 02 Oct 2022 18:15:16 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>. (Sun, 02 Oct 2022 18:15:16 GMT)
Message #5 received at submit@bugs.debian.org:
Source: cargo
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for cargo.
CVE-2022-36113[0]:
| Cargo is a package manager for the rust programming language. After a
| package is downloaded, Cargo extracts its source code in the ~/.cargo
| folder on disk, making it available to the Rust projects it builds. To
| record when an extraction is successful, Cargo writes "ok" to the
| .cargo-ok file at the root of the extracted source code once it
| extracted all the files. It was discovered that Cargo allowed packages
| to contain a .cargo-ok symbolic link, which Cargo would extract. Then,
| when Cargo attempted to write "ok" into .cargo-ok, it would actually
| replace the first two bytes of the file the symlink pointed to with
| ok. This would allow an attacker to corrupt one file on the machine
| using Cargo to extract the package. Note that by design Cargo allows
| code execution at build time, due to build scripts and procedural
| macros. The vulnerabilities in this advisory allow performing a subset
| of the possible damage in a harder to track down way. Your
| dependencies must still be trusted if you want to be protected from
| attacks, as it's possible to perform the same attacks with build
| scripts and procedural macros. The vulnerability is present in all
| versions of Cargo. Rust 1.64, to be released on September 22nd, will
| include a fix for it. Since the vulnerability is just a more limited
| way to accomplish what malicious build scripts or procedural macros
| can do, we decided not to publish Rust point releases backporting the
| security fix. Patch files for Rust 1.63.0 are available in the
| wg-security-response repository for people building their own
| toolchain. Mitigations: We recommend users of alternate registries to
| exercise care in which package they download, by only including
| trusted dependencies in their projects. Please note that even with
| these vulnerabilities fixed, by design Cargo allows arbitrary code
| execution at build time thanks to build scripts and procedural macros:
| a malicious dependency will be able to cause damage regardless of
| these vulnerabilities. crates.io implemented server-side checks to
| reject these kinds of packages years ago, and there are no packages on
| crates.io exploiting these vulnerabilities. crates.io users still need
| to exercise care in choosing their dependencies though, as remote code
| execution is allowed by design there as well.
https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h4-hm5j
https://github.com/rust-lang/cargo/commit/97b80919e404b0768ea31ae329c3b4da54bed05a
CVE-2022-36114[1]:
| Cargo is a package manager for the rust programming language. It was
| discovered that Cargo did not limit the amount of data extracted from
| compressed archives. An attacker could upload to an alternate registry
| a specially crafted package that extracts way more data than its size
| (also known as a "zip bomb"), exhausting the disk space on the machine
| using Cargo to download the package. Note that by design Cargo allows
| code execution at build time, due to build scripts and procedural
| macros. The vulnerabilities in this advisory allow performing a subset
| of the possible damage in a harder to track down way. Your
| dependencies must still be trusted if you want to be protected from
| attacks, as it's possible to perform the same attacks with build
| scripts and procedural macros. The vulnerability is present in all
| versions of Cargo. Rust 1.64, to be released on September 22nd, will
| include a fix for it. Since the vulnerability is just a more limited
| way to accomplish what malicious build scripts or procedural macros
| can do, we decided not to publish Rust point releases backporting the
| security fix. Patch files for Rust 1.63.0 are available in the
| wg-security-response repository for people building their own
| toolchain. We recommend users of alternate registries to exercise
| care in which package they download, by only including trusted
| dependencies in their projects. Please note that even with these
| vulnerabilities fixed, by design Cargo allows arbitrary code execution
| at build time thanks to build scripts and procedural macros: a
| malicious dependency will be able to cause damage regardless of these
| vulnerabilities. crates.io implemented server-side checks to reject
| these kinds of packages years ago, and there are no packages on
| crates.io exploiting these vulnerabilities. crates.io users still need
| to exercise care in choosing their dependencies though, as the same
| concerns about build scripts and procedural macros apply here.
https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp
https://github.com/rust-lang/cargo/commit/d1f9553c825f6d7481453be8d58d0e7f117988a7
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-36113
https://www.cve.org/CVERecord?id=CVE-2022-36113
[1] https://security-tracker.debian.org/tracker/CVE-2022-36114
https://www.cve.org/CVERecord?id=CVE-2022-36114
Please adjust the affected versions in the BTS as needed.
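The two defects quoted above, shown from the defending side as an added example (this is not Cargo's code and not part of the bug report): a package checker that refuses any archive entry named `.cargo-ok`, since a symlink there would redirect the later "ok" write into its target, and that caps the inflated byte count it is willing to read, so a small archive that expands without bound is cut off early. The byte limit, the fixture builder and the sample package contents are assumptions made for the example.

```python
import gzip
import io
import tarfile

CARGO_OK = ".cargo-ok"  # marker Cargo writes once extraction has finished

class ExtractionLimitExceeded(Exception):
    """Raised once more inflated bytes than `limit` have been read."""

class LimitedReader:
    """Hands inflated bytes to tarfile but stops once `limit` is passed."""

    def __init__(self, inner, limit):
        self.inner, self.limit, self.seen = inner, limit, 0

    def read(self, n=-1):
        data = self.inner.read(n)
        self.seen += len(data)  # count inflated bytes, not the .crate size on disk
        if self.seen > self.limit:
            raise ExtractionLimitExceeded(f"extraction exceeds {self.limit} bytes")
        return data

def check_crate(crate_bytes, limit):
    """Return reasons to refuse the package; an empty list means acceptable."""
    problems = []
    inflated = gzip.GzipFile(fileobj=io.BytesIO(crate_bytes), mode="rb")
    try:
        with tarfile.open(fileobj=LimitedReader(inflated, limit), mode="r|") as tf:
            for member in tf:
                # A shipped .cargo-ok symlink would redirect Cargo's later "ok" write.
                if CARGO_OK in member.name.split("/"):
                    kind = f"symlink -> {member.linkname}" if member.issym() else "file"
                    problems.append(f"{member.name}: ships {CARGO_OK} ({kind})")
    except ExtractionLimitExceeded as exc:
        problems.append(str(exc))
    return problems

def build_crate(entries):
    """Constructed fixture: gzip'd tar built from (name, symlink_target, size)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tf:
        for name, target, size in entries:
            info = tarfile.TarInfo(name)
            if target is not None:
                info.type, info.linkname = tarfile.SYMTYPE, target
                tf.addfile(info)
            else:
                info.size = size
                tf.addfile(info, io.BytesIO(bytes(size)))
    return gzip.compress(raw.getvalue())
```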
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 02 Oct 2022 18:51:23 GMT)
Marked as found in versions cargo/0.57.0-7. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 02 Oct 2022 18:51:24 GMT)
Last modified: Mon Oct 3 13:21:36 2022