Debian Bug report logs -
#1059305
cargo: CVE-2023-40030
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>
:
Bug#1059305
; Package src:cargo
.
(Fri, 22 Dec 2023 13:30:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>
.
(Fri, 22 Dec 2023 13:30:08 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: cargo
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for cargo.
CVE-2023-40030[0]:
| Cargo downloads a Rust project’s dependencies and compiles the
| project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not
| escape Cargo feature names when including them in the report
| generated by `cargo build --timings`. A malicious package included
| as a dependency may inject nearly arbitrary HTML here, potentially
| leading to cross-site scripting if the report is subsequently
| uploaded somewhere. The vulnerability affects users relying on
| dependencies from git, local paths, or alternative registries. Users
| who solely depend on crates.io are unaffected. Rust 1.60.0
| introduced `cargo build --timings`, which produces a report of how
| long the different steps of the build process took. It includes
| lists of Cargo features for each crate. Prior to Rust 1.72, Cargo
| feature names were allowed to contain almost any characters (with
| some exceptions as used by the feature syntax), but it would produce
| a future incompatibility warning about them since Rust 1.49.
| crates.io is far more stringent about what it considers a valid
| feature name and has not allowed such feature names. As the feature
| names were included unescaped in the timings report, they could be
| used to inject Javascript into the page, for example with a feature
| name like `features = ["<img src='' onerror=alert(0)"]`. If this
| report were subsequently uploaded to a domain that uses credentials,
| the injected Javascript could access resources from the website
| visitor. This issue was fixed in Rust 1.72 by turning the future
| incompatibility warning into an error. Users should still exercise
| care in which package they download, by only including trusted
| dependencies in their projects. Please note that even with these
| vulnerabilities fixed, by design Cargo allows arbitrary code
| execution at build time thanks to build scripts and procedural
| macros: a malicious dependency will be able to cause damage
| regardless of these vulnerabilities. crates.io has server-side
| checks preventing this attack, and there are no packages on
| crates.io exploiting these vulnerabilities. crates.io users still
| need to excercise care in choosing their dependencies though, as
| remote code execution is allowed by design there as well.
https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p
https://github.com/rust-lang/cargo/pull/12291
https://github.com/rust-lang/cargo/commit/9835622853f08be9a4b58ebe29dcec8f43b64b33 (0.75.0)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-40030
https://www.cve.org/CVERecord?id=CVE-2023-40030
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Fri, 22 Dec 2023 20:09:38 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Dec 23 08:18:49 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.