CVE-2023-38497: Cargo not respecting umask when extracting crate archives
The Rust Security Response WG was notified that Cargo did not respect the umask when extracting crate archives on UNIX-like systems, so extracted files kept the permission bits recorded in the archive instead of having the umask applied. If the user downloaded a crate containing files writable by any local user, another local user could exploit this to change the source code compiled and executed by the current user.
This vulnerability has been assigned CVE-2023-38497.
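The following is an added example, not Cargo's code and not the fix from the linked pull request. It shows, in plain Rust with only the standard library, the two halves of the issue from a defender's side: what applying the umask to an archive-supplied mode looks like, and an audit that walks an extracted source tree and reports entries that are group- or world-writable, which is the condition the advisory describes. It assumes a UNIX-like host; `apply_umask`, `probe_umask` and `find_loose_writable` are names chosen here, and the files written under a temporary directory are constructed sample data.

```rust
// Added example (not Cargo's implementation). Assumes a UNIX-like filesystem.
use std::fs;
use std::io;
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Reduce an archive-supplied mode to the permission bits the umask allows.
/// This is what "respecting the umask" means for an extracted file: type bits
/// are dropped and every bit set in the umask is cleared.
pub fn apply_umask(archive_mode: u32, umask: u32) -> u32 {
    archive_mode & 0o777 & !umask
}

/// Infer the process umask without libc: create a probe file requesting 0o666
/// and see which bits the kernel cleared. The probe is removed afterwards.
pub fn probe_umask(dir: &Path) -> io::Result<u32> {
    let probe = dir.join(format!("umask-probe-{}", std::process::id()));
    let file = fs::OpenOptions::new()
        .write(true)
        .create_new(true)
        .mode(0o666)
        .open(&probe)?;
    let granted = file.metadata()?.permissions().mode() & 0o777;
    drop(file);
    fs::remove_file(&probe)?;
    Ok(0o666 & !granted)
}

/// Walk `root` and return every regular file or directory whose mode grants
/// write access to group or others (bits 0o022). Symlinks are skipped because
/// their own mode bits are not meaningful. Results are sorted for stable output.
pub fn find_loose_writable(root: &Path) -> io::Result<Vec<PathBuf>> {
    let mut hits = Vec::new();
    let mut stack = vec![root.to_path_buf()];
    while let Some(dir) = stack.pop() {
        for entry in fs::read_dir(&dir)? {
            let entry = entry?;
            let meta = entry.metadata()?; // lstat semantics: does not follow symlinks
            if meta.file_type().is_symlink() {
                continue;
            }
            if meta.permissions().mode() & 0o022 != 0 {
                hits.push(entry.path());
            }
            if meta.is_dir() {
                stack.push(entry.path());
            }
        }
    }
    hits.sort();
    Ok(hits)
}

fn main() -> io::Result<()> {
    // Constructed sample tree: one file written with the mode an archive might
    // dictate (0o666, umask ignored) and one with the umask applied.
    let root = std::env::temp_dir().join(format!("umask-demo-{}", std::process::id()));
    fs::create_dir_all(&root)?;
    let umask = probe_umask(&root)?;
    let ignored = root.join("src_from_archive.rs");
    fs::write(&ignored, "// constructed sample\n")?;
    fs::set_permissions(&ignored, fs::Permissions::from_mode(0o666))?;
    let honoured = root.join("src_with_umask.rs");
    fs::write(&honoured, "// constructed sample\n")?;
    fs::set_permissions(&honoured, fs::Permissions::from_mode(apply_umask(0o666, umask)))?;
    for path in find_loose_writable(&root)? {
        println!("group/world-writable: {}", path.display());
    }
    fs::remove_dir_all(&root)
}
```

Pointing `find_loose_writable` at a registry source directory such as the one under the Cargo home gives a quick post-hoc check of whether crates extracted by an unpatched Cargo left behind files other local users could modify; tightening those modes (for example to 0o644 for files and 0o755 for directories) or re-extracting with a fixed Cargo removes the exposure.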
References
- en.wikipedia.org/wiki/Umask
- github.com/advisories/GHSA-j3xp-wfr4-hx87
- github.com/rust-lang/cargo
- github.com/rust-lang/cargo/commit/d78bbf4bde3c6b95caca7512f537c6f9721426ff
- github.com/rust-lang/cargo/pull/12443
- github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87
- github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2023-38497
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGKE6PGM4HIQUHPJRBQAHMELINSGN4H4
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMEXGUGPW5OBSQA6URTBNDSU3RAEFOZ4
- nvd.nist.gov/vuln/detail/CVE-2023-38497
- www.rust-lang.org/policies/security