Advisories for Cargo/Uu_install package

2026

install: TOCTOU symlink race (unlink-then-create without O_EXCL) allows arbitrary file overwrite

copy_file in install/src/install.rs removes the destination then recreates it by pathname via File::create / fs::copy without O_EXCL/create_new. Between the unlink and the recreate, a local attacker with write access to the destination directory can drop in a symlink and redirect the write. Impact: when install runs privileged into an attacker-writable directory (staging/build paths), the race allows redirecting writes to arbitrary files and overwriting sensitive system files (/etc/passwd, /etc/shadow). Recommendation: create …

install -D: symlink race in directory creation allows arbitrary file overwrite

The -D path runs fs::create_dir_all on a pathname then later opens the destination via path-based File::create/fs::copy, neither anchored to a directory fd. Between the two, an attacker can replace a path component with a symlink, redirecting the write. Impact: an attacker with concurrent write access to the destination tree can redirect a privileged install -D to an arbitrary location, enabling arbitrary file overwrite with attacker-controlled content. Recommendation: use dirfd-based traversal …