CVE-2023-38497
Published: 3 August 2023
Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.
Notes
| Author | Note |
|---|---|
| sbeattie | cargo in mantic was merged into rustc |
| alexmurray | requires an update to the tar rust dependency (tar 0.4.39) - this is packaged as rust-tar in Ubuntu but only the rust-cargo package appears to use this - rustc and cargo both vendor a copy of this package |
| litios | a workaround for this issue is to prevent access to the ~/.cargo directory to other users. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
cargo Launchpad, Ubuntu, Debian |
bionic |
Released
(0.66.0+ds0ubuntu0.libgit2-0ubuntu0.18.04.1~esm1)
Available with Ubuntu Pro |
| focal |
Released
(0.67.1+ds0ubuntu0.libgit2-0ubuntu0.20.04.2+esm1)
Available with Ubuntu Pro |
|
| jammy |
Released
(0.67.1+ds0ubuntu0.libgit2-0ubuntu0.22.04.2+esm1)
Available with Ubuntu Pro |
|
| lunar |
Ignored
(end of life, was needed)
|
|
| mantic |
Does not exist
|
|
| noble |
Does not exist
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Released
(0.72.2)
|
|
| xenial |
Released
(0.47.0-1~exp1ubuntu1~16.04.1+esm1)
Available with Ubuntu Pro |
|
|
rust-cargo Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of standard support)
|
| focal |
Does not exist
|
|
| jammy |
Released
(0.57.0-1ubuntu0.1~esm1)
Available with Ubuntu Pro |
|
| lunar |
Ignored
(end of life, was needed)
|
|
| mantic |
Needed
|
|
| noble |
Needed
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(end of standard support)
|
|
|
rustc Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(cargo used from system)
|
| focal |
Not vulnerable
(cargo used from system)
|
|
| jammy |
Not vulnerable
(cargo used from system)
|
|
| lunar |
Not vulnerable
(cargo used from system)
|
|
| mantic |
Needed
|
|
| noble |
Needed
|
|
| trusty |
Not vulnerable
(cargo used from system)
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(cargo used from system)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.3 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
References
- https://github.com/alexcrichton/tar-rs/commit/1fd8b4ef309087d138c55aab7b38ad7e15993c96
- https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87
- https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2023-38497
- https://ubuntu.com/security/notices/USN-6275-1
- https://www.cve.org/CVERecord?id=CVE-2023-38497
- NVD
- Launchpad
- Debian