Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2023-38497

Published: 3 August 2023

Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.

Notes

AuthorNote
sbeattie
cargo in mantic was merged into rustc
alexmurray
requires an update to the tar rust dependency (tar 0.4.39) - this
is packaged as rust-tar in Ubuntu but only the rust-cargo package appears to
use this - rustc and cargo both vendor a copy of this package
litios
a workaround for this issue is to prevent access to the ~/.cargo
directory to other users.

Priority

Medium

Cvss 3 Severity Score

7.3

Score breakdown

Status

Package Release Status
rust-cargo
Launchpad, Ubuntu, Debian
trusty Ignored
(end of standard support)
xenial Ignored
(end of standard support)
bionic Ignored
(end of standard support)
focal Does not exist

upstream Needs triage

jammy
Released (0.57.0-1ubuntu0.1~esm1)
Available with Ubuntu Pro
mantic Needed

lunar Ignored
(end of life, was needed)
rustc
Launchpad, Ubuntu, Debian
trusty Not vulnerable
(cargo used from system)
xenial Not vulnerable
(cargo used from system)
bionic Not vulnerable
(cargo used from system)
focal Not vulnerable
(cargo used from system)
jammy Not vulnerable
(cargo used from system)
lunar Not vulnerable
(cargo used from system)
upstream Needs triage

mantic Needed

cargo
Launchpad, Ubuntu, Debian
trusty Ignored
(end of standard support)
lunar Ignored
(end of life, was needed)
upstream
Released (0.72.2)
bionic
Released (0.66.0+ds0ubuntu0.libgit2-0ubuntu0.18.04.1~esm1)
Available with Ubuntu Pro
focal
Released (0.67.1+ds0ubuntu0.libgit2-0ubuntu0.20.04.2+esm1)
Available with Ubuntu Pro
jammy
Released (0.67.1+ds0ubuntu0.libgit2-0ubuntu0.22.04.2+esm1)
Available with Ubuntu Pro
xenial
Released (0.47.0-1~exp1ubuntu1~16.04.1+esm1)
Available with Ubuntu Pro
mantic Does not exist

Severity score breakdown

Parameter Value
Base score 7.3
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H