Bug 911685 (CVE-2023-38497) - <dev-lang/rust-1.71.1 <dev-lang/rust-bin-1.71.1: Cargo does not respect umask
Summary: <dev-lang/rust-1.71.1 <dev-lang/rust-bin-1.71.1: Cargo does not respect umask
Status: RESOLVED FIXED
Alias: CVE-2023-38497
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://blog.rust-lang.org/2023/08/03...
Whiteboard: B3 [glsa+]
Keywords: PullRequest
Depends on: 913962
Blocks:
Reported: 2023-08-04 01:16 UTC by Sam James
Modified: 2024-09-22 06:10 UTC

See Also:
Package list:
Runtime testing required: ---
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-08-04 01:16:41 UTC
From https://blog.rust-lang.org/2023/08/03/Rust-1.71.1.html:
"""
Rust 1.71.1 fixes Cargo not respecting the umask when extracting dependencies, which could allow a local attacker to edit the cache of extracted source code belonging to another local user, potentially executing code as another user. This security vulnerability is tracked as CVE-2023-38497, and you can read more about it on the advisory we published earlier today. We recommend all users to update their toolchain as soon as possible.
"""

See also: https://blog.rust-lang.org/2023/08/03/cve-2023-38497.html.
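A defender-side check for the condition the advisory describes, added here as an example (it is not part of this bug, of Gentoo's packaging, or of Cargo itself): it audits a Cargo home for extracted dependency files carrying permission bits the umask should have cleared, and can clear them. It assumes GNU find and stat, and that the extracted-source directories are registry/src and git/checkouts under the Cargo home.

```shell
#!/bin/sh
# Added example for CVE-2023-38497 (not Gentoo's or Cargo's code): find extracted
# dependency sources whose mode has bits the umask should have removed, which is
# what lets another local user edit the cache on a shared machine. Assumes GNU
# find/stat; the two subdirectories are assumed from the Rust advisory.
CARGO_SRC_DIRS="registry/src git/checkouts"

# Count entries under $1 that carry any permission bit set in umask $2 (octal).
# "find -perm /MODE" matches when at least one of MODE's bits is set.
umask_violation_count() {
  dir=$1; mask=$2
  [ -d "$dir" ] || { echo 0; return 0; }
  find "$dir" -perm "/$mask" | wc -l | tr -d ' '
}

# Sum the violations over every extracted-source directory of cargo home $1.
cargo_home_violation_count() {
  home=$1; mask=$2; total=0
  for sub in $CARGO_SRC_DIRS; do
    n=$(umask_violation_count "$home/$sub" "$mask")
    total=$((total + n))
  done
  echo "$total"
}

# Clear the masked bits (mode & ~mask) on every offending entry under $1, i.e.
# produce the mode that respecting the umask at extraction time would have given.
fix_umask_violations() {
  dir=$1; mask=$2
  [ -d "$dir" ] || return 0
  find "$dir" -perm "/$mask" | while IFS= read -r path; do
    cur=$(stat -c %a "$path")
    chmod "$(printf '%o' $(( 0$cur & ~0$mask )))" "$path"
  done
}

# Typical use on a real cargo home with the caller's current umask:
#   cargo_home_violation_count "${CARGO_HOME:-$HOME/.cargo}" "$(umask)"
```

Run the count first with your own `umask` value; a non-zero result on a multi-user host means the cache was written by a Cargo older than 1.71.1 and should be fixed or purged.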
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-08-04 01:17:00 UTC
Note that we may need to backport https://github.com/rust-lang/rust/pull/114440 as well...
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-08-04 16:48:11 UTC
commit 9bd0a1774d10a17f7a311813b314fee6953eb49d
Author: WANG Xuerui <xen0n@gentoo.org>
Date:   Fri Aug 4 15:20:57 2023 +0800

    sys-devel/rust-std: add 1.71.1

    Closes: https://github.com/gentoo/gentoo/pull/32170
    Signed-off-by: WANG Xuerui <xen0n@gentoo.org>

commit 1ee36a35ed4404e95cb88a69e745580f2a5d0c73
Author: WANG Xuerui <xen0n@gentoo.org>
Date:   Fri Aug 4 15:19:58 2023 +0800

    virtual/rust: add 1.71.1

    Signed-off-by: WANG Xuerui <xen0n@gentoo.org>

commit d7081c418d324fefef6d2e671bd92a84091f989c
Author: WANG Xuerui <xen0n@gentoo.org>
Date:   Fri Aug 4 15:19:28 2023 +0800

    dev-lang/rust: add 1.71.1

    Signed-off-by: WANG Xuerui <xen0n@gentoo.org>

commit e73ed087dff62bccf07ccb56a8025940701efaa2
Author: WANG Xuerui <xen0n@gentoo.org>
Date:   Fri Aug 4 15:06:57 2023 +0800

    dev-lang/rust-bin: add 1.71.1

    Signed-off-by: WANG Xuerui <xen0n@gentoo.org>
Comment 3 Hans de Graaff gentoo-dev Security 2024-02-10 15:46:06 UTC
commit d4946c5f8d3fa1aec5e5d4d3f64971d89958fde3
Author: Matt Turner <mattst88@gentoo.org>
Date:   Wed Jan 24 12:17:38 2024 -0500

    dev-lang/rust: Drop old versions
Comment 4 Larry the Git Cow gentoo-dev 2024-09-02 19:20:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=42baae9085f015e58b8b203f01352292e344f334

commit 42baae9085f015e58b8b203f01352292e344f334
Author:     Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2024-02-13 02:47:59 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2024-09-02 19:20:03 +0000

    dev-lang/rust-bin: Drop 1.71.0
    
    Bug: https://bugs.gentoo.org/911685
    Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
    Closes: https://github.com/gentoo/gentoo/pull/35291
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 dev-lang/rust-bin/Manifest               |  38 -----
 dev-lang/rust-bin/rust-bin-1.71.0.ebuild | 230 -------------------------------
 2 files changed, 268 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=55048ab03a23fbbc307a68aae4e3a9e74dc458af

commit 55048ab03a23fbbc307a68aae4e3a9e74dc458af
Author:     Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2024-02-13 02:46:58 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2024-09-02 19:19:26 +0000

    dev-lang/rust: Drop 1.71.0
    
    Bug: https://bugs.gentoo.org/911685
    Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 dev-lang/rust/Manifest           |   2 -
 dev-lang/rust/rust-1.71.0.ebuild | 748 ---------------------------------------
 2 files changed, 750 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f10f1d386570ffe99f0f69468c8d44db91b36bc6

commit f10f1d386570ffe99f0f69468c8d44db91b36bc6
Author:     Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2024-02-13 02:43:57 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2024-09-02 19:18:49 +0000

    virtual/rust: Drop 1.71.0
    
    Bug: https://bugs.gentoo.org/911685
    Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 virtual/rust/rust-1.71.0-r2.ebuild | 23 -----------------------
 1 file changed, 23 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2024-09-22 06:09:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=99ed81387ba7dbcd82799c29cbe519ef1febcf69

commit 99ed81387ba7dbcd82799c29cbe519ef1febcf69
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 06:09:00 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 06:09:09 +0000

    [ GLSA 202409-07 ] Rust: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/890371
    Bug: https://bugs.gentoo.org/911685
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-07.xml | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)