
Bug 929036 (CVE-2024-24576)

Summary: dev-lang/rust, dev-lang/rust-bin: Untrusted command sanitation leading to code execution on Windows
Product: Gentoo Security
Reporter: Randy Barlow <randy>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: randy
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Randy Barlow 2024-04-10 01:17:35 UTC
Today Rust 1.77.2 was released to address a security flaw. The flaw relates to how Command input is sanitized in the standard library for Windows build targets.

Gentoo does not ship the Windows build targets as part of its ebuilds, and thus is not vulnerable to this CVE.

For more information, see the Rust blog: https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html

Reproducible: Always
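The advisory linked in the description concerns how std::process::Command passes arguments when the program being spawned is a Windows batch file (.bat or .cmd), whose arguments are parsed by cmd.exe rather than by the script itself. The Rust snippet below is an added example for readers of this bug, not code from the Rust project, from Gentoo, or from the 1.77.2 fix: it is a hypothetical guard that refuses to hand arguments containing cmd.exe metacharacters to a batch file, illustrating the "reject what cannot be passed safely" idea rather than the standard library's real escaping logic. The function names, the metacharacter list and the error message are assumptions made here; the check is plain string logic, so it also compiles and runs on Linux, where Gentoo builds Rust.

```rust
use std::io;
use std::path::Path;
use std::process::Command;

/// True when `program` names a Windows batch script (.bat or .cmd).
/// Such scripts are run through cmd.exe, which re-parses their arguments.
pub fn is_batch_file(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(|ext| ext.to_str())
        .map(|ext| ext.eq_ignore_ascii_case("bat") || ext.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

/// Conservative, assumed list of characters cmd.exe may interpret inside an
/// argument even when it is quoted. This is an illustration, not the exact
/// set the standard library escapes.
pub fn has_cmd_metachars(arg: &str) -> bool {
    arg.chars().any(|c| {
        matches!(c, '"' | '%' | '!' | '&' | '|' | '<' | '>' | '^' | '\r' | '\n')
    })
}

/// Build a Command, but refuse (with InvalidInput, the same error kind the
/// 1.77.2 fix uses) when an argument to a batch file could be re-interpreted
/// by cmd.exe. Non-batch programs receive their arguments unchanged.
pub fn build_guarded_command(program: &str, args: &[&str]) -> io::Result<Command> {
    if is_batch_file(program) {
        if let Some(bad) = args.iter().find(|a| has_cmd_metachars(a)) {
            return Err(io::Error::new(
                io::ErrorKind::InvalidInput,
                format!("refusing to pass argument {bad:?} to batch file {program}"),
            ));
        }
    }
    let mut cmd = Command::new(program);
    cmd.args(args);
    Ok(cmd)
}

fn main() {
    // Constructed sample inputs: a batch file target and a plain program.
    match build_guarded_command("deploy.cmd", &["release", "x&y"]) {
        Ok(_) => println!("command accepted"),
        Err(e) => println!("rejected: {e}"),
    }
    match build_guarded_command("/bin/echo", &["x&y"]) {
        Ok(_) => println!("non-batch program: argument passed verbatim"),
        Err(e) => println!("rejected: {e}"),
    }
}
```

On a stock toolchain at or above 1.77.2 this guard is redundant for batch files, because the standard library itself returns InvalidInput when it cannot escape an argument safely; the value of the snippet is to show what that boundary looks like and why a Linux-only build, which never spawns through cmd.exe, is outside the affected code path.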
Comment 1 Randy Barlow 2024-04-10 01:18:56 UTC
We can close this ticket as INVALID. I filed it at the suggestion of our pal Sam James so that we can have a documented record describing why we don't need to bump the version in Gentoo.