Bug 929036 (CVE-2024-24576) - dev-lang/rust, dev-lang/rust-bin: Untrusted command sanitation leading to code execution on Windows
Status: RESOLVED INVALID
Alias: CVE-2024-24576
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-10 01:17 UTC by Randy Barlow
Modified: 2024-04-10 02:32 UTC

See Also:
Package list:
Runtime testing required: ---

Description Randy Barlow 2024-04-10 01:17:35 UTC
Today Rust 1.77.2 was released to address a security flaw. The flaw relates to how Command input is sanitized in the standard library for Windows build targets.

Gentoo does not ship the Windows build targets as part of its ebuilds, and thus is not vulnerable to this CVE.

For more information, see the Rust blog: https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html

Reproducible: Always
Comment 1 Randy Barlow 2024-04-10 01:18:56 UTC
We can close this ticket as INVALID. I filed it at the suggestion of our pal Sam James so that we can have a documented record describing why we don't need to bump the version in Gentoo.