[Bugs] [Bug 13236] New: cargo 0.47.0 CVEs found
bugzilla
bugzilla at rosalinux.ru
Wed Apr 26 17:50:09 MSK 2023
https://bugzilla.rosalinux.ru/show_bug.cgi?id=13236
Platform: ---
Bug ID: 13236
Summary: cargo 0.47.0 CVEs found
Classification: ROSA-based products
Product: Certified ROSA distros
Version: Chrome
Hardware: All
OS: Linux
Status: CONFIRMED
Severity: normal
Priority: Normal
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: bugs at lists.rosalinux.ru
Reporter: y.tumanov at rosalinux.ru
QA Contact: bugs at lists.rosalinux.ru
Target Milestone: ---
Group: ROSA-plus-NTCIT
Flags: secteam_verified?
Please patch CVEs for package cargo version 0.47.0
INFO (CVEs are):
CVE-2022-36113
Cargo is a package manager for the rust programming language. After a
package is downloaded, Cargo extracts its source code in the ~/.cargo folder on
disk, making it available to the Rust projects it builds. To record when an
extraction is successful, Cargo writes to the .cargo-ok file at the root of
the extracted source code once it extracted all the files. It was discovered
that Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo
would extract. Then, when Cargo attempted to write into .cargo-ok, it would
actually replace the first two bytes of the file the symlink pointed to with
ok. This would allow an attacker to corrupt one file on the machine using Cargo
to extract the package. Note that by design Cargo allows code execution at
build time, due to build scripts and procedural macros. The vulnerabilities in
this advisory allow performing a subset of the possible damage in a harder to
track down way. Your dependencies must still be trusted if you want to be
protected from attacks, as it's possible to perform the same attacks with build
scripts and procedural macros. The vulnerability is present in all versions of
Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it.
Since the vulnerability is just a more limited way to accomplish what
malicious build scripts or procedural macros can do, we decided not to publish
Rust point releases backporting the security fix. Patch files for Rust 1.63.0
are available in the wg-security-response repository for people building their
own toolchain.
Mitigations
We recommend users of alternate registries to exercise care in which package
they download, by only including
trusted dependencies in their projects. Please note that even with these
vulnerabilities fixed, by design Cargo allows arbitrary code execution at build
time thanks to build scripts and procedural macros: a malicious dependency will
be able to cause damage regardless of these vulnerabilities. crates.io
implemented server-side checks to reject these kinds of packages years ago, and
there are no packages on crates.io exploiting these vulnerabilities. crates.io
users still need to exercise care in choosing their dependencies though, as
remote code execution is allowed by design there as well.
https://nvd.nist.gov/vuln/detail/CVE-2022-36113
HIGH
CVE-2022-36114
Cargo is a package manager for the rust programming language. It was
discovered that Cargo did not limit the amount of data extracted from
compressed archives. An attacker could upload to an alternate registry a
specially crafted package that extracts way more data than its size,
exhausting the disk space on the machine using Cargo to download the package.
Note that by design Cargo allows code execution at build time, due to build
scripts and procedural macros. The vulnerabilities in this advisory allow
performing a subset of the possible damage in a harder to track down way. Your
dependencies must still be trusted if you want to be protected from attacks, as
it's possible to perform the same attacks with build scripts and procedural
macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be
released on September 22nd, will include a fix for it. Since the vulnerability
is just a more limited way to accomplish what malicious build scripts or
procedural macros can do, we decided not to publish Rust point releases
backporting the security fix. Patch files for Rust 1.63.0 are available in the
wg-security-response repository for people building their own toolchain. We
recommend users of alternate registries to exercise care in which package they
download, by only including trusted dependencies in their
projects. Please note that even with these vulnerabilities fixed, by design
Cargo allows arbitrary code execution at build time thanks to build scripts and
procedural macros: a malicious dependency will be able to cause damage
regardless of these vulnerabilities. crates.io implemented server-side checks
to reject these kinds of packages years ago, and there are no packages on
crates.io exploiting these vulnerabilities. crates.io users still need to
exercise care in choosing their dependencies though, as the same concerns
about build scripts and procedural macros apply here.
https://nvd.nist.gov/vuln/detail/CVE-2022-36114
MEDIUM
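A defender-side check covering both advisories above, added here as an example and not Cargo's own code: it rejects a package that ships its own `.cargo-ok` entry or a symlink whose target escapes the unpack directory (CVE-2022-36113), and it counts the bytes actually inflated from the archive so a decompression bomb is stopped at a cap instead of filling the disk (CVE-2022-36114). The function names, the 64 KiB demo cap and the in-memory packages built by `build_crate` are assumptions constructed for this example.

```python
import gzip
import io
import posixpath
import tarfile

MARKER = ".cargo-ok"  # written by the extractor itself, so a package must never ship one

class LimitedReader:
    """Counts bytes pulled from the decompressed stream; aborts once `limit` is exceeded."""
    def __init__(self, inner, limit):
        self.inner, self.limit, self.count = inner, limit, 0
    def read(self, n=-1):
        chunk = self.inner.read(n)
        self.count += len(chunk)
        if self.count > self.limit:
            raise ValueError(f"unpacked data exceeds {self.limit} bytes")
        return chunk

def check_package(tgz_bytes, limit=64 * 1024):
    """Return reasons to reject a .crate (gzipped tar); an empty list means acceptable.
    The 64 KiB default is a demo cap (constructed); a real extractor would use a far larger one."""
    problems = []
    try:
        # Stream mode ("r|") reads sequentially, so every unpacked byte passes the counter.
        with tarfile.open(fileobj=LimitedReader(gzip.GzipFile(fileobj=io.BytesIO(tgz_bytes)), limit),
                          mode="r|") as tar:
            for m in tar:
                if posixpath.basename(m.name) == MARKER:
                    problems.append(f"{m.name}: package must not contain the {MARKER} marker")
                if m.issym():
                    # Resolve the link target relative to the entry's own directory.
                    target = posixpath.normpath(posixpath.join(posixpath.dirname(m.name), m.linkname))
                    if target.startswith(("/", "../")) or target == "..":
                        problems.append(f"{m.name}: symlink target {m.linkname!r} escapes the package")
    except ValueError as e:  # raised by LimitedReader when the archive inflates past the cap
        problems.append(str(e))
    return problems

def build_crate(entries):
    """Constructed test fixture: entries are (name, file_bytes_or_None, symlink_target_or_None)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, link in entries:
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type, info.linkname = tarfile.SYMTYPE, link
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

The checks run on the archive stream before anything touches the disk, which is the point: a `.cargo-ok` symlink is refused rather than followed, and a bomb is refused after at most the cap plus one read buffer.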