CVE-2023-38497: Cargo not respecting umask when extracting crate archives
First published: Tue Aug 01 2023(Updated: )
A flaw was found in the rust-cargo package. Cargo, as bundled with the Rust compiler, did not respect the umask when extracting dependency tarballs and caching the extraction for future builds. If a dependency contained files with 0777 permissions, another local user could edit the cache of the extracted source code, potentially executing arbitrary code with the privileges of the user running Cargo during the next build.
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rust-lang Cargo | <0.72.2 | |
| Fedoraproject Fedora | =38 | |
| redhat/rust-toolset | <1.66-rust-0:1.66.1-2.el7_9 | 1.66-rust-0:1.66.1-2.el7_9 |
| redhat/rust | <0:1.66.1-2.el9_2 | 0:1.66.1-2.el9_2 |
| rust/cargo | <=0.72.1 | 0.72.2 |
| ubuntu/rust-cargo | <0.57.0-1ubuntu0.1~ | 0.57.0-1ubuntu0.1~ |
| ubuntu/cargo | <0.72.2 | 0.72.2 |
| ubuntu/cargo | <0.66.0+ | 0.66.0+ |
| ubuntu/cargo | <0.67.1+ | 0.67.1+ |
| ubuntu/cargo | <0.67.1+ | 0.67.1+ |
| ubuntu/cargo | <0.47.0-1~ | 0.47.0-1~ |
| redhat/rust | <1.71.1 | 1.71.1 |
| debian/cargo | <=0.43.1-3~deb10u1<=0.47.0-3<=0.66.0+ds1-1<=0.70.1+ds1-2 | |
| debian/rust-cargo | <=0.32.0-2<=0.43.1-4<=0.66.0-1<=0.70.1-2 |
Remedy
We recommend configuring your system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/rust-lang/cargo/pull/12443
- https://en.wikipedia.org/wiki/Umask
- https://www.rust-lang.org/policies/security
- https://github.com/rust-lang/cargo/commit/d78bbf4bde3c6b95caca7512f537c6f9721426ff
- https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2023-38497
- https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGKE6PGM4HIQUHPJRBQAHMELINSGN4H4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMEXGUGPW5OBSQA6URTBNDSU3RAEFOZ4/
- https://www.cve.org/CVERecord?id=CVE-2023-38497 https://nvd.nist.gov/vuln/detail/CVE-2023-38497 https://www.openwall.com/lists/oss-security/2023/08/03/2
- https://bugzilla.redhat.com/show_bug.cgi?id=2228038
- https://access.redhat.com/errata/RHSA-2023:4651
- https://access.redhat.com/errata/RHSA-2023:4635
- https://access.redhat.com/errata/RHSA-2023:4634
- https://access.redhat.com/security/cve/cve-2023-38497
- https://nvd.nist.gov/vuln/detail/CVE-2023-38497
- https://github.com/advisories/GHSA-j3xp-wfr4-hx87 (Advisory)
- https://launchpad.net/bugs/cve/CVE-2023-38497
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38497
- https://github.com/alexcrichton/tar-rs/commit/1fd8b4ef309087d138c55aab7b38ad7e15993c96
- https://ubuntu.com/security/notices/USN-6275-1
- https://security-tracker.debian.org/tracker/CVE-2023-38497
- https://ubuntu.com/security/CVE-2023-38497
- https://www.openwall.com/lists/oss-security/2023/08/03/2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229138
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229139
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229140
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229141
- https://access.redhat.com/errata/RHSA-2024:3428
- https://access.redhat.com/errata/RHSA-2024:3418
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2023-38497.
What is the severity of CVE-2023-38497?
CVE-2023-38497 has a severity value of 7.9 (high).
What is the affected software for CVE-2023-38497?
The affected software for CVE-2023-38497 includes rust-cargo versions 0.57.0-1ubuntu0.1~ to 0.72.2, cargo versions 0.47.0-1~ to 0.67.1+ and 0.72.2, and Rust-lang Cargo versions up to 0.72.2.
How can I fix CVE-2023-38497?
To fix CVE-2023-38497, update the affected software to a version that includes the fix. Refer to the official sources, such as the Rust-lang website.
Where can I find more information about CVE-2023-38497?
You can find more information about CVE-2023-38497 on the official GitHub page for the Rust-lang Cargo project, Wikipedia page about umask, and the Rust-lang website's security policies.
- collector/oss-sec
- alias/CVE-2023-38497
- collector/nvd-latest
- collector/nvd-api
- collector/redhat-cve
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-j3xp-wfr4-hx87
- collector/github-advisory
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/severity
- agent/remedy
- agent/weakness
- agent/title
- agent/author
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/event
- agent/description
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- agent/references
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/rust-lang
- canonical/rust-lang cargo
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/38
- package-manager/redhat
- package-manager/rust
- package-manager/ubuntu
- package-manager/debian