Bug 1214689 (CVE-2023-40030)

Summary: VUL-0: CVE-2023-40030: rust1.70,rust1.71: XSS via unescaped feature name in `cargo build --timings`
Product: [Novell Products] SUSE Security Incidents
Reporter: Carlos López <carlos.lopez>
Component: Incidents
Assignee: William Brown <william.brown>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: rfrohl, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/376308/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-40030:6.1:(AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Carlos López 2023-08-28 11:36:06 UTC
CVE-2023-40030

Cargo downloads a Rust project’s dependencies and compiles the project. Starting
in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when
including them in the report generated by `cargo build --timings`. A malicious
package included as a dependency may inject nearly arbitrary HTML here,
potentially leading to cross-site scripting if the report is subsequently
uploaded somewhere. The vulnerability affects users relying on dependencies from
git, local paths, or alternative registries. Users who solely depend on
crates.io are unaffected.

Rust 1.60.0 introduced `cargo build --timings`, which produces a report of how
long the different steps of the build process took. It includes lists of Cargo
features for each crate. Prior to Rust 1.72, Cargo feature names were allowed to
contain almost any characters (with some exceptions as used by the feature
syntax), but it would produce a future incompatibility warning about them since
Rust 1.49. crates.io is far more stringent about what it considers a valid
feature name and has not allowed such feature names. As the feature names were
included unescaped in the timings report, they could be used to inject
Javascript into the page, for example with a feature name like `features =
["<img src='' onerror=alert(0)"]`. If this report were subsequently uploaded to
a domain that uses credentials, the injected Javascript could access resources
from the website visitor.

This issue was fixed in Rust 1.72 by turning the future incompatibility warning
into an error. Users should still exercise care in which package they download,
by only including trusted dependencies in their projects. Please note that even
with these vulnerabilities fixed, by design Cargo allows arbitrary code
execution at build time thanks to build scripts and procedural macros: a
malicious dependency will be able to cause damage regardless of these
vulnerabilities. crates.io has server-side checks preventing this attack, and
there are no packages on crates.io exploiting these vulnerabilities. crates.io
users still need to exercise care in choosing their dependencies though, as
remote code execution is allowed by design there as well.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40030
https://www.cve.org/CVERecord?id=CVE-2023-40030
https://github.com/rust-lang/cargo/commit/9835622853f08be9a4b58ebe29dcec8f43b64b33
https://github.com/rust-lang/cargo/commit/f975722a0eac934c0722f111f107c4ea2f5c4365
https://github.com/rust-lang/cargo/pull/12291
https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p
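The two defenses the description above refers to, as an added example that is not Cargo's own code: `feature_name_is_valid` approximates the feature-name rule Cargo turned from a warning into an error in 1.72 (assumption: Cargo's exact character set may differ slightly), and `render_features` is a hypothetical report renderer that applies that check and HTML-escapes names, shown beside the unescaped concatenation that made the injection possible.

```rust
// Added example (not Cargo's code). The validity rule below is an
// approximation of the one Cargo enforces since 1.72; the escaper is a
// minimal one for text placed inside an HTML element.

fn feature_name_is_valid(name: &str) -> bool {
    let mut chars = name.chars();
    match chars.next() {
        // First character: a letter, digit or underscore.
        Some(c) if c.is_alphanumeric() || c == '_' => {}
        _ => return false,
    }
    // Remaining characters: letters, digits, `_`, `-`, `+` or `.`.
    chars.all(|c| c.is_alphanumeric() || matches!(c, '_' | '-' | '+' | '.'))
}

fn html_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable pattern (pre-1.72 behaviour): names are concatenated into
/// the HTML report verbatim, so markup inside a name becomes live markup.
fn render_features_unescaped(features: &[&str]) -> String {
    features.iter().map(|f| format!("<li>{}</li>", f)).collect()
}

/// Hardened pattern: refuse invalid names up front (the 1.72 fix) and
/// escape what remains before it reaches the HTML (defense in depth).
fn render_features(features: &[&str]) -> Result<String, String> {
    let mut out = String::new();
    for f in features {
        if !feature_name_is_valid(f) {
            return Err(format!("invalid feature name: {:?}", f));
        }
        out.push_str(&format!("<li>{}</li>", html_escape(f)));
    }
    Ok(out)
}
```

Feeding the feature name quoted in the description to `render_features_unescaped` yields a live `<img>` element inside the report, while `render_features` rejects it before any HTML is produced.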
Comment 1 William Brown 2023-08-28 22:53:43 UTC
I think we don't action this. As the advisory states:

"""
Please note that even
with these vulnerabilities fixed, by design Cargo allows arbitrary code
execution at build time thanks to build scripts and procedural macros: a
malicious dependency will be able to cause damage regardless of these
vulnerabilities.
"""

I think if someone *is* worried about this CVE, then we direct them to use 1.72. 

I am about to submit 1.72 anyway, so I can mark it as "resolving" this.
Comment 3 Maintenance Automation 2023-09-21 12:31:21 UTC
SUSE-SU-2023:3722-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214689
CVE References: CVE-2023-40030
Sources used:
openSUSE Leap 15.4 (src): rust-1.72.0-150400.24.24.1
openSUSE Leap 15.5 (src): rust-1.72.0-150400.24.24.1
Development Tools Module 15-SP4 (src): rust-1.72.0-150400.24.24.1
Development Tools Module 15-SP5 (src): rust-1.72.0-150400.24.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Robert Frohl 2024-05-29 12:14:17 UTC
done, closing