Bug 1203433 – VUL-0: CVE-2022-36113: rust1.61,rust1.62,rust1.60,rust: cargo is vulnerable to symlink attacks

Bug 1203433 - (CVE-2022-36113) VUL-0: CVE-2022-36113: rust1.61,rust1.62,rust1.60,rust: cargo is vulnerable to symlink attacks

(CVE-2022-36113)
Summary:	VUL-0: CVE-2022-36113: rust1.61,rust1.62,rust1.60,rust: cargo is vulnerable t...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/342431/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-36113:5.4:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-09-15 07:29 UTC by Gabriele Sonnu
Modified:	2022-11-04 09:43 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gabriele Sonnu 2022-09-15 07:29:25 UTC

CVE-2022-36113

Cargo is a package manager for the rust programming language. After a package is
downloaded, Cargo extracts its source code in the ~/.cargo folder on disk,
making it available to the Rust projects it builds. To record when an extraction
is successful, Cargo writes "ok" to the .cargo-ok file at the root of the
extracted source code once it extracted all the files. It was discovered that
Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo would
extract. Then, when Cargo attempted to write "ok" into .cargo-ok, it would
actually replace the first two bytes of the file the symlink pointed to with ok.
This would allow an attacker to corrupt one file on the machine using Cargo to
extract the package. Note that by design Cargo allows code execution at build
time, due to build scripts and procedural macros. The vulnerabilities in this
advisory allow performing a subset of the possible damage in a harder to track
down way. Your dependencies must still be trusted if you want to be protected
from attacks, as it's possible to perform the same attacks with build scripts
and procedural macros. The vulnerability is present in all versions of Cargo.
Rust 1.64, to be released on September 22nd, will include a fix for it. Since
the vulnerability is just a more limited way to accomplish what a malicious
build scripts or procedural macros can do, we decided not to publish Rust point
releases backporting the security fix. Patch files are available for Rust 1.63.0
are available in the wg-security-response repository for people building their
own toolchain. Mitigations We recommend users of alternate registries to
exercise care in which package they download, by only including trusted
dependencies in their projects. Please note that even with these vulnerabilities
fixed, by design Cargo allows arbitrary code execution at build time thanks to
build scripts and procedural macros: a malicious dependency will be able to
cause damage regardless of these vulnerabilities. crates.io implemented
server-side checks to reject these kinds of packages years ago, and there are no
packages on crates.io exploiting these vulnerabilities. crates.io users still
need to exercise care in choosing their dependencies though, as remote code
execution is allowed by design there as well.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36113
https://www.cve.org/CVERecord?id=CVE-2022-36113
https://github.com/rust-lang/cargo/commit/97b80919e404b0768ea31ae329c3b4da54bed05a
https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j

Comment 1 Gabriele Sonnu 2022-09-15 07:50:07 UTC

Tracking these codestream as affected:

- SUSE:SLE-15:Update/rust
- SUSE:SLE-15-SP1:Update/rust
- SUSE:SLE-15-SP3:Update/rust
- SUSE:SLE-15-SP3:Update/rust1.60
- SUSE:SLE-15-SP3:Update/rust1.61
- SUSE:SLE-15-SP3:Update/rust1.62

Comment 2 William Brown 2022-09-16 05:41:13 UTC

I will apply these patches but both advisories make it clear that:

* These are extremely low risk, and likely not even worth patching in reality. The rust project does not consider it worth backporting of their own accord.
* That Cargo *already* allows arbitrary remote code execution due to build.rs files so the ability to exploit this is inconsequential next to RCE, therefore you should consider only using trusted registries and sources.

I think that in the future we should more carefully consider the risks and effort when making these patching decisions, measured against impact.

Comment 4 Swamp Workflow Management 2022-09-28 13:20:06 UTC

SUSE-SU-2022:3451-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1203431,1203433
CVE References: CVE-2022-36113,CVE-2022-36114
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    rust1.62-1.62.1-150300.7.7.1
openSUSE Leap 15.3 (src):    rust1.62-1.62.1-150300.7.7.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    rust1.62-1.62.1-150300.7.7.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    rust1.62-1.62.1-150300.7.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 5 Carlos López 2022-11-04 09:43:26 UTC

Done, closing.