Bug 1203431 - (CVE-2022-36114) VUL-0: CVE-2022-36114: rust1.60,rust1.61,rust1.62,rust: cargo is vulnerable to zip bomb attacks
(CVE-2022-36114)
VUL-0: CVE-2022-36114: rust1.60,rust1.61,rust1.62,rust: cargo is vulnerable t...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/342430/
CVSSv3.1:SUSE:CVE-2022-36114:4.8:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-09-15 07:23 UTC by Gabriele Sonnu
Modified: 2022-09-28 13:20 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Gabriele Sonnu 2022-09-15 07:23:29 UTC
CVE-2022-36114

Cargo is a package manager for the rust programming language. It was discovered
that Cargo did not limit the amount of data extracted from compressed archives.
An attacker could upload to an alternate registry a specially crafted package
that extracts way more data than its size (also known as a "zip bomb"),
exhausting the disk space on the machine using Cargo to download the package.
Note that by design Cargo allows code execution at build time, due to build
scripts and procedural macros. The vulnerabilities in this advisory allow
performing a subset of the possible damage in a harder to track down way. Your
dependencies must still be trusted if you want to be protected from attacks, as
it's possible to perform the same attacks with build scripts and procedural
macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be
released on September 22nd, will include a fix for it. Since the vulnerability
is just a more limited way to accomplish what a malicious build scripts or
procedural macros can do, we decided not to publish Rust point releases
backporting the security fix. Patch files are available for Rust 1.63.0 are
available in the wg-security-response repository for people building their own
toolchain. We recommend users of alternate registries to excercise care in which
package they download, by only including trusted dependencies in their projects.
Please note that even with these vulnerabilities fixed, by design Cargo allows
arbitrary code execution at build time thanks to build scripts and procedural
macros: a malicious dependency will be able to cause damage regardless of these
vulnerabilities. crates.io implemented server-side checks to reject these kinds
of packages years ago, and there are no packages on crates.io exploiting these
vulnerabilities. crates.io users still need to excercise care in choosing their
dependencies though, as the same concerns about build scripts and procedural
macros apply here.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36114
https://www.cve.org/CVERecord?id=CVE-2022-36114
https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp
https://github.com/rust-lang/cargo/commit/d1f9553c825f6d7481453be8d58d0e7f117988a7
Comment 1 Gabriele Sonnu 2022-09-15 07:49:55 UTC
Tracking these codestream as affected:

- SUSE:SLE-15:Update/rust
- SUSE:SLE-15-SP1:Update/rust
- SUSE:SLE-15-SP3:Update/rust
- SUSE:SLE-15-SP3:Update/rust1.60
- SUSE:SLE-15-SP3:Update/rust1.61
- SUSE:SLE-15-SP3:Update/rust1.62
Comment 2 William Brown 2022-09-16 05:41:12 UTC
I will apply these patches but both advisories make it clear that:

* These are extremely low risk, and likely not even worth patching in reality. The rust project does not consider it worth backporting of their own accord.
* That Cargo *already* allows arbitrary remote code execution due to build.rs files so the ability to exploit this is inconsequential next to RCE, therefore you should consider only using trusted registries and sources.

I think that in the future we should more carefully consider the risks and effort when making these patching decisions, measured against impact.
Comment 4 Swamp Workflow Management 2022-09-28 13:20:02 UTC
SUSE-SU-2022:3451-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1203431,1203433
CVE References: CVE-2022-36113,CVE-2022-36114
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    rust1.62-1.62.1-150300.7.7.1
openSUSE Leap 15.3 (src):    rust1.62-1.62.1-150300.7.7.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    rust1.62-1.62.1-150300.7.7.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    rust1.62-1.62.1-150300.7.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.