RHSA-2023:4651: Red Hat Security Advisory: rust-toolset-1.66-rust security update
An update for rust-toolset-1.66-rust is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-38497: A flaw was found in the rust-cargo package. Cargo, as bundled with the Rust compiler, did not respect the umask when extracting dependency tarballs and caching the extraction for future builds. If a dependency contained files with 0777 permissions, another local user could edit the cache of the extracted source code, potentially executing arbitrary code with the privileges of the user running Cargo during the next build.
Issued: 2023-08-15
Updated: 2023-08-15
RHSA-2023:4651 - Security Advisory
Synopsis: Important: rust-toolset-1.66-rust security update
Type/Severity: Security Advisory: Important
Description
Rust Toolset provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, and required libraries.
Security Fix(es):
- rust-cargo: cargo does not respect the umask when extracting dependencies (CVE-2023-38497)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Developer Tools (for RHEL Workstation) 1 x86_64
- Red Hat Developer Tools (for RHEL Server) 1 x86_64
- Red Hat Developer Tools (for RHEL Server for System Z) 1 s390x
- Red Hat Developer Tools (for RHEL Server for IBM Power LE) 1 ppc64le
- Red Hat Developer Tools (for RHEL Server for IBM Power) 1 ppc64
Fixes
- BZ - 2228038 - CVE-2023-38497 rust-cargo: cargo does not respect the umask when extracting dependencies
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Red Hat Security Advisory 2024-3428-03 - An update for the rust-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.
Red Hat Security Advisory 2024-3418-03 - An update for rust is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.
Red Hat Security Advisory 2023-4651-01 - Rust Toolset provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, and required libraries.
Red Hat Security Advisory 2023-4635-01 - Rust Toolset provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, and required libraries.
Red Hat Security Advisory 2023-4634-01 - Rust Toolset provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, and required libraries.
Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.
Ubuntu Security Notice 6275-1 - Addison Crump discovered that Cargo incorrectly set file permissions on UNIX-like systems when extracting crate archives. If the crate would contain files writable by any user, a local attacker could possibly use this issue to execute code as another user.
The Rust Security Response WG was notified that Cargo did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. This vulnerability has been assigned CVE-2023-38497.
Overview
In UNIX-like systems, each file has three sets of permissions: for the user owning the file, for the group owning the file, and for all other local users. The "umask" is configured on most systems to limit those permissions during file creation, removing dangerous ones. For example, the default umask on macOS and most Linux distributions only allow the user owning a file to write to it, preventing the group owning it or other local users from doing the same. When a dependency is downloaded by Cargo, its source code has to be extracted on disk to allow the Rust compiler to read as part of the build. To ...
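Added example (not Cargo's or Red Hat's own code) for the CVE description and the umask overview above: the fix amounts to masking each extracted entry's mode with the process umask, and an administrator can check an existing cache for what an unfixed Cargo left behind. The block shows that mask computation and a scanner that lists entries writable by the group or other users; the cache location ~/.cargo/registry/src is an assumption about the default layout.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};

/// Apply the process umask to a mode from a tarball entry, as a correct
/// extractor does: with umask 0o022, 0o777 becomes 0o755.
pub fn apply_umask(tar_mode: u32, umask: u32) -> u32 {
    (tar_mode & 0o777) & !umask
}

/// True when the permission bits allow writes by the group or by everyone.
pub fn writable_by_others(mode: u32) -> bool {
    mode & 0o022 != 0
}

/// Recursively list entries under `root` that the group or other users can
/// write, i.e. what an unfixed Cargo could leave in the cache. Symlinks are skipped.
pub fn find_writable_by_others(root: &Path) -> io::Result<Vec<PathBuf>> {
    let mut hits = Vec::new();
    let mut stack = vec![root.to_path_buf()];
    while let Some(dir) = stack.pop() {
        for entry in fs::read_dir(&dir)? {
            let path = entry?.path();
            let meta = fs::symlink_metadata(&path)?;
            if meta.file_type().is_symlink() {
                continue;
            }
            if writable_by_others(meta.permissions().mode() & 0o777) {
                hits.push(path.clone());
            }
            if meta.is_dir() {
                stack.push(path);
            }
        }
    }
    hits.sort();
    Ok(hits)
}

/// Scan the current user's registry source cache (default path assumed).
fn main() {
    let home = std::env::var("HOME").unwrap_or_else(|_| ".".to_string());
    let cache = Path::new(&home).join(".cargo/registry/src");
    match find_writable_by_others(&cache) {
        Ok(hits) => hits.iter().for_each(|p| println!("writable by other users: {}", p.display())),
        Err(e) => println!("cannot scan {}: {}", cache.display(), e),
    }
}
```

A non-empty result means the cache should be cleared and rebuilt with a fixed Cargo, which is what the Cargo 0.72.2 purge described above does automatically.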