USN-6275-1: Cargo vulnerability
Published Aug 3, 2023
Addison Crump discovered that Cargo incorrectly set file permissions on UNIX-like systems when extracting crate archives. If an extracted crate contains files writable by any user, a local attacker could possibly use this issue to execute code as another user.
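The issue above is about mode bits left on extracted crate files, so the practical check on an affected host is to look for world-writable regular files under the extracted-source directory. The following scanner is an added example, not part of this advisory or of Cargo; it assumes the default layout of ~/.cargo/registry/src and a UNIX-like system, and demo() builds a constructed crate tree in a temporary directory rather than touching the real registry.

```python
"""Find world-writable files left behind by a vulnerable Cargo extraction.

Added example, not part of USN-6275-1. Assumes extracted crate sources live
under ~/.cargo/registry/src (default layout) on a UNIX-like system where
POSIX mode bits are meaningful.
"""
import os
import stat
import tempfile
from pathlib import Path

DEFAULT_ROOT = Path.home() / ".cargo" / "registry" / "src"  # assumption: default cargo home


def find_world_writable(root, fix=False):
    """Return sorted relative paths of world-writable regular files under root.

    With fix=True the world-write bit (S_IWOTH) is cleared in place, a stopgap
    until the affected cargo package is updated to a fixed version.
    """
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            st = path.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            if st.st_mode & stat.S_IWOTH:
                hits.append(str(path.relative_to(root)))
                if fix:
                    path.chmod(stat.S_IMODE(st.st_mode) & ~stat.S_IWOTH)
    return sorted(hits)


def demo():
    """Scan a constructed crate tree before and after remediation."""
    with tempfile.TemporaryDirectory() as tmp:
        crate = Path(tmp) / "example-0.1.0"  # constructed crate name
        (crate / "src").mkdir(parents=True)
        good = crate / "Cargo.toml"
        bad = crate / "src" / "lib.rs"
        good.write_text('[package]\nname = "example"\n')
        bad.write_text("pub fn f() {}\n")
        good.chmod(0o644)  # correct permissions
        bad.chmod(0o666)   # what the vulnerable extraction could leave behind
        before = find_world_writable(tmp, fix=True)
        after = find_world_writable(tmp)
        return before, after


if __name__ == "__main__":
    print(demo())
    print(find_world_writable(DEFAULT_ROOT) if DEFAULT_ROOT.is_dir() else [])
```

Run it without arguments to see the constructed demo followed by a read-only scan of the real registry directory, if one exists.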
Affected Software
12 affected components. Fixes available.

Affected versions are those earlier than the fixed version listed for each package.

ubuntu/cargo (Ubuntu 22.04): fixed in 0.67.1+ds0ubuntu0.libgit2-0ubuntu0.22.04.2+esm1
ubuntu/librust-cargo+openssl-dev (Ubuntu 22.04): fixed in 0.57.0-1ubuntu0.1~esm1
ubuntu/librust-cargo-dev (Ubuntu 22.04): fixed in 0.57.0-1ubuntu0.1~esm1
ubuntu/cargo (Ubuntu 20.04): fixed in 0.67.1+ds0ubuntu0.libgit2-0ubuntu0.20.04.2+esm1
ubuntu/cargo (Ubuntu 18.04): fixed in 0.66.0+ds0ubuntu0.libgit2-0ubuntu0.18.04.1~esm1
ubuntu/cargo (Ubuntu 16.04): fixed in 0.47.0-1~exp1ubuntu1~16.04.1+esm1
Event History
Aug 3, 2023, 12:00 AM: Advisory published via Ubuntu.
Frequently Asked Questions
1. What is the vulnerability ID of this advisory?
The vulnerability ID of this advisory is USN-6275-1.

2. What is the title of this advisory?
The title of this advisory is USN-6275-1: Cargo vulnerability.

3. Who discovered this vulnerability?
The vulnerability was discovered by Addison Crump.

4. What is the severity level of this vulnerability?
The severity level of this vulnerability has not been provided.

5. How can I fix this vulnerability?
You can fix this vulnerability by updating the affected software to the recommended versions mentioned in the advisory.