Vulnerabilities in Cargo package manager used for projects in Rust

Two vulnerabilities have been identified in Cargo, the package manager used to manage packages and build projects in Rust. They can be exploited when downloading specially crafted packages from third-party repositories (users of the official Crates.io repository are stated to be unaffected). The first vulnerability (CVE-2022-36113) allows overwriting the first two bytes of any file, as far as the current access rights permit. The second vulnerability (CVE-2022-36114) can be used to exhaust free disk space.

The vulnerabilities will be fixed in the Rust 1.64 release, scheduled for September 22. They are rated low severity, since comparable harm from using unverified packages from third-party repositories can already be caused by the normal ability to run package-supplied handlers from build scripts or procedural macros. The problems described here differ in that they are triggered at the stage of unpacking the package after download, without building it.

Specifically, after downloading a package Cargo unpacks its contents into the ~/.cargo directory and records successful unpacking in a .cargo-ok file. The essence of the first vulnerability is that the package author can place inside the package a symbolic link named .cargo-ok, which causes the text "OK" to be written to the file the link points to.

The second vulnerability stems from the absence of a limit on the size of data extracted from the archive, which can be used to build a "ZIP bomb" (data in the archive can be laid out to reach the maximum compression ratio for the format, about 28 million times; a specially prepared 10 MB zip file would then unpack into about 281 TB of data).
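The two defensive checks that close the classes of bug described in the previous two paragraphs, written here as an added illustration rather than Cargo's own code: the marker file is created with `create_new` (O_CREAT|O_EXCL) after a `symlink_metadata` check, so a planted `.cargo-ok` symlink is rejected instead of followed, and the decompressed stream is copied through a byte-budget so an archive that expands far beyond its on-disk size is refused before it fills the disk. The function names, the 8 KiB buffer, the "ok" marker text and the in-memory stand-in for a decompressor are assumptions of this example; it uses only the standard library and runs offline.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Read, Write};
use std::path::Path;

/// Name of the marker file written after a successful unpack
/// (the file named in the article; the rest of this code is illustrative).
pub const UNPACK_MARKER: &str = ".cargo-ok";

/// Write the "unpacked OK" marker inside `dest_dir` without following a
/// symlink planted by the package. `symlink_metadata` does not follow links,
/// so a planted link is detected explicitly; `create_new` then maps to
/// O_CREAT|O_EXCL, which fails if anything (a regular file or even a dangling
/// symlink) already exists at the path, so the write can never land elsewhere.
pub fn write_unpack_marker(dest_dir: &Path) -> io::Result<()> {
    let marker = dest_dir.join(UNPACK_MARKER);
    if let Ok(meta) = fs::symlink_metadata(&marker) {
        if meta.file_type().is_symlink() {
            return Err(io::Error::new(
                io::ErrorKind::InvalidData,
                "marker path is a symlink; refusing to write through it",
            ));
        }
    }
    let mut f = OpenOptions::new().write(true).create_new(true).open(&marker)?;
    f.write_all(b"ok")
}

/// Copy at most `limit` bytes from `src` (for example a decompressor) to `dst`.
/// Returns the number of bytes copied, or InvalidData as soon as the source
/// would exceed `limit`. The budget is applied to the *expanded* data, not the
/// archive size, which is what defeats a compression bomb.
pub fn copy_bounded<R: Read, W: Write>(mut src: R, mut dst: W, limit: u64) -> io::Result<u64> {
    let mut buf = [0u8; 8192];
    let mut total: u64 = 0;
    loop {
        let n = src.read(&mut buf)?;
        if n == 0 {
            return Ok(total);
        }
        total += n as u64;
        if total > limit {
            return Err(io::Error::new(
                io::ErrorKind::InvalidData,
                format!("decompressed data exceeds limit of {} bytes", limit),
            ));
        }
        dst.write_all(&buf[..n])?;
    }
}

/// Stand-in for a decompressor: a constructed stream of 2000 zero bytes,
/// copied into a Vec so the example needs no real archive on disk.
pub fn demo_bomb_rejected() -> bool {
    let stream = io::repeat(0u8).take(2000);
    let mut out = Vec::new();
    copy_bounded(stream, &mut out, 1000).is_err()
}

fn main() -> io::Result<()> {
    if demo_bomb_rejected() {
        println!("oversized expansion rejected before reaching the disk");
    }
    // Marker demo in a throwaway directory under the system temp dir.
    let dir = std::env::temp_dir().join(format!("cargo-ok-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    write_unpack_marker(&dir)?;
    println!("marker written at {}", dir.join(UNPACK_MARKER).display());
    fs::remove_dir_all(&dir)?;
    Ok(())
}
```

In a real extractor `copy_bounded` would wrap the gzip/tar reader for every entry and the limit would be a policy value (per-entry and per-package totals); `write_unpack_marker` is called only after every entry has been written, so a package that itself ships a `.cargo-ok` entry of any kind makes the marker write fail and the unpack is treated as unsuccessful.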
