Full details here from the Rust Security Response WG: https://blog.rust-lang.org/2023/08/03/cve-2023-38497.html
Affected Versions of Rust:
All Rust versions before 1.71.1 on UNIX-like systems (like macOS and Linux) are affected.
Mitigations:
We recommend that all users update to Rust 1.71.1, which will be released later today, as it fixes the vulnerability by respecting the umask when extracting crate archives. If you build your own toolchain, patches for 1.71.0 source tarballs are available here.

To prevent existing cached extractions from being exploitable, the Cargo binary included in Rust 1.71.1 or later will purge the caches it tries to access if they were generated by older Cargo versions.

If you cannot update to Rust 1.71.1, we recommend configuring your system to prevent other local users from accessing the Cargo directory, usually located in ~/.cargo:

chmod go= ~/.cargo
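The advisory above says the fix is "respecting the umask when extracting crate archives" and offers `chmod go= ~/.cargo` as the fallback. The following is an added example, not Cargo's code and not part of the advisory, showing what that means in practice: the old behaviour (an archive entry's mode bits applied verbatim), the fixed behaviour (the same bits masked by the process umask), a scanner that reports entries under a cache directory that another local user could write to, and a per-entry equivalent of `chmod go=`. Function names (`masked_mode`, `group_or_other_writable`, `strip_group_other`) are illustrative; reading the umask from `/proc/self/status` is Linux-specific and the `0o077` fallback is an assumption for other Unix systems. The directory it populates is constructed inside the system temp directory.

```rust
// Added example (not Cargo's own code): archive mode vs umask-masked mode,
// plus a scanner for cache entries writable by group or others. Unix only.
use std::fs;
use std::io;
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};

/// Mode Cargo < 1.71.1 effectively applied: the archive's bits, unmasked.
pub fn unmasked_mode(archive_mode: u32) -> u32 {
    archive_mode & 0o7777
}

/// Mode after honouring the umask, as a fixed extractor does:
/// every permission bit the umask clears is dropped.
pub fn masked_mode(archive_mode: u32, umask: u32) -> u32 {
    (archive_mode & 0o7777) & !(umask & 0o777)
}

/// Read the process umask from /proc/self/status ("Umask:\t0022", Linux 4.7+).
/// Assumption: where that field is unavailable, fall back to a strict 0o077.
pub fn process_umask() -> u32 {
    fs::read_to_string("/proc/self/status")
        .ok()
        .and_then(|s| {
            s.lines()
                .find_map(|l| l.strip_prefix("Umask:"))
                .and_then(|v| u32::from_str_radix(v.trim(), 8).ok())
        })
        .unwrap_or(0o077)
}

/// Walk `root` and return every entry whose group or other write bit is set,
/// i.e. what another local user could modify. Symlinks are not followed.
pub fn group_or_other_writable(root: &Path) -> io::Result<Vec<PathBuf>> {
    let mut found = Vec::new();
    let mut stack = vec![root.to_path_buf()];
    while let Some(dir) = stack.pop() {
        for entry in fs::read_dir(&dir)? {
            let entry = entry?;
            let meta = entry.metadata()?; // lstat: does not follow symlinks on Unix
            let path = entry.path();
            if meta.permissions().mode() & 0o022 != 0 {
                found.push(path.clone());
            }
            if meta.is_dir() {
                stack.push(path);
            }
        }
    }
    found.sort();
    Ok(found)
}

/// Per-entry equivalent of `chmod go= <path>`: keep owner and special bits only.
pub fn strip_group_other(path: &Path) -> io::Result<()> {
    let mode = fs::metadata(path)?.permissions().mode() & 0o7700;
    fs::set_permissions(path, fs::Permissions::from_mode(mode))
}

fn main() -> io::Result<()> {
    // Constructed scenario: a fake extraction directory holding one source file
    // whose archive entry carried mode 0o666, written the way old Cargo did.
    let dir = std::env::temp_dir().join(format!("cargo-umask-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let src = dir.join("lib.rs");
    fs::write(&src, "pub fn hello() {}\n")?;
    fs::set_permissions(&src, fs::Permissions::from_mode(unmasked_mode(0o666)))?;
    println!("writable by others before fix: {:?}", group_or_other_writable(&dir)?);

    // Fixed behaviour: re-apply the archive mode through the process umask.
    let fixed = masked_mode(0o666, process_umask());
    fs::set_permissions(&src, fs::Permissions::from_mode(fixed))?;
    println!("writable by others after fix (mode {:o}): {:?}", fixed, group_or_other_writable(&dir)?);
    fs::remove_dir_all(&dir)
}
```

Running `group_or_other_writable` over `~/.cargo/registry` is a quick way to confirm that a cache produced by an older Cargo has been purged or re-extracted; any path it reports is one the advisory's `chmod go= ~/.cargo` workaround is meant to shield.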
I can work on getting dev-lang/rust upgraded as part of patching this CVE. The dev-lang/rust-bin autogen should take care of that package.
- git code review opened
FL-11500 [dev-kit] dev-util/just-1.14.0 fails to compile with dev-lang/rust-1.71.1
- Closed