Arbitrary code execution during cargo build
#13897
Labels
A-security
Area: security
C-bug
Category: bug
S-triage
Status: This issue is waiting on initial triage.
Problem
When cargo builds a package, it adds the dependency directory to the front of the PATH environment variable.
As a result, an executable placed in that directory by a malicious package is resolved and executed before toolchain executables such as rustc or cc.
This means that a malicious package may lead to arbitrary code execution.
This appears to be a similar issue to CVE-2024-24787 (https://pkg.go.dev/vuln/GO-2024-2825), which was recently discovered in Go.
However, this bug affects all operating systems, not just Darwin.
Additionally, while CVE-2024-24787 involves modifying path resolution by directly changing linker flags, Cargo does not require that.
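A PATH-audit check for the shadowing described above, as an added example that is not cargo's own code: it simulates how an unqualified toolchain name resolves through PATH and flags any name whose first match lies outside a trusted toolchain directory. The PATH value, the trusted-directory list and the file layout are constructed assumptions, not real paths.

```rust
// Added example (not cargo's code): audit a PATH value for directories that
// would shadow toolchain executables. Standard library only.
use std::collections::BTreeMap;
use std::path::{Path, PathBuf};

/// Executables a build invokes by bare name, and therefore via PATH lookup.
const TOOLCHAIN_BINARIES: &[&str] = &["rustc", "cc", "ld", "ar"];

/// Return the first PATH entry containing `name`, mirroring how a shell or
/// `Command::new(name)` resolves an unqualified command. The `exists`
/// predicate is injected so the logic runs against a constructed filesystem.
fn resolve_in_path<'a>(name: &str, entries: &'a [PathBuf], exists: &dyn Fn(&Path) -> bool) -> Option<&'a Path> {
    entries.iter().map(|d| d.as_path()).find(|d| exists(d.join(name).as_path()))
}

/// Map each toolchain binary to the untrusted directory it would resolve to,
/// if that directory is not under one of the `trusted` toolchain locations.
fn shadowed_binaries(path_var: &str, trusted: &[&str], exists: &dyn Fn(&Path) -> bool) -> BTreeMap<String, PathBuf> {
    let entries: Vec<PathBuf> = std::env::split_paths(path_var).collect();
    let mut out = BTreeMap::new();
    for name in TOOLCHAIN_BINARIES {
        if let Some(dir) = resolve_in_path(name, &entries, exists) {
            if !trusted.iter().any(|t| dir.starts_with(t)) {
                out.insert(name.to_string(), dir.to_path_buf());
            }
        }
    }
    out
}

/// Constructed sample: a PATH with a build directory prepended ahead of the
/// toolchain, plus the files present on an imaginary filesystem. Not real paths.
fn sample_environment() -> (String, Vec<&'static str>, Vec<&'static str>) {
    let path_var = "/proj/target/debug/deps:/home/u/.cargo/bin:/usr/bin".to_string();
    let trusted = vec!["/home/u/.cargo/bin", "/usr/bin"];
    let files = vec![
        "/proj/target/debug/deps/cc", // a file named like the C compiler in the prepended dir
        "/home/u/.cargo/bin/rustc",   // rustup proxy: trusted
        "/usr/bin/cc",                // system compiler, now shadowed
        "/usr/bin/ld",
    ];
    (path_var, trusted, files)
}

fn main() {
    let (path_var, trusted, files) = sample_environment();
    let exists = |p: &Path| files.iter().any(|f| Path::new(f) == p);
    for (name, dir) in shadowed_binaries(&path_var, &trusted, &exists) {
        println!("{name} would resolve to untrusted directory {}", dir.display());
    }
}
```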
Steps
Running cargo build executes arbitrary code.
Proof-of-concept video (poc.mp4): https://drive.google.com/file/d/1wnK9YxAeI6HwLXSVp5k7eN-EvtD9hMa8/view?usp=sharing
Possible Solution(s)
Notes
I reported this bug to the Rust Security Response WG, but it was not treated as a security vulnerability.
Version