Rust Security Advisory: Cargo Vulnerability (CVE-2023-38497)
The article summarises a security advisory for Cargo, the package manager of the Rust programming language. The flaw, assigned CVE-2023-38497, is that Cargo did not respect the process umask when extracting crate archives on UNIX-like systems. The umask is the per-process mask that clears permission bits (typically group and world write) from every file a program creates; Cargo instead applied the mode bits stored in the crate archive verbatim, so a crate whose archived files were marked writable by other users was extracted as writable by any local user. Another local user on the same machine could then edit the extracted sources under the victim's Cargo registry cache and thereby change the code that the victim's next build compiles and runs. Exploitation therefore requires both a multi-user host and a downloaded crate whose archive carries group- or world-writable mode bits; single-user machines are not exposed.

All Rust versions before 1.71.1 on UNIX-like systems are affected. The advisory recommends updating to Rust 1.71.1, and provides patches for users who build the 1.71.0 source tarballs. One practical caveat for administrators of shared systems: the fix governs future extractions only, so crates already unpacked into ~/.cargo/registry/src with overly permissive modes keep those modes until the cache is cleared or the permissions are corrected by hand. Developers who build Rust projects on shared hosts should verify their toolchain version and audit that directory as part of remediation.
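The following is an added example, written for this page rather than taken from the advisory or from Cargo's own source. It models the defect and the fix on a single archive entry: the vulnerable path applies the archived mode bits verbatim with `set_permissions` (which bypasses the umask, as the kernel only applies the umask at file creation), while the fixed path masks them first. It also includes a small audit that walks a directory and reports world-writable files, the check a practitioner would run over an existing registry cache. The function names, the `probe_umask` trick (creating a 0o777 probe file and reading back what the kernel actually granted, to avoid a libc binding), and the sample contents are all assumptions of this example; it runs on Linux or any other UNIX-like system with only the standard library.

```rust
use std::fs::{self, OpenOptions};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Apply the umask to mode bits taken from an archive header, exactly as the
/// kernel would at file creation: every bit set in the umask is cleared.
pub fn apply_umask(archive_mode: u32, umask: u32) -> u32 {
    archive_mode & 0o7777 & !umask
}

/// Vulnerable extraction (the pre-1.71.1 behaviour in spirit, not Cargo's code):
/// write the file, then chmod it to the mode stored in the archive. chmod is not
/// subject to the umask, so a 0o666 entry becomes a world-writable source file.
pub fn extract_trusting_archive_mode(dest: &Path, contents: &[u8], archive_mode: u32) -> std::io::Result<u32> {
    fs::write(dest, contents)?;
    fs::set_permissions(dest, fs::Permissions::from_mode(archive_mode & 0o7777))?;
    Ok(fs::metadata(dest)?.permissions().mode() & 0o7777)
}

/// Fixed extraction: the archive mode is masked with the umask before being applied,
/// so the archive can grant no permission the user's environment forbids.
pub fn extract_respecting_umask(dest: &Path, contents: &[u8], archive_mode: u32, umask: u32) -> std::io::Result<u32> {
    fs::write(dest, contents)?;
    let mode = apply_umask(archive_mode, umask);
    fs::set_permissions(dest, fs::Permissions::from_mode(mode))?;
    Ok(fs::metadata(dest)?.permissions().mode() & 0o7777)
}

/// Discover the current umask without a libc binding (assumption of this example):
/// ask for 0o777 on a fresh file and see which bits the kernel actually granted.
pub fn probe_umask(scratch_dir: &Path) -> std::io::Result<u32> {
    let probe = scratch_dir.join(".umask-probe");
    let _ = fs::remove_file(&probe);
    let file = OpenOptions::new().write(true).create_new(true).mode(0o777).open(&probe)?;
    let granted = file.metadata()?.permissions().mode() & 0o777;
    drop(file);
    fs::remove_file(&probe)?;
    Ok(0o777 & !granted)
}

/// Audit helper for an already-populated cache such as ~/.cargo/registry/src:
/// recursively list regular files that any local user may write to.
pub fn find_world_writable(root: &Path) -> std::io::Result<Vec<PathBuf>> {
    let mut found = Vec::new();
    for entry in fs::read_dir(root)? {
        let entry = entry?;
        let meta = entry.metadata()?;
        if meta.is_dir() {
            found.extend(find_world_writable(&entry.path())?);
        } else if meta.is_file() && meta.permissions().mode() & 0o002 != 0 {
            found.push(entry.path());
        }
    }
    Ok(found)
}

fn main() -> std::io::Result<()> {
    // Constructed scratch directory standing in for a registry source cache.
    let dir = std::env::temp_dir().join(format!("cargo-umask-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let umask = probe_umask(&dir)?;
    let src = b"pub fn add(a: u32, b: u32) -> u32 { a + b }\n";
    // A crate archive entry stored with mode 0o666 (world-writable).
    let bad = extract_trusting_archive_mode(&dir.join("lib_vulnerable.rs"), src, 0o666)?;
    let good = extract_respecting_umask(&dir.join("lib_fixed.rs"), src, 0o666, umask)?;
    println!("umask={:04o} vulnerable={:04o} fixed={:04o}", umask, bad, good);
    for path in find_world_writable(&dir)? {
        println!("world-writable: {}", path.display());
    }
    fs::remove_dir_all(&dir)
}
```

Under the conventional umask of 0o022 the vulnerable path leaves the file at 0o666 and the fixed path at 0o644; the audit lists only the former. Pointing `find_world_writable` at `~/.cargo/registry/src` is a reasonable post-upgrade check on a shared host, since the toolchain update does not touch files extracted earlier.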