Fix CVE-2023-38497 for master #12443
Merged
Commits on Aug 3, 2023
-
test: verify permissions bits are preserved when unpacking
This is not secure and will be fixed in the next commit.
-
fix: respect
umaskwhen unpacking.cratefilesWithout this, an attacker can leverage globally writable files buried in the `.crate` file. After a user downloaded and unpacked the file, the attacker can then write malicous code to the downloaded sources.
-
fix: clear cache for old
.cargo-okformatIn 1.71, `.cargo-ok` changed to contain a JSON `{ v: 1 }` to indicate the version of it. A failure of parsing will result in a heavy-hammer approach that unpacks the `.crate` file again. This is in response to a security issue that the unpacking didn't respect umask on Unix systems.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.