The maintainers of the Rust programming language are planning to release a fix for a serious security vulnerability that could have allowed an attacker to fool a privileged program into deleting some directories and files that the attacker should not be able to access.
The flaw is in versions of Rust from 1.0.0 up to 1.58.0 and is the result of an incorrectly implemented check in a standard library function. The check is meant to ensure that the library does not follow symlinks, or symbolic links, which are references to other files or directories on a system, when it deletes a directory recursively. The Rust maintainers issued an advisory Friday that said although the check is present in the std::fs::remove_dir_all function, it does not work as intended.
“Unfortunately that check was implemented incorrectly in the standard library, resulting in a TOCTOU (Time-of-check Time-of-use) race condition. Instead of telling the system not to follow symlinks, the standard library first checked whether the thing it was about to delete was a symlink, and otherwise it would proceed to recursively delete the directory,” the advisory says.
“This exposed a race condition: an attacker could create a directory and replace it with a symlink between the check and the actual deletion. While this attack likely won't work the first time it's attempted, in our experimentation we were able to reliably perform it within a couple of seconds.”
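The check-then-use pattern the advisory describes, re-created in a scratch directory as an added example; it is not the standard library's source or code from the advisory. It assumes a Unix-like system, and `check_then_delete`, `demo`, `window` and the file names are hypothetical.

```rust
use std::{fs, io, path::Path};

/// Re-creation of the flawed pattern: lstat the path, then act on the same
/// path again. `window` stands in for whatever runs between the two steps.
fn check_then_delete(path: &Path, window: &mut dyn FnMut()) -> io::Result<()> {
    // Time of check: symlink_metadata() does not follow a final symlink.
    let kind = fs::symlink_metadata(path)?.file_type();
    if !kind.is_dir() {
        return fs::remove_file(path); // file or symlink: unlink the name only
    }
    window();
    // Time of use: read_dir() resolves the path again and follows symlinks.
    for entry in fs::read_dir(path)? {
        check_then_delete(&entry?.path(), &mut || {})?;
    }
    fs::remove_dir(path)
}

/// Constructed scenario in a scratch directory (all names hypothetical).
/// Returns true if a file outside the directory being deleted was lost.
fn demo(swap_in_window: bool) -> io::Result<bool> {
    let root = std::env::temp_dir().join(format!("toctou-demo-{}", std::process::id()));
    let (work, outside) = (root.join("work"), root.join("outside"));
    fs::create_dir_all(&work)?;
    fs::create_dir_all(&outside)?;
    fs::write(outside.join("keep.txt"), b"must survive")?;
    let mut window = || {
        if swap_in_window {
            // The directory that passed the check becomes a link to `outside`.
            fs::remove_dir(&work).unwrap();
            std::os::unix::fs::symlink(&outside, &work).unwrap();
        }
    };
    // With the swap this ends in Err (the final remove_dir hits a symlink),
    // but only after the walk has already gone through the link.
    let _ = check_then_delete(&work, &mut window);
    let lost = !outside.join("keep.txt").exists();
    fs::remove_dir_all(&root)?; // clean up the scratch directory
    Ok(lost)
}

fn main() -> io::Result<()> {
    println!("nothing changes in the window: outside file lost = {}", demo(false)?);
    println!("path swapped in the window:    outside file lost = {}", demo(true)?);
    Ok(())
}
```

The walk removes `keep.txt` only when the path changes inside the window, which is why a separate symlink check cannot protect a later path-based operation.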
All versions of Rust from 1.0 through 1.58.0 are vulnerable to this issue, and the maintainers said they plan to release a patch for the bug later on Friday. The updated version will be 1.58.1.
“We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this,” the Rust advisory says.
Rust is used to build software on a variety of platforms, and many modern tools and cloud applications have components written in Rust.