FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Rust -- Race condition enabling symlink following

Affected packages
rust < 1.58.1
rust-nightly < 1.60.0.20220202

Details

VuXML ID ee26f513-826e-11ec-8be6-d4c9ef517024
Discovery 2022-01-20
Entry 2022-01-31
Modified 2022-02-03

The Rust Security Response WG was notified that the std::fs::remove_dir_all standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete.
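A host can be checked against the affected ranges listed above with a short script. The following is an added example, not part of the VuXML entry or the Rust advisory; the function names `ver_lt` and `affected_pkgs` are hypothetical, the sample input is constructed, and the comparison assumes purely numeric dotted versions with the FreeBSD port revision (`_N`) and epoch (`,N`) stripped.

```shell
#!/bin/sh
# Added example: flag rust / rust-nightly packages that fall inside the
# affected ranges of this entry (rust < 1.58.1, rust-nightly < 1.60.0.20220202).

# ver_lt A B: succeed when dotted numeric version A is strictly lower than B.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                     # leading component of each
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac  # drop it from the remainder
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}                        # missing component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                                        # equal is not "lower than"
}

# affected_pkgs: read "name version" lines on stdin, print the affected ones.
# On a FreeBSD host the input can come from:
#   pkg query '%n %v' rust rust-nightly
affected_pkgs() {
    while read -r name ver; do
        base=${ver%%,*}; base=${base%%_*}           # strip epoch, then port revision
        case $name in
            rust)         first_ok=1.58.1 ;;
            rust-nightly) first_ok=1.60.0.20220202 ;;
            *)            continue ;;               # not covered by this entry
        esac
        if ver_lt "$base" "$first_ok"; then
            echo "$name-$ver affected by CVE-2022-21658 (upgrade to >= $first_ok)"
        fi
    done
}

# Constructed sample input, not taken from a real system.
printf '%s\n' 'rust 1.57.0_2' 'rust-nightly 1.60.0.20220202' 'cargo-c 0.9.5' |
    affected_pkgs
```

Binaries built with an affected toolchain keep the vulnerable `std::fs::remove_dir_all` until they are rebuilt, so the package version alone does not cover already-compiled privileged programs.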

References

CVE Name CVE-2022-21658
URL https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html