diff --git a/posts/2022-01-20-cve-2022-21658.md b/posts/2022-01-20-cve-2022-21658.md index bf0b9a699..5765343f3 100644 --- a/posts/2022-01-20-cve-2022-21658.md +++ b/posts/2022-01-20-cve-2022-21658.md @@ -10,7 +10,7 @@ author: The Rust Security Response WG [advisory]: https://groups.google.com/g/rustlang-security-announcements/c/R1fZFDhnJVQ The Rust Security Response WG was notified that the `std::fs::remove_dir_all` -standard library function is vulneable a race condition enabling symlink +standard library function is vulnerable a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. @@ -50,7 +50,7 @@ able to reliably perform it within a couple of seconds. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability. We're going to release Rust 1.58.1 later today, which will include mitigations for this vulnerability. Patches to the Rust standard library are also available for -custom-built Rust toolchains here (TODO: link). +custom-built Rust toolchains [here][2]. Note that the following targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: @@ -73,7 +73,7 @@ intended outside of race conditions. ## Acknowledgments We want to thank Hans Kratz for independently discovering and disclosing this -issue to us according to the [Rust security policy][2], for developing the fix +issue to us according to the [Rust security policy][3], for developing the fix for UNIX-like targets and for reviewing fixes for other platforms. We also want to thank Florian Weimer for reviewing the UNIX-like fix and for 
@@ -85,4 +85,5 @@ and writing this advisory, Chris Denton for writing the Windows fix, Alex Crichton for writing the WASI fix, and Mara Bos for reviewing the patches. [1]: https://www.cve.org/CVERecord?id=CVE-2022-21658 -[2]: https://www.rust-lang.org/policies/security +[2]: https://github.com/rust-lang/wg-security-response/tree/master/patches/CVE-2022-21658 +[3]: https://www.rust-lang.org/policies/security
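Review bot: The first hunk (`@@ -10,7 +10,7 @@`) fixes the spelling of "vulneable" but leaves the sentence ungrammatical: "is vulnerable a race condition" is still missing the preposition. Suggest changing the `+` line to "standard library function is vulnerable to a race condition enabling symlink" so the opening sentence of the advisory reads correctly.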
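Review bot: In the second hunk (`@@ -50,7 +50,7 @@`), the new link reuses reference `[2]`, which until this change resolved to the Rust security policy; the change is only correct because the later hunks renumber the policy link to `[3]` and redefine `[2]`, so the three hunks must land together rather than be split. As a style point, "here" is a non-descriptive link text; consider "custom-built Rust toolchains are [available in the wg-security-response repository][2]" so the target is clear without following the link.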
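Review bot: The last hunk (`@@ -85,4 +85,5 @@`) defines `[2]` as a `tree/master/...` URL, which is a moving target: if the patches directory is later reorganised the advisory's link will silently break or point at different content. Suggest pinning the link to a specific commit of `rust-lang/wg-security-response` (or to a tagged release) so the advisory keeps referring to exactly the patches that were published for CVE-2022-21658. The renumbering itself is consistent: `[1]`, `[2]` and `[3]` are each defined once and every use visible in the diff (`[here][2]`, `[Rust security policy][3]`) matches a definition.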