Security advisory for the standard library (CVE-2024-24576)

snaggen@programming.dev · 2 years ago

Security advisory for the standard library (CVE-2024-24576)

Ich, einfach anders@lemmings.world · 2 years ago

Tl;dr: std::process::Command is vulnerable to shell injection if you invoke cmd.exe or *.{cmd,bat} on Windows.

BB_C@programming.dev · edit-2 2 years ago

Were there actually any real-world use-cases affected by this? Do any of them not deserve to be named and shamed irregardless of this vulnerability?

If it was up to me, I would nuke the cmd custom implementation, leave some helpful compile error messages behind, and direct users to some 3rd party crates to choose from.

Moussx@programming.dev · 2 years ago

Doing such a regression on a Tier 1 target would be a really big blow to the language’s reputation imo

BatmanAoD@programming.dev · edit-2 2 years ago

What custom implementation? The escaping logic?

Edit: to be clear, there is no “custom implementation” of cmd itself, nor is the problem exclusive to Rust. This is a problem with the Windows cmd itself.

Security advisory for the standard library (CVE-2024-24576)

Security advisory for the standard library (CVE-2024-24576)

Security advisory for the standard library (CVE-2024-24576) | Rust Blog