from Hacker News

Security vulnerability in Rust standard library

by alex14fr on 1/21/22, 2:06 PM with 41 comments

  • by nindalf on 1/21/22, 2:45 PM

    This issue seems like it would be common across languages, or at least those languages that have filesystem APIs in the stdlib. My understanding is that it is fixed in Python 3.3, while in C++ concurrent file system access is considered UB and therefore this isn’t a bug.

    Do people know the state in other languages?

  • by cyber_kinetist on 1/21/22, 3:40 PM

    This relates to the fact that there's some talk going on in the Rust community to extend lifetime checks to domains outside of memory safety (like filesystems).

    Here's an RFC that tries to extend lifetimes to file handles: https://github.com/rust-lang/rfcs/blob/master/text/3128-io-s...

  • by josephcsible on 1/21/22, 2:25 PM

    In general, programs should never operate on the same file name more than once. If there's more than one thing you need to do with a file, open it and then operate on the FD instead.

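    The pattern in the comment above, shown as an added example (not code from the thread or from the Rust project): the first function names the path twice, once to check it and once to read it, so what was checked and what is read need not be the same object; the second names the path once, opens it, and does the check and the read on the resulting handle, so both apply to the same inode. The function names and the "regular file" check are assumptions chosen for the illustration.

```rust
use std::fs::{self, File};
use std::io::{self, Read};
use std::path::Path;

/// Check-then-act on a name: the metadata lookup and the open are two
/// separate uses of the same path, so the object the path resolves to
/// can change in between (the race the comment warns about).
pub fn read_if_regular_by_name(path: &Path) -> io::Result<String> {
    let meta = fs::metadata(path)?; // first use of the name (stat)
    if !meta.file_type().is_file() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "not a regular file"));
    }
    let mut contents = String::new();
    File::open(path)?.read_to_string(&mut contents)?; // second use of the name
    Ok(contents)
}

/// Handle-based version: the path is used exactly once, to open it.
/// The check (fstat on the open handle) and the read both operate on
/// the handle, so they necessarily refer to the same inode.
pub fn read_if_regular_by_handle(path: &Path) -> io::Result<String> {
    let mut file = File::open(path)?; // only use of the name
    let meta = file.metadata()?; // fstat on the handle, not stat on the path
    if !meta.file_type().is_file() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "not a regular file"));
    }
    let mut contents = String::new();
    file.read_to_string(&mut contents)?;
    Ok(contents)
}

fn main() -> io::Result<()> {
    // Constructed sample input: a scratch directory with one regular file.
    let dir = std::env::temp_dir().join(format!("fd_example_{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let note = dir.join("note.txt");
    fs::write(&note, "hello")?;

    println!("regular file via handle: {:?}", read_if_regular_by_handle(&note));
    // A directory opens fine but fails the regular-file check on the handle.
    println!("directory via handle:    {:?}", read_if_regular_by_handle(&dir));

    fs::remove_dir_all(&dir)
}
```

    Note the limit of what the handle buys you: `File::open` still follows a symbolic link at the final path component, so the handle-based check guarantees that the object you inspected is the object you read, not that no link was traversed to reach it. Refusing links at open time needs a platform flag (`O_NOFOLLOW` via `std::os::unix::fs::OpenOptionsExt::custom_flags` on Unix), which is outside what the portable `std::fs` API offers.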
  • by vlmutolo on 1/22/22, 1:01 AM

    > Note that the following targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain:

    > - macOS before version 10.10 (Yosemite)

    > - REDOX

    It's funny to me that they chose to include RedoxOS in this security advisory. For those of you serving your customers over RedoxOS in production, beware.

  • by vessenes on 1/21/22, 3:56 PM

    This doesn’t go with my mental model of unix filesystem permissions, can someone explain it to me?

    The vulnerability mentions a userspace compromise aimed at a system directory, not another sensitive user directory.

    In my mind, a user trying to delete say /usr/bin on a POSIX system is going to be slapped down immediately unless they are root, or have the proper group access, and this is not the responsibility of any standard library, it’s the responsibility of the fs layer and kernel.

    So, what am I misunderstanding? Opening up a link to /usr/bin doesn’t ever give me permissions on /usr/bin over what I have.

  • by perlgeek on 1/21/22, 4:11 PM

    If I remember correctly, Rust compiles to static binaries by default, meaning they include a copy of all used parts of both libraries and standard library in the executable.

    Does that mean that any Rust program compiled with any affected version of the standard library is affected? How would I even find those?

    Statically linked binaries make deployments really easy, but this is one scenario where they have real downsides.

  • by crispyalmond on 1/21/22, 2:18 PM

    It's admirable how quickly they fix these. Kudos to the Rust team. But I worry about older software compiled with an older version of Rust which does not have this fixed.

  • by PeterCorless on 1/21/22, 4:15 PM