Updated rust packages fix security vulnerability
Publication date: 17 Apr 2025
Modification date: 17 Apr 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-24576
Description
The Rust Security Response WG was notified that the Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical if you are invoking batch files on Windows with untrusted arguments. No other platform or use is affected. We update to Rust 1.78.0 for future Mesa updates in Mageia 9.
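For code that passes untrusted arguments to batch files through the Command API, an application-side allowlist is one defence in depth alongside the updated toolchain. The following is an added example, not code from the advisory or from the Rust project; the function names, the allowed character set and the script name "report.bat" are assumptions of this example.

```rust
use std::ffi::OsStr;
use std::path::Path;
use std::process::Command;

/// True when the program path ends in .bat or .cmd (case-insensitive),
/// the two extensions named in the advisory.
fn is_batch_file(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(OsStr::to_str)
        .map(|ext| ext.eq_ignore_ascii_case("bat") || ext.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

/// Conservative allowlist (an assumption of this example, not a rule from the
/// advisory): non-empty, ASCII letters, digits, '.', '_' and '-' only.
fn is_safe_batch_arg(arg: &str) -> bool {
    !arg.is_empty()
        && arg.chars().all(|c| c.is_ascii_alphanumeric() || matches!(c, '.' | '_' | '-'))
}

/// Builds a Command, refusing any batch-file invocation whose arguments
/// fall outside the allowlist. Other programs pass through unchanged.
fn checked_command(program: &str, args: &[&str]) -> Result<Command, String> {
    if is_batch_file(program) {
        if let Some(bad) = args.iter().find(|a| !is_safe_batch_arg(a)) {
            return Err(format!("rejected argument for batch file: {:?}", bad));
        }
    }
    let mut cmd = Command::new(program);
    cmd.args(args);
    Ok(cmd)
}

fn main() {
    // Constructed sample inputs; "report.bat" is a hypothetical script name.
    let cases: [(&str, &[&str]); 3] = [
        ("report.bat", &["2024-04", "summary.txt"]),
        ("report.bat", &["2024 04"]),
        ("REPORT.CMD", &["a&b"]),
    ];
    for (prog, args) in cases {
        match checked_command(prog, args) {
            Ok(_) => println!("{prog} {args:?}: allowed"),
            Err(e) => println!("{prog} {args:?}: {e}"),
        }
    }
}
```

The check only builds the Command and never spawns it, so the caller decides how to handle a rejection before any process is started.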
References
- https://bugs.mageia.org/show_bug.cgi?id=34107
- http://www.openwall.com/lists/oss-security/2024/04/09/16
- https://github.com/rust-lang/rust/security/advisories/GHSA-q455-m56c-85mh
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N323QAEEUVTJ354BTVQ7UB6LYXUX2BCL/
- https://blog.rust-lang.org/2024/04/09/cve-2024-24576/
- https://github.com/rust-lang/rust/releases/tag/1.78.0
- https://github.com/rust-lang/rust/releases/tag/1.77.2
- https://github.com/rust-lang/rust/releases/tag/1.77.1
- https://github.com/rust-lang/rust/releases/tag/1.77.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24576
SRPMS
9/core
- rust-1.78.0-1.mga9