Search CVE reports
1 – 10 of 30 results
Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability...
19 affected packages
rustc, rustc-1.62, rustc-1.74, rustc-1.76, rustc-1.77...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| rustc | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| rustc-1.62 | Not in release | Not in release | Needs evaluation | — | — |
| rustc-1.74 | Not in release | Needs evaluation | Not in release | — | — |
| rustc-1.76 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | — |
| rustc-1.77 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | — |
| rustc-1.78 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | — |
| rustc-1.79 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | — |
| rustc-1.80 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | — |
| rustc-1.81 | Not in release | Needs evaluation | Needs evaluation | — | — |
| rustc-1.82 | Not in release | Needs evaluation | Needs evaluation | — | — |
| rustc-1.83 | Not in release | Needs evaluation | Needs evaluation | — | — |
| rustc-1.84 | Not in release | Needs evaluation | Needs evaluation | — | — |
| rustc-1.85 | Not in release | Needs evaluation | Needs evaluation | — | — |
| rustc-1.88 | Not in release | Not in release | Not in release | — | — |
| rustc-1.89 | Not in release | Needs evaluation | Needs evaluation | — | — |
| rustc-1.91 | Needs evaluation | Needs evaluation | Needs evaluation | — | — |
| rustc-1.92 | Needs evaluation | Not in release | Not in release | — | — |
| rustc-1.93 | Needs evaluation | Not in release | Not in release | — | — |
| cargo | Not in release | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an...
19 affected packages
rustc, rustc-1.62, rustc-1.74, rustc-1.76, rustc-1.77...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| rustc | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| rustc-1.62 | Not in release | Not in release | Needs evaluation | — | — |
| rustc-1.74 | Not in release | Needs evaluation | Not in release | — | — |
| rustc-1.76 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | — |
| rustc-1.77 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | — |
| rustc-1.78 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | — |
| rustc-1.79 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | — |
| rustc-1.80 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | — |
| rustc-1.81 | Not in release | Needs evaluation | Needs evaluation | — | — |
| rustc-1.82 | Not in release | Needs evaluation | Needs evaluation | — | — |
| rustc-1.83 | Not in release | Needs evaluation | Needs evaluation | — | — |
| rustc-1.84 | Not in release | Needs evaluation | Needs evaluation | — | — |
| rustc-1.85 | Not in release | Needs evaluation | Needs evaluation | — | — |
| rustc-1.88 | Not in release | Not in release | Not in release | — | — |
| rustc-1.89 | Not in release | Needs evaluation | Needs evaluation | — | — |
| rustc-1.91 | Needs evaluation | Needs evaluation | Needs evaluation | — | — |
| rustc-1.92 | Needs evaluation | Not in release | Not in release | — | — |
| rustc-1.93 | Needs evaluation | Not in release | Not in release | — | — |
| cargo | Not in release | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
Some fixes available: 34 of 53
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a...
23 affected packages
rust-tar, rustc, rustc-1.62, rustc-1.74, rustc-1.76...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| rust-tar | Not affected | Fixed | Fixed | Needs evaluation | — |
| rustc | Not in release | Fixed | Fixed | Needs evaluation | Needs evaluation |
| rustc-1.62 | Not in release | Not in release | Fixed | — | — |
| rustc-1.74 | Not in release | Fixed | Not in release | — | — |
| rustc-1.76 | Not in release | Fixed | Fixed | Needs evaluation | — |
| rustc-1.77 | Not in release | Fixed | Fixed | Needs evaluation | — |
| rustc-1.78 | Not in release | Fixed | Fixed | Needs evaluation | — |
| rustc-1.79 | Not in release | Fixed | Fixed | Needs evaluation | — |
| rustc-1.80 | Not in release | Fixed | Fixed | Needs evaluation | — |
| rustc-1.81 | Not in release | Fixed | Fixed | — | — |
| rustc-1.82 | Not in release | Fixed | Fixed | — | — |
| rustc-1.83 | Not in release | Fixed | Fixed | — | — |
| rustc-1.84 | Not in release | Fixed | Fixed | — | — |
| rustc-1.85 | Not in release | Fixed | Fixed | — | — |
| rustc-1.88 | Not in release | Not in release | Not in release | — | — |
| rustc-1.89 | Not in release | Fixed | Fixed | — | — |
| rustc-1.91 | Not affected | Fixed | Fixed | — | — |
| rustc-1.92 | Not affected | Not in release | Not in release | — | — |
| rustc-1.93 | Not affected | Not in release | Not in release | — | — |
| cargo | Not in release | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
| rust-cargo-c | Not affected | Needs evaluation | Not in release | — | — |
| rust-async-tar | Not in release | Needs evaluation | Not in release | — | — |
| rust-astral-tokio-tar | Needs evaluation | Not in release | Not in release | — | — |
Starting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target (`x86_64-pc-cygwin`) didn't correctly handle path separators, causing the standard library's Path API to ignore path components separated by backslashes....
14 affected packages
rustc, rustc-1.62, rustc-1.74, rustc-1.76, rustc-1.77...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| rustc | Not in release | Not affected | Not affected | Not affected | Not affected |
| rustc-1.62 | Not in release | Not in release | Not affected | — | — |
| rustc-1.74 | Not in release | Not affected | Not in release | — | — |
| rustc-1.76 | Not in release | Not affected | Not affected | Not affected | — |
| rustc-1.77 | Not in release | Not affected | Not affected | Not affected | — |
| rustc-1.78 | Not in release | Not affected | Not affected | Not affected | — |
| rustc-1.79 | Not in release | Not affected | Not affected | Not affected | — |
| rustc-1.80 | Not in release | Not affected | Not affected | Not affected | — |
| rustc-1.88 | Not in release | Not in release | Not in release | — | — |
| rustc-1.81 | Not in release | Not affected | Not affected | — | — |
| rustc-1.82 | Not in release | Not affected | Not affected | — | — |
| rustc-1.83 | Not in release | Not affected | Not affected | — | — |
| rustc-1.84 | Not in release | Not affected | Not affected | — | — |
| rustc-1.85 | Not in release | Not affected | Not affected | — | — |
Rust is a programming language. The fix for CVE-2024-24576, where `std::process::Command` incorrectly escaped arguments when invoking batch files on Windows, was incomplete. Prior to Rust version 1.81.0, it was possible to bypass...
2 affected packages
rustc, cargo
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| rustc | — | Not affected | Not affected | Not affected | Not affected |
| cargo | — | Not in release | Not affected | Not affected | Not affected |
Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on...
2 affected packages
rustc, cargo
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| rustc | — | — | Not affected | Not affected | Not affected |
| cargo | — | — | Not affected | Not affected | Not affected |
Some fixes available: 1 of 7
Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by `cargo build --timings`. A...
2 affected packages
cargo, rustc
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| cargo | Not in release | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
| rustc | Not in release | Fixed | Not affected | Not affected | Not affected |
Some fixes available: 6 of 11
Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If...
3 affected packages
rust-cargo, rustc, cargo
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| rust-cargo | Not affected | Vulnerable | Fixed | Not in release | Ignored |
| rustc | Not in release | Fixed | Not affected | Not affected | Not affected |
| cargo | Not in release | Not in release | Fixed | Fixed | Fixed |
Some fixes available: 11 of 39
crossbeam-utils provides atomics, synchronization primitives, scoped threads, and other utilities for concurrent programming in Rust. crossbeam-utils prior to version 0.8.7 incorrectly assumed that the alignment of `{i,u}64` was...
11 affected packages
rust-crossbeam-utils, rust-crossbeam-utils-0.7, firefox, mozjs38, librsvg...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| rust-crossbeam-utils | Not affected | Not affected | Vulnerable | Vulnerable | Not in release |
| rust-crossbeam-utils-0.7 | Not in release | Not in release | Vulnerable | Not in release | Not in release |
| firefox | Fixed | Fixed | Fixed | Not in release | Ignored |
| mozjs38 | Not in release | Not in release | Not in release | Not in release | Ignored |
| librsvg | Not affected | Not affected | Not affected | Not affected | Not affected |
| mozjs78 | Not in release | Not in release | Ignored | Not in release | Not in release |
| rustc | Not in release | Not affected | Fixed | Fixed | Not affected |
| thunderbird | Ignored | Ignored | Ignored | Not in release | Ignored |
| cargo | Not in release | Not in release | Not affected | Not affected | Not affected |
| mozjs52 | Not in release | Not in release | Not in release | Ignored | Ignored |
| mozjs68 | Not in release | Not in release | Not in release | Ignored | Not in release |
Some fixes available: 1 of 5
Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library...
1 affected package
rustc
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| rustc | Not in release | Not affected | Not affected | Fixed | Not affected |