PT-2022-23201 · Rust+2 · Cargo+2
Ori Hollander
·
Published
2022-09-14
·
Updated
2024-07-05
·
CVE-2022-36113
CVSS v3.1
4.6
Medium
| Vector | AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Cargo versions prior to 1.64
Description
The issue arises from Cargo allowing packages to contain a .cargo-ok symbolic link. When Cargo writes "ok" into .cargo-ok after extracting a package, it follows the symlink and overwrites the first two bytes of whatever file the link points to with "ok", potentially corrupting a file on the machine. By design, Cargo permits code execution at build time through build scripts and procedural macros, so the same damage could already be done by a malicious dependency; this vulnerability lets an attacker cause a subset of that damage in a harder-to-track way. Users must therefore still trust their dependencies to be protected from attacks.
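An added example, not Cargo's own code, of how a package-extraction step can write the marker without following a symlink: it inspects .cargo-ok with symlink_metadata and opens it with create_new, so a symlink planted by the package is rejected and its target is left untouched. The write_ok_marker function, the directory layout and file names are assumptions for the demonstration (Unix-only because of the symlink call).

```rust
// Added example (not Cargo's own code): a `.cargo-ok` marker writer that
// refuses to follow a symbolic link, the condition behind CVE-2022-36113.
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::path::Path;

/// Write "ok" into `<pkg_dir>/.cargo-ok` without ever following a symlink.
/// Any pre-existing entry at that path is rejected instead of written through.
pub fn write_ok_marker(pkg_dir: &Path) -> io::Result<()> {
    let marker = pkg_dir.join(".cargo-ok");
    // symlink_metadata does not follow links: a symlink shipped inside the
    // package is reported as a symlink, not as its (possibly sensitive) target.
    match fs::symlink_metadata(&marker) {
        Ok(m) if m.file_type().is_symlink() => {
            return Err(io::Error::new(
                io::ErrorKind::InvalidData,
                ".cargo-ok is a symbolic link; refusing to write through it",
            ))
        }
        Ok(_) => {
            return Err(io::Error::new(
                io::ErrorKind::AlreadyExists,
                ".cargo-ok already exists inside the package",
            ))
        }
        Err(e) if e.kind() == io::ErrorKind::NotFound => {}
        Err(e) => return Err(e),
    }
    // create_new maps to O_CREAT|O_EXCL on Unix: the open fails if anything,
    // including a symlink raced into place after the check, now exists there.
    let mut f = OpenOptions::new().write(true).create_new(true).open(&marker)?;
    f.write_all(b"ok")
}

fn main() -> io::Result<()> {
    // Constructed scenario (hypothetical paths): a package directory whose
    // .cargo-ok is a symlink to another file, as a malicious crate could ship.
    let dir = std::env::temp_dir().join(format!("cargo-ok-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let victim = dir.join("victim.txt");
    fs::write(&victim, b"important data")?;
    std::os::unix::fs::symlink(&victim, dir.join(".cargo-ok"))?;
    match write_ok_marker(&dir) {
        Err(e) => println!("refused: {e}"),
        Ok(()) => println!("marker written"),
    }
    // The target keeps its original bytes instead of starting with "ok".
    println!("victim.txt now holds: {:?}", fs::read_to_string(&victim)?);
    fs::remove_dir_all(&dir)
}
```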
Recommendations
For Cargo versions prior to 1.64, update to Rust 1.64 or later to resolve the issue. Alternatively, for Rust 1.63.0, apply the patch files available in the wg-security-response repository. Users of alternate registries should choose packages carefully and include only trusted dependencies in their projects. As a temporary mitigation, consider restricting the use of build scripts and procedural macros until the issue is resolved.
Exploit
Fix
RCE
Path traversal
Link Following
Related Identifiers
Affected Products
Cargo
Debian
Suse