PT-2022-4311 · Rust+10

Credits: Florian Weimer +1

Published: 2022-01-20 · Updated: 2025-03-24 · CVE-2022-21658

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Rust versions 1.0.0 through 1.58.0

Description: The std::fs::remove_dir_all standard library function in Rust is vulnerable to a race condition (time of check to time of use) that enables symlink following. By replacing a directory inside the tree being deleted with a symlink while the deletion is in progress, an attacker can trick a privileged program into deleting files and directories that the attacker could not otherwise access or delete. The vulnerability is particularly dangerous when the affected application runs with elevated privileges, since it can lead to the deletion of important system files.

Recommendations: To resolve the issue, update to Rust 1.58.1 as soon as possible, especially if you develop programs expected to run in privileged contexts, including system daemons and setuid binaries. For build targets that lack usable APIs to properly mitigate the attack, such as macOS before version 10.10 (Yosemite) and Redox, consider alternative mitigation strategies, but note that these targets remain vulnerable even with a patched toolchain. As a temporary workaround, avoid using std::fs::remove_dir_all in privileged contexts until the issue is fully resolved.
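The mitigation the recommendations allude to, shown as an added Python example written for this page (it is not the Rust project's code or its fix): every step of the deletion is performed relative to an already-open directory descriptor, and each subdirectory is opened with O_NOFOLLOW, so a component that has been swapped for a symlink fails to open instead of redirecting the deletion outside the tree. It assumes a Linux/POSIX host whose Python supports the dir_fd arguments; the victim/tree layout in demo() is constructed.

```python
import os
import tempfile

# Open a directory by name relative to an already-open parent descriptor,
# refusing to follow a symlink in the final component: a component swapped
# for a symlink between check and use yields ELOOP instead of a redirect.
_DIR_FLAGS = os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY | os.O_CLOEXEC

def _remove_tree_at(parent_fd, name):
    """Delete directory `name` inside the directory open at `parent_fd`."""
    fd = os.open(name, _DIR_FLAGS, dir_fd=parent_fd)
    try:
        with os.scandir(fd) as entries:
            for entry in entries:
                if entry.is_dir(follow_symlinks=False):
                    _remove_tree_at(fd, entry.name)
                else:
                    # Files and symlinks alike: unlink the entry itself,
                    # relative to fd, never the target a link points at.
                    os.unlink(entry.name, dir_fd=fd)
    finally:
        os.close(fd)
    os.rmdir(name, dir_fd=parent_fd)  # empty now; remove relative to parent

def remove_dir_all_nofollow(path):
    """Recursively delete `path` without following any symlink inside it."""
    parent, name = os.path.split(os.path.abspath(path))
    parent_fd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    try:
        _remove_tree_at(parent_fd, name)
    finally:
        os.close(parent_fd)

def demo():
    """Constructed scenario: the tree to delete contains a symlink pointing
    at a directory outside it. Returns (tree_removed, victim_intact)."""
    with tempfile.TemporaryDirectory() as base:
        victim = os.path.join(base, "victim")
        os.makedirs(victim)
        with open(os.path.join(victim, "keep.txt"), "w") as f:
            f.write("must survive\n")
        tree = os.path.join(base, "tree")
        os.makedirs(os.path.join(tree, "sub"))
        with open(os.path.join(tree, "sub", "junk.txt"), "w") as f:
            f.write("delete me\n")
        os.symlink(victim, os.path.join(tree, "sub", "escape"))  # the trap
        remove_dir_all_nofollow(tree)
        return (not os.path.exists(tree),
                os.path.exists(os.path.join(victim, "keep.txt")))
```

The demo plants the symlink before the walk starts rather than racing it in, but the descriptor-relative pattern handles both cases the same way: the link entry is unlinked, its target is never opened.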

Tags: Exploit · Fix · Race Condition · Time Of Check To Time Of Use

Related Identifiers

ALSA-2022:1894
ALT-PU-2022-1106
ALT-PU-2022-2927
ALT-PU-2023-1135
ALT-PU-2023-4337
AZL-8337
BDU:2022-05167
CESA-2022:1894
CVE-2022-21658
ELSA-2022-1894
GHSA-R9CC-F5PR-P3J2
MGASA-2022-0044
OPENSUSE-SU-2022:0149-1
OPENSUSE-SU-2022:0171-1
OPENSUSE-SU-2022:0175-1
OPENSUSE-SU-2022:0491-1
OPENSUSE-SU-2022:0843-1
OPENSUSE-SU-2024:11767-1
OPENSUSE-SU-2024:11768-1
OPENSUSE-SU-2024:11769-1
RHSA-2022:1894
RLSA-2022:1894
SUSE-SU-2022:0149-1
SUSE-SU-2022:0171-1
SUSE-SU-2022:0175-1
SUSE-SU-2022:0200-1
SUSE-SU-2022:0491-1
SUSE-SU-2022:0843-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Debian
Apple macOS
Red Hat
RED OS
Rocky Linux
Rust
SUSE