Commit 2f32d33

Merge pull request #918 from pietroalbini/pa-fix-cve-2022-21658
2 parents 39fbadf + 2e6a4f8 commit 2f32d33

File tree

1 file changed

+5
-4
lines changed

1 file changed

+5
-4
lines changed

posts/2022-01-20-cve-2022-21658.md

Lines changed: 5 additions & 4 deletions
@@ -10,7 +10,7 @@ author: The Rust Security Response WG
1010
[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/R1fZFDhnJVQ
1111

1212
The Rust Security Response WG was notified that the `std::fs::remove_dir_all`
13-
standard library function is vulneable a race condition enabling symlink
13+
standard library function is vulnerable a race condition enabling symlink
1414
following (CWE-363). An attacker could use this security issue to trick a
1515
privileged program into deleting files and directories the attacker couldn't
1616
otherwise access or delete.
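Review bot: the corrected line 13 still reads "is vulnerable a race condition"; the preposition is missing, so while this hunk fixes the "vulneable" typo the sentence remains ungrammatical. Suggest "is vulnerable to a race condition enabling symlink following (CWE-363)" so the fix lands in one pass rather than needing a second follow-up edit to the same line.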
@@ -50,7 +50,7 @@ able to reliably perform it within a couple of seconds.
5050
Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability. We're going
5151
to release Rust 1.58.1 later today, which will include mitigations for this
5252
vulnerability. Patches to the Rust standard library are also available for
53-
custom-built Rust toolchains here (TODO: link).
53+
custom-built Rust toolchains [here][2].
5454

5555
Note that the following targets don't have usable APIs to properly mitigate the
5656
attack, and are thus still vulnerable even with a patched toolchain:
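Review bot: line 53 now points "here" at reference label [2], but in the pre-patch document [2] is the Rust security policy URL, so this hunk only links to the patches if the reference-list change at the bottom of the file is applied with it; on its own it would silently send readers to the security policy instead of the patch tree. Since the same commit renumbers the labels, that is fine as a whole, but a named label (for example `[patches]`) would make the link self-describing and avoid this kind of coupling between hunks.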
@@ -73,7 +73,7 @@ intended outside of race conditions.
7373
## Acknowledgments
7474

7575
We want to thank Hans Kratz for independently discovering and disclosing this
76-
issue to us according to the [Rust security policy][2], for developing the fix
76+
issue to us according to the [Rust security policy][3], for developing the fix
7777
for UNIX-like targets and for reviewing fixes for other platforms.
7878

7979
We also want to thank Florian Weimer for reviewing the UNIX-like fix and for
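Review bot: the renumbering on line 76 from [2] to [3] is correct given the new [2] definition below, but it is a change forced purely by inserting a new numbered reference in the middle of the list. Appending the patches link as [3] instead, and keeping the security policy at [2], would leave this hunk unnecessary and reduce the chance of a stale label in future edits.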
@@ -85,4 +85,5 @@ and writing this advisory, Chris Denton for writing the Windows fix, Alex
8585
Crichton for writing the WASI fix, and Mara Bos for reviewing the patches.
8686

8787
[1]: https://www.cve.org/CVERecord?id=CVE-2022-21658
88-
[2]: https://www.rust-lang.org/policies/security
88+
[2]: https://github.com/rust-lang/wg-security-response/tree/master/patches/CVE-2022-21658
89+
[3]: https://www.rust-lang.org/policies/security
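Review bot: the new [2] on line 88 links to `tree/master/patches/CVE-2022-21658`, a branch-relative path that will break or change content if the directory is moved or the branch is renamed. For an advisory that people will consult long after release, consider pinning to a specific commit in that repository so the patch set readers download is the one that was reviewed.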
