diff --git a/EXAMPLE_ADVISORY.md b/EXAMPLE_ADVISORY.md
index cd12bf782..d3b71db45 100644
--- a/EXAMPLE_ADVISORY.md
+++ b/EXAMPLE_ADVISORY.md
@@ -18,7 +18,9 @@ unaffected = ["<= 0.1.2"]
 [affected]
 #arch = ["x86"]
 #os = ["windows"]
-#functions = { "crate_name::MyStruct::vulnerable_fn" = [">= 1.3.0, < 1.3.4"] }
+
+#[affected.functions]
+#"crate_name::MyStruct::vulnerable_fn" = [">= 1.3.0, < 1.3.4"]
 ```
 
 # RustSec Advisory Template - Advisory Title Goes Here
diff --git a/README.md b/README.md
index 539982f5a..4073da166 100644
--- a/README.md
+++ b/README.md
@@ -122,7 +122,8 @@ keywords = ["ssl", "mitm"]
 # name (e.g. if the function was renamed between versions).
 # The path syntax is `cratename::path::to::function`, without any
 # parameters or additional information, followed by a list of version reqs.
-functions = { "mycrate::MyType::vulnerable_function" = ["< 1.2.0, >= 1.1.0"] }
+[affected.functions]
+"mycrate::MyType::vulnerable_function" = ["< 1.2.0, >= 1.1.0"]
 
 # Versions which include fixes for this vulnerability (mandatory)
 # All selectors supported by Cargo are supported here:
diff --git a/crates/age/RUSTSEC-0000-0000.md b/crates/age/RUSTSEC-0000-0000.md
new file mode 100644
index 000000000..df734d828
--- /dev/null
+++ b/crates/age/RUSTSEC-0000-0000.md
@@ -0,0 +1,92 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "age"
+date = "2024-12-18"
+url = "https://github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w"
+categories = ["code-execution"]
+aliases = ["GHSA-4fg7-vxc8-qx5w"]
+related = ["GHSA-32gq-x56h-299c"]
+
+[affected.functions]
+"age::plugin::Identity::from_str" = [
+ "0.6.0",
+ ">= 0.7.0, < 0.7.2",
+ ">= 0.8.0, < 0.8.2",
+ ">= 0.9.0, < 0.9.3",
+ "0.10.0",
+ "0.11.0",
+]
+"age::plugin::Identity::default_for_plugin" = [
+ ">= 0.7.0, < 0.7.2",
+ ">= 0.8.0, < 0.8.2",
+ ">= 0.9.0, < 0.9.3",
+ "0.10.0",
+ "0.11.0",
+]
+"age::plugin::IdentityPluginV1::new" = [
+ "0.6.0",
+ ">= 0.7.0, < 0.7.2",
+ ">= 0.8.0, < 0.8.2",
+ ">= 0.9.0, < 0.9.3",
+ "0.10.0",
+ "0.11.0",
+]
+"age::plugin::Recipient::from_str" = [
+ "0.6.0",
+ ">= 0.7.0, < 0.7.2",
+ ">= 0.8.0, < 0.8.2",
+ ">= 0.9.0, < 0.9.3",
+ "0.10.0",
+ "0.11.0",
+]
+"age::plugin::RecipientPluginV1::new" = [
+ "0.6.0",
+ ">= 0.7.0, < 0.7.2",
+ ">= 0.8.0, < 0.8.2",
+ ">= 0.9.0, < 0.9.3",
+ "0.10.0",
+ "0.11.0",
+]
+
+[versions]
+patched = [
+ ">= 0.6.1, < 0.7.0",
+ ">= 0.7.2, < 0.8.0",
+ ">= 0.8.2, < 0.9.0",
+ ">= 0.9.3, < 0.10.0",
+ ">= 0.10.1, < 0.11.0",
+ ">= 0.11.1",
+]
+unaffected = ["< 0.6.0"]
+```
+
+# Malicious plugin names, recipients, or identities can cause arbitrary binary execution
+
+A plugin name containing a path separator may allow an attacker to execute an arbitrary
+binary.
+
+Such a plugin name can be provided through an attacker-controlled input to the following
+`age` APIs when the `plugin` feature flag is enabled:
+- [`age::plugin::Identity::from_str`](https://docs.rs/age/0.11.0/age/plugin/struct.Identity.html#impl-FromStr-for-Identity)
+ (or equivalently [`str::parse::()`](https://doc.rust-lang.org/stable/core/primitive.str.html#method.parse))
+- [`age::plugin::Identity::default_for_plugin`](https://docs.rs/age/0.11.0/age/plugin/struct.Identity.html#method.default_for_plugin)
+- [`age::plugin::IdentityPluginV1::new`](https://docs.rs/age/0.11.0/age/plugin/struct.IdentityPluginV1.html#method.new)
+ (the `plugin_name` argument)
+- [`age::plugin::Recipient::from_str`](https://docs.rs/age/0.11.0/age/plugin/struct.Recipient.html#impl-FromStr-for-Recipient)
+ (or equivalently [`str::parse::()`](https://doc.rust-lang.org/stable/core/primitive.str.html#method.parse))
+- [`age::plugin::RecipientPluginV1::new`](https://docs.rs/age/0.11.0/age/plugin/struct.RecipientPluginV1.html#method.new)
+ (the `plugin_name` argument)
+
+On UNIX systems, a directory matching `age-plugin-*` needs to exist in the working
+directory for the attack to succeed.
+
+The binary is executed with a single flag, either `--age-plugin=recipient-v1` or
+`--age-plugin=identity-v1`. The standard input includes the recipient or identity string,
+and the random file key (if encrypting) or the header of the file (if decrypting). The
+format is constrained by the [age-plugin](https://c2sp.org/age-plugin) protocol.
+
+An equivalent issue was fixed in [the reference Go implementation of age](https://github.com/FiloSottile/age),
+see advisory [GHSA-32gq-x56h-299c](https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c).
+
+Thanks to ⬡-49016 for reporting this issue.
diff --git a/crates/rage/RUSTSEC-0000-0000.md b/crates/rage/RUSTSEC-0000-0000.md
new file mode 100644
index 000000000..54b562d90
--- /dev/null
+++ b/crates/rage/RUSTSEC-0000-0000.md
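Review bot: The two "(or equivalently `str::parse::()`)" bullets in the new age advisory carry an empty turbofish, so the text as shown does not name the type the caller parses into; if the file really reads that way (rather than the `<…>` having been lost in rendering), the link text should be `str::parse::<Identity>()` under the `Identity::from_str` bullet and `str::parse::<Recipient>()` under the `Recipient::from_str` bullet, with the `[affected.functions]` entries left as they are. Separately, the prose notes the APIs are only reachable "when the `plugin` feature flag is enabled", but nothing in `[affected]` can express a feature-flag precondition, so `cargo audit` will report every dependent of the listed versions regardless of features; a one-line sentence making that explicit, e.g. `Users who do not enable the `plugin` feature are not exposed, but tooling cannot distinguish this and will still report the advisory.`, would save downstream triage time.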
@@ -0,0 +1,42 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "rage"
+date = "2024-12-18"
+url = "https://github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w"
+categories = ["code-execution"]
+aliases = ["GHSA-4fg7-vxc8-qx5w"]
+related = ["GHSA-32gq-x56h-299c"]
+
+[versions]
+patched = [
+ ">= 0.6.1, < 0.7.0",
+ ">= 0.7.2, < 0.8.0",
+ ">= 0.8.2, < 0.9.0",
+ ">= 0.9.3, < 0.10.0",
+ ">= 0.10.1, < 0.11.0",
+ ">= 0.11.1",
+]
+unaffected = ["< 0.6.0"]
+```
+
+# Malicious plugin names, recipients, or identities can cause arbitrary binary execution
+
+A plugin name containing a path separator may allow an attacker to execute an arbitrary
+binary.
+
+Such a plugin name can be provided to the `rage` CLI through an attacker-controlled
+recipient or identity string, or an attacker-controlled plugin name via the `-j` flag.
+
+On UNIX systems, a directory matching `age-plugin-*` needs to exist in the working
+directory for the attack to succeed.
+
+The binary is executed with a single flag, either `--age-plugin=recipient-v1` or
+`--age-plugin=identity-v1`. The standard input includes the recipient or identity string,
+and the random file key (if encrypting) or the header of the file (if decrypting). The
+format is constrained by the [age-plugin](https://c2sp.org/age-plugin) protocol.
+
+An equivalent issue was fixed in [the reference Go implementation of age](https://github.com/FiloSottile/age),
+see advisory [GHSA-32gq-x56h-299c](https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c).
+
+Thanks to ⬡-49016 for reporting this issue.