Add advisory for rage plugin name vulnerability (GHSA-4fg7-vxc8-qx5w) #2170

Merged · 2 commits · Jan 3, 2025
4 changes: 3 additions & 1 deletion EXAMPLE_ADVISORY.md
Expand Up @@ -18,7 +18,9 @@ unaffected = ["<= 0.1.2"]
[affected]
#arch = ["x86"]
#os = ["windows"]
#functions = { "crate_name::MyStruct::vulnerable_fn" = [">= 1.3.0, < 1.3.4"] }

#[affected.functions]
#"crate_name::MyStruct::vulnerable_fn" = [">= 1.3.0, < 1.3.4"]
```

# RustSec Advisory Template - Advisory Title Goes Here
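Review bot: the new `#[affected.functions]` header in this template example also closes the `[affected]` table, so any `arch`/`os` keys a user later uncomments must stay above it; placed below it they would be parsed as entries of `affected.functions`. A one-line comment in the template would prevent that, e.g. `# keys of [affected] must appear before the [affected.functions] header`.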
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -122,7 +122,8 @@ keywords = ["ssl", "mitm"]
# name (e.g. if the function was renamed between versions).
# The path syntax is `cratename::path::to::function`, without any
# parameters or additional information, followed by a list of version reqs.
functions = { "mycrate::MyType::vulnerable_function" = ["< 1.2.0, >= 1.1.0"] }
[affected.functions]
"mycrate::MyType::vulnerable_function" = ["< 1.2.0, >= 1.1.0"]

# Versions which include fixes for this vulnerability (mandatory)
# All selectors supported by Cargo are supported here:
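Review bot: the `[affected.functions]` header introduced here opens a new table, so the `patched` key described by the following comment (its definition lies outside the visible context) must sit under its own `[versions]` header rather than directly after this block, or it would be read as an `affected.functions` entry. Please confirm the README example below the cut still opens with `[versions]`; the comment above (`# The path syntax is \`cratename::path::to::function\` ... followed by a list of version reqs.`) still reads correctly for the dotted-table form.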
92 changes: 92 additions & 0 deletions crates/age/RUSTSEC-0000-0000.md
@@ -0,0 +1,92 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "age"
date = "2024-12-18"
url = "https://github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w"
categories = ["code-execution"]
aliases = ["GHSA-4fg7-vxc8-qx5w"]
related = ["GHSA-32gq-x56h-299c"]

[affected.functions]
"age::plugin::Identity::from_str" = [
"0.6.0",
">= 0.7.0, < 0.7.2",
">= 0.8.0, < 0.8.2",
">= 0.9.0, < 0.9.3",
"0.10.0",
"0.11.0",
]
"age::plugin::Identity::default_for_plugin" = [
">= 0.7.0, < 0.7.2",
">= 0.8.0, < 0.8.2",
">= 0.9.0, < 0.9.3",
"0.10.0",
"0.11.0",
]
"age::plugin::IdentityPluginV1::new" = [
"0.6.0",
">= 0.7.0, < 0.7.2",
">= 0.8.0, < 0.8.2",
">= 0.9.0, < 0.9.3",
"0.10.0",
"0.11.0",
]
"age::plugin::Recipient::from_str" = [
"0.6.0",
">= 0.7.0, < 0.7.2",
">= 0.8.0, < 0.8.2",
">= 0.9.0, < 0.9.3",
"0.10.0",
"0.11.0",
]
"age::plugin::RecipientPluginV1::new" = [
"0.6.0",
">= 0.7.0, < 0.7.2",
">= 0.8.0, < 0.8.2",
">= 0.9.0, < 0.9.3",
"0.10.0",
"0.11.0",
]

[versions]
patched = [
">= 0.6.1, < 0.7.0",
">= 0.7.2, < 0.8.0",
">= 0.8.2, < 0.9.0",
">= 0.9.3, < 0.10.0",
">= 0.10.1, < 0.11.0",
">= 0.11.1",
]
unaffected = ["< 0.6.0"]
```

# Malicious plugin names, recipients, or identities can cause arbitrary binary execution

A plugin name containing a path separator may allow an attacker to execute an arbitrary
binary.

Such a plugin name can be provided through an attacker-controlled input to the following
`age` APIs when the `plugin` feature flag is enabled:
- [`age::plugin::Identity::from_str`](https://docs.rs/age/0.11.0/age/plugin/struct.Identity.html#impl-FromStr-for-Identity)
(or equivalently [`str::parse::<age::plugin::Identity>()`](https://doc.rust-lang.org/stable/core/primitive.str.html#method.parse))
- [`age::plugin::Identity::default_for_plugin`](https://docs.rs/age/0.11.0/age/plugin/struct.Identity.html#method.default_for_plugin)
- [`age::plugin::IdentityPluginV1::new`](https://docs.rs/age/0.11.0/age/plugin/struct.IdentityPluginV1.html#method.new)
(the `plugin_name` argument)
- [`age::plugin::Recipient::from_str`](https://docs.rs/age/0.11.0/age/plugin/struct.Recipient.html#impl-FromStr-for-Recipient)
(or equivalently [`str::parse::<age::plugin::Recipient>()`](https://doc.rust-lang.org/stable/core/primitive.str.html#method.parse))
- [`age::plugin::RecipientPluginV1::new`](https://docs.rs/age/0.11.0/age/plugin/struct.RecipientPluginV1.html#method.new)
(the `plugin_name` argument)

On UNIX systems, a directory matching `age-plugin-*` needs to exist in the working
directory for the attack to succeed.

The binary is executed with a single flag, either `--age-plugin=recipient-v1` or
`--age-plugin=identity-v1`. The standard input includes the recipient or identity string,
and the random file key (if encrypting) or the header of the file (if decrypting). The
format is constrained by the [age-plugin](https://c2sp.org/age-plugin) protocol.

An equivalent issue was fixed in [the reference Go implementation of age](https://github.com/FiloSottile/age),
see advisory [GHSA-32gq-x56h-299c](https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c).

Thanks to ⬡-49016 for reporting this issue.
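Review bot: `age::plugin::Identity::default_for_plugin` is listed from `>= 0.7.0` while every other function range starts at `0.6.0`; if that is because the method did not exist before 0.7.0, a short `#` comment in the TOML would stop the next reader from taking it for an omission. The function ranges do line up with `[versions]` (`0.6.0`, `>= 0.7.0, < 0.7.2`, `>= 0.8.0, < 0.8.2`, `>= 0.9.0, < 0.9.3`, `0.10.0`, `0.11.0` against `patched` starting at `0.6.1`, `0.7.2`, `0.8.2`, `0.9.3`, `0.10.1`, `0.11.1`). One documentation gap: the body states the `age-plugin-*` working-directory precondition for UNIX only and says nothing about other platforms, so a reader cannot tell whether Windows is affected without that precondition or not affected at all.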
42 changes: 42 additions & 0 deletions crates/rage/RUSTSEC-0000-0000.md
@@ -0,0 +1,42 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "rage"
date = "2024-12-18"
url = "https://github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w"
categories = ["code-execution"]
aliases = ["GHSA-4fg7-vxc8-qx5w"]
related = ["GHSA-32gq-x56h-299c"]

[versions]
patched = [
">= 0.6.1, < 0.7.0",
">= 0.7.2, < 0.8.0",
">= 0.8.2, < 0.9.0",
">= 0.9.3, < 0.10.0",
">= 0.10.1, < 0.11.0",
">= 0.11.1",
]
unaffected = ["< 0.6.0"]
```

# Malicious plugin names, recipients, or identities can cause arbitrary binary execution

A plugin name containing a path separator may allow an attacker to execute an arbitrary
binary.

Such a plugin name can be provided to the `rage` CLI through an attacker-controlled
recipient or identity string, or an attacker-controlled plugin name via the `-j` flag.

On UNIX systems, a directory matching `age-plugin-*` needs to exist in the working
directory for the attack to succeed.

The binary is executed with a single flag, either `--age-plugin=recipient-v1` or
`--age-plugin=identity-v1`. The standard input includes the recipient or identity string,
and the random file key (if encrypting) or the header of the file (if decrypting). The
format is constrained by the [age-plugin](https://c2sp.org/age-plugin) protocol.

An equivalent issue was fixed in [the reference Go implementation of age](https://github.com/FiloSottile/age),
see advisory [GHSA-32gq-x56h-299c](https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c).

Thanks to ⬡-49016 for reporting this issue.
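Review bot: the placeholder `id = "RUSTSEC-0000-0000"` is identical in this file and in `crates/age/RUSTSEC-0000-0000.md`, so the id-assignment step on merge has to give the two advisories distinct RUSTSEC ids. The body refers to the `-j` flag without naming which binary of the `rage` package takes it; a clause such as "the `rage` binary's `-j` flag" would make the scope of the CLI-side issue explicit. As in the `age` advisory, the UNIX-only working-directory precondition leaves the behaviour on other platforms unstated.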