rust-lang · pietroalbini · Sep 4, 2024 · Sep 3, 2024
diff --git a/posts/2024-09-04-cve-2024-43402.md b/posts/2024-09-04-cve-2024-43402.md
@@ -0,0 +1,63 @@
+---
+layout: post
+title: "Security advisory for the standard library (CVE-2024-43402)"
+author: The Rust Security Response WG
+---
+
+On April 9th, 2024, the Rust Security Response WG disclosed [CVE-2024-24576][1],
+where `std::process::Command` incorrectly escaped arguments when invoking batch
+files on Windows. We were notified that our fix for the vulnerability was
+incomplete, and it was possible to bypass the fix when the batch file name had
+trailing whitespace or periods (which are ignored and stripped by Windows).
+
+The severity of the incomplete fix is **low**, due to the niche conditions
+needed to trigger it. Note that calculating the CVSS score might assign a
+higher severity to this, but that doesn't take into account what is required to
+trigger the incomplete fix.
+
+The incomplete fix is identified by CVE-2024-43402.
+
+## Overview
+
+Refer to [the advisory for CVE-2024-24576][1] for details on the
+original vulnerability.
+
+To determine whether to apply the `cmd.exe` escaping rules, the original fix
+for the vulnerability checked whether the command name ended with `.bat` or
+`.cmd`. At the time that seemed enough, as we refuse to invoke batch scripts
+with no file extension.
+
+Unfortunately, [Windows removes trailing whitespace and periods][2] when
+parsing file paths. For example, `.bat. .` is interpreted by Windows as `.bat`,
+but our original fix didn't check for that.
+
+## Mitigations
+
+If you are affected by this, and you are using Rust 1.77.2 or greater, you can
+remove the trailing whitespace (ASCII 0x20) and trailing periods (ASCII 0x2E)
+from the batch file name to bypass the incomplete fix and enable the
+mitigations.
+
+Rust 1.81.0, due to be released on September 5th 2024, will update the standard
+library to apply the [CVE-2024-24576][1] mitigations to all batch files
+invocations, regardless of the trailing chars in the file name.
+
+## Affected versions
+
+All Rust versions before 1.81.0 are affected, if your code or one of your
+dependencies invoke a batch script on Windows with trailing whitespace or
+trailing periods in the name, and pass untrusted arguments to it.
+
+## Acknowledgements
+
+We want to thank Kainan Zhang (@4xpl0r3r) for responsibly disclosing this to us
+according to the [Rust security policy][3].
+
+We also want to thank the members of the Rust project who helped us disclose
+the incomplete fix: Chris Denton for developing the fix, Amanieu D'Antras for
+reviewing the fix; Pietro Albini for writing this advisory; Pietro Albini,
+Manish Goregaokar and Josh Stone for coordinating this disclosure.
+
+[1]: https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html
+[2]: https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/file-folder-name-whitespace-characters
+[3]: https://www.rust-lang.org/policies/security