major security vulnerability found in rust (over hyped?)

A critical 10/10 vulnerability has been found in Rust, but how important is it really? Check it out in this video.

Comments

Instructions unclear, the children are hidden in the closet and are staying there indefinitely

SzaboB

For a 10/10 I'd expect any compiled Rust code that takes an input to be vulnerable.

Elesario

To put it in comparison, it's the same score as the xz backdoor that was recently uncovered.

It's so ridiculous. Jia Tan probably died inside when he saw the severity score.

wlockuz

I also find it weird that they singled out Rust for this because it affects many libraries across many languages; it's just Windows cmd.exe not escaping things correctly. Why specifically target Rust? (Answer: sensational news story)

Eysvar

I don't really understand how this is a bug. If you pass unsanitized input, you get injections. Skill issue.

andrewdupper

They rated this 10/10? CVEs are such a joke

kibels

Vulnerability 1 - Windows
Vulnerability 2 - .bat files
Vulnerability 3 - A programmer that wants to run .bat files from his rust code
Vulnerability 4 - The specific rare use case mentioned by the CVE

DanielSantanaBjj

"This gun is defective, every time I load it, point it at my foot and pull the trigger, it shoots me!"

Iceman

It gets at the heart of why CVSS scoring is hard - there's no consideration for "how commonly is this used like this?"

latiotech

Agreed, I saw this headline and read into it further and immediately clicked off when I learned of its actual nature.

khz

I suppose the issue is more related to how Windows executes script files in general; I expect this sort of issue to be present with just about anything that is supported via the ShellExecute or CreateProcess APIs. Every program on Windows is free to parse its command line in any way it sees fit; there's no real concept of arguments or standardized escape sequences for quoted arguments or such, it's all handled on an app-by-app basis, and I know for a fact some do not support any form of escaping. IIRC you can even edit an environment variable to change which file extensions are run by the command processor, which means even if a programming language tried to detect what it thought was happening, it could still be subject to timing attacks.

N....
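The comment above explains why arguments to a batch file cannot be reliably escaped: cmd.exe re-parses the command line itself and there is no standard escape syntax. As an added example (not code from the video or from any commenter), here is a conservative pre-flight check in Rust that refuses to build a command for a .bat script when an argument contains characters cmd.exe reinterprets; the metacharacter list, the error type and the function names are assumptions made for this example, not any project's API.

```rust
use std::process::Command;

/// Reasons an argument is refused. Hypothetical type for this example.
#[derive(Debug, PartialEq)]
pub enum BatchArgError {
    ContainsQuote,
    ContainsNewline,
    ContainsPercent,
    ContainsMetachar(char),
}

// Characters cmd.exe re-interprets when it parses a batch file's
// command line. Assumed list for this example; not exhaustive.
const CMD_METACHARS: &[char] = &['&', '|', '<', '>', '^', '(', ')', '!'];

/// Reject any single argument that cmd.exe could re-parse. Because there
/// is no standard escape syntax for batch files, refusing the value is
/// safer than trying to quote it.
pub fn check_batch_arg(arg: &str) -> Result<(), BatchArgError> {
    if arg.contains('"') {
        return Err(BatchArgError::ContainsQuote);
    }
    if arg.contains('\r') || arg.contains('\n') {
        return Err(BatchArgError::ContainsNewline);
    }
    if arg.contains('%') {
        return Err(BatchArgError::ContainsPercent);
    }
    if let Some(c) = arg.chars().find(|c| CMD_METACHARS.contains(c)) {
        return Err(BatchArgError::ContainsMetachar(c));
    }
    Ok(())
}

/// Check every argument; report the index of the first bad one.
pub fn check_batch_args<'a>(args: impl IntoIterator<Item = &'a str>)
    -> Result<(), (usize, BatchArgError)> {
    for (i, a) in args.into_iter().enumerate() {
        check_batch_arg(a).map_err(|e| (i, e))?;
    }
    Ok(())
}

/// Build (but do not run) a Command for a .bat script only if every
/// argument passed the check above.
pub fn batch_command<'a>(script: &str, args: impl IntoIterator<Item = &'a str>)
    -> Result<Command, (usize, BatchArgError)> {
    let args: Vec<&str> = args.into_iter().collect();
    check_batch_args(args.iter().copied())?;
    let mut cmd = Command::new(script);
    cmd.args(&args);
    Ok(cmd)
}
```

On a non-Windows host the returned Command is only constructed, never spawned, so the check can be exercised anywhere.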

Guys, I don't want to worry you, but I just found this critical vulnerability where if I execute "shutdown" from Rust, my computer turns off. 10/10 CVE.

georgehelyar

I just read the CVE description before coming here and was really surprised to see it rated 10/10. At first I thought I'd misread the description because the mitigating factors (requires you to be executing a Windows batch file AND the attacker has the ability to arbitrarily control the input arguments) are quite strong.
I'm not really into Rust, but did find it odd that the vulnerability is making the headlines as somehow specific to Rust, when it's also present in (at least) Erlang (unpatched), Go (unpatched), Haskell, Java ("won't fix"), NodeJS, PHP, Python and Ruby.

batlin

If you are running a Windows server, this is probably the least of your problems.

knolljo

Why run a batch file with Rust..?

Edit: this is clickbait and not even specific to Rust but cmd/batch..?

Couleur

I recently submitted some bugs to Microsoft about Windows. I was able to demonstrate how to bypass Intune security controls and execute code that is supposed to be blocked. Because it required local machine access they dismissed it. Then you get this one, which also requires local access, and somebody else reckons it's the worst thing ever. It's sideways. The Rust issue is bad but nowhere near catastrophic. The Windows issue I found is not nothing and could be used by malware authors to get their malware to execute when Intune restrictions were supposed to stop it.

vkfbab

If I remember correctly, DOS/Windows share the limitation that there is no standard way to quote arguments, because it is not the shell that parses them but the process itself that is spawned by the shell. I.e. you'll need to quote depending on which program you run.

virkony

10/10 was the XZ backdoor that shook the FOSS world two weeks ago. I'm not a huge fan of rust myself, but I agree this doesn't look like a 10/10 vulnerability at all.

benoitrousseau

Every C dev right now: isn’t this doing exactly what it’s supposed to do?

hansdampf

Giving this a 10/10 rating just drops the integrity of the CVSS system. Giving it a CVE is just a process, but this is barely even a bug, it's expected behaviour.

ragectl