Vulnerabilities in the Cargo package manager used for Rust projects

Two vulnerabilities have been identified in Cargo, the package manager used to manage dependencies and build projects in the Rust language. They can be exploited when downloading specially crafted packages from third-party registries (users of the official crates.io registry are stated not to be affected). The first vulnerability (CVE-2022-36113) allows overwriting the first two bytes of any file that the current user's permissions allow writing to. The second (CVE-2022-36114) can be exploited to exhaust free disk space.

The vulnerabilities will be fixed in Rust 1.64, scheduled for release on September 22. They have been assigned a low severity, since a package from an unverified third-party registry can already cause similar damage through the standard ability to run code from the build scripts or procedural macros it ships. What sets these two problems apart is that they are triggered at the stage of unpacking the package after download, without any build taking place.

In particular, after a package is downloaded, cargo unpacks its contents into the ~/.cargo directory and records successful unpacking by writing to a .cargo-ok file. The essence of the first vulnerability is that the package author can place a symbolic link named .cargo-ok inside the archive, so that the text "ok" is written to whatever file the link points to.

The second vulnerability stems from the absence of a limit on the amount of data extracted from the archive, which makes "zip bombs" possible: the archive contents can be prepared to reach the maximum compression ratio for the zip format (about 28 million to one), so that, for example, a specially crafted 10 MB zip file unpacks to roughly 281 TB of data.
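As an added illustration (not code from Cargo or from the article), the following std-only Rust function walks an uncompressed tar stream and applies the two mitigations the text implies: it refuses a `.cargo-ok` entry that is a symbolic link, and it bounds the cumulative unpacked size before anything is written to disk. The minimal ustar header parsing, the `tar_entry` test builder and the `max_total` value are assumptions of this example, not Cargo's actual implementation.

```rust
/// Summary of one archive entry that passed the checks.
#[derive(Debug, PartialEq)]
pub struct Entry { pub name: String, pub size: u64, pub is_symlink: bool }

/// Walk a tar byte stream and reject entries that are dangerous to unpack:
/// a symlink named `.cargo-ok` (CVE-2022-36113) or a cumulative unpacked
/// size above `max_total` bytes (CVE-2022-36114). Nothing is written to disk.
pub fn check_tar(data: &[u8], max_total: u64) -> Result<Vec<Entry>, String> {
    let mut out = Vec::new();
    let mut total: u64 = 0;
    let mut pos = 0usize;
    while pos + 512 <= data.len() {
        let hdr = &data[pos..pos + 512];
        if hdr.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let name = cstr(&hdr[0..100]);
        let size = u64::from_str_radix(cstr(&hdr[124..136]).trim(), 8)
            .map_err(|_| format!("bad size field in entry {name}"))?;
        let is_symlink = hdr[156] == b'2'; // ustar typeflag '2' = symlink
        // Check 1: the completion marker must be a regular file, never a link.
        if is_symlink && name.rsplit('/').next() == Some(".cargo-ok") {
            return Err(format!("refusing symlink entry {name}"));
        }
        // Check 2: bound the total unpacked size (assumed limit, see lead-in).
        total = total.checked_add(size).ok_or("size overflow")?;
        if total > max_total {
            return Err(format!("unpacked size exceeds limit of {max_total} bytes"));
        }
        out.push(Entry { name, size, is_symlink });
        pos += 512 + ((size as usize + 511) / 512) * 512; // skip data blocks
    }
    Ok(out)
}

/// Read a NUL-terminated ASCII field from a header slice.
fn cstr(field: &[u8]) -> String {
    let end = field.iter().position(|&b| b == 0).unwrap_or(field.len());
    String::from_utf8_lossy(&field[..end]).into_owned()
}

/// Build one ustar-style entry (header + zero-padded data). This is
/// constructed test input for the example, not a real .crate file.
pub fn tar_entry(name: &str, typeflag: u8, data: &[u8]) -> Vec<u8> {
    let mut v = vec![0u8; 512];
    v[..name.len()].copy_from_slice(name.as_bytes());
    v[124..135].copy_from_slice(format!("{:011o}", data.len()).as_bytes());
    v[156] = typeflag;
    v.extend_from_slice(data);
    v.resize(v.len() + (512 - data.len() % 512) % 512, 0);
    v
}
```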

Source: opennet.ru
