CVE-2024-24576 discloses an issue with std::process::Command that incorrectly escapes arguments when invoking batch files on Windows. An incomplete fix, identified as CVE-2024-43402, allows potential bypass under specific conditions involving trailing whitespace or periods in batch file names. The severity is low due to the rarity of these conditions. The original fix relied on checking file extensions but did not accommodate Windows' handling of trailing characters. Users are advised to remove such characters from file names to mitigate the issue. An update in Rust 1.81.0 will address this to prevent future occurrences.
On April 9th, 2024, the Rust Security Response WG disclosed CVE-2024-24576, revealing an issue with std::process::Command incorrectly escaping arguments when invoking batch files on Windows.
The severity of the incomplete fix for CVE-2024-43402 is low, as it requires niche conditions like trailing whitespace or periods which are ignored by Windows.
The original fix for the vulnerability checked if the command name ended with .bat or .cmd, but it did not account for how Windows treats trailing characters.
To mitigate the issue, users of Rust 1.77.2 or greater can remove trailing whitespace or periods from batch file names to prevent bypassing the incomplete fix.
Collection
[
|
...
]