List Unix-like target OSes as affected by CVE-2025-22620 #2196
Conversation
This builds on rustsec#2193 by listing all Unix-like target operating systems as affected (since a category of OSes like "unix" cannot currently be represented in RUSTSEC advisory metadata). The list was obtained by running the command given in: rustsec#1911 (comment)

The vulnerability is specific to Unix-like operating systems because:

- The vulnerable code runs only in the `unix` build configuration.
- 0777 permissions are meaningful on such systems and (due to containing 0002) allow any user account on the system to write.

Therefore, if there are any Unix-like systems where Unix-style filesystem permissions are not used, or that are *truly* single user (i.e. do not use multiple user accounts, not even for running daemons with limited privileges), then this vulnerability would not affect such systems.

In addition, I have not attempted specifically to run the proof of concept for the vulnerability on most of the listed operating systems, nor examined whether `gix-worktree-state` might not be usable on some of them for reasons unrelated to this vulnerability.

Conversely, if new target OSes are added in the future, and they are Unix-like, then they would probably be vulnerable, even though not listed here. (It may not be likely that anyone would be using an affected version of `gix-worktree-state` by that time, though.)
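The description's argument rests on one bit: a mode of 0777 includes 0002 (write for "other"), so on any multi-user Unix-like system every account can modify the file. The following is an added example, not code from this PR or from the gitoxide project, showing how a defender could audit an existing checkout for that condition and clear the bit. It uses only the Rust standard library; symlinks are skipped because `lstat` reports them as 0777 on Linux, which would otherwise produce false positives.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};

/// The "other may write" bit. 0o777 contains it; 0o755 and 0o775 do not.
pub const S_IWOTH: u32 = 0o002;

/// True when the permission bits grant write access to every account on the system.
pub fn is_world_writable(mode: u32) -> bool {
    mode & S_IWOTH != 0
}

/// Walk `root` and return every regular file or directory below it whose
/// permission bits include S_IWOTH. Symlinks are skipped: on Linux the
/// link object itself always reports 0o777, which is not a real exposure.
pub fn find_world_writable(root: &Path) -> io::Result<Vec<PathBuf>> {
    let mut hits = Vec::new();
    let mut stack = vec![root.to_path_buf()];
    while let Some(dir) = stack.pop() {
        for entry in fs::read_dir(&dir)? {
            let entry = entry?;
            // DirEntry::metadata does not follow symlinks (lstat semantics).
            let meta = entry.metadata()?;
            if meta.file_type().is_symlink() {
                continue;
            }
            let path = entry.path();
            if is_world_writable(meta.permissions().mode() & 0o777) {
                hits.push(path.clone());
            }
            if meta.is_dir() {
                stack.push(path);
            }
        }
    }
    hits.sort();
    Ok(hits)
}

/// Remediation step: drop S_IWOTH from `path`, keeping all other bits
/// (including setuid/setgid/sticky). Returns the new mode.
pub fn clear_world_write(path: &Path) -> io::Result<u32> {
    let meta = fs::symlink_metadata(path)?;
    let fixed = (meta.permissions().mode() & 0o7777) & !S_IWOTH;
    fs::set_permissions(path, fs::Permissions::from_mode(fixed))?;
    Ok(fixed)
}

fn main() -> io::Result<()> {
    // Constructed demo tree under the OS temp dir: one file deliberately
    // given the 0o777 mode the advisory describes, one left at 0o644.
    let root = std::env::temp_dir().join(format!("ww-audit-demo-{}", std::process::id()));
    fs::create_dir_all(&root)?;
    let bad = root.join("checked-out-file");
    let good = root.join("normal-file");
    fs::write(&bad, b"constructed sample")?;
    fs::write(&good, b"constructed sample")?;
    fs::set_permissions(&bad, fs::Permissions::from_mode(0o777))?;
    fs::set_permissions(&good, fs::Permissions::from_mode(0o644))?;

    for p in find_world_writable(&root)? {
        let fixed = clear_world_write(&p)?;
        println!("{}: was world-writable, now {:o}", p.display(), fixed);
    }
    fs::remove_dir_all(&root)
}
```

`find_world_writable` reports directories as well as files, since a world-writable directory lets any account create or rename entries inside it; the repair keeps every other bit intact rather than forcing a fixed mode.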
This PR is as discussed in #2193 (comment). Aside from the caveats mentioned above in the description, there's one thing I wasn't totally sure about, commented below.
Thanks!
FYI, this change is causing
Right, because older versions don't recognize this platform. This should probably be made a non-fatal error, but in the meantime we'll just remove the offending obscure platforms.
And publish a new DB without nuttx? Sounds good to me.
Removing NuttX seems especially okay at least for now, since I'm not clear on whether the vulnerability is exploitable there. (I'm not knowledgeable about what filesystems are used there, and also whether any of the conditional mitigating factors listed in the advisory that usually don't apply might more often, or even always, apply on it.) Another RTOS that's not totally Unix-like and that I wasn't sure about is VxWorks. I can see that's been removed as well, along with various others, some of which I do suspect are affected, such as Hurd. Maybe the list can be revised again, including re-adding some of the operating systems removed in #2201, once tooling permits.