
Mageia 9: 2025-0136 Critical: Rust Command API Shell Execution Risk

Mageia
April 17, 2025
Argument-escaping flaw in the Rust standard library's Command API (CVE-2024-24576) affects programs that invoke Windows batch files; Mageia 9 updates Rust to 1.78.0 to pick up the fix.

Summary

The Rust Security Response WG was notified that the Rust standard library did not properly escape arguments when invoking batch files (with the .bat and .cmd extensions) on Windows using the Command API. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical if you are invoking batch files on Windows with untrusted arguments. No other platform or use is affected: the flaw only arises when a Rust program running on Windows launches a batch file through cmd.exe, so Mageia's own Linux binaries are not exposed. Rust 1.77.2 corrected the escaping and, where an argument cannot be escaped safely, makes spawning the command fail with an InvalidInput error instead of passing it through; code that needs the old behaviour must opt in explicitly with the Windows-only CommandExt::raw_arg method and take responsibility for escaping itself. Mageia 9 updates to Rust 1.78.0, which contains the fix and is also required for future mesa updates.
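The following is an added example, not code from the Rust project or from Mageia, showing the vulnerable calling pattern beside a hardened one. The script name backup.bat, the sample inputs and the allow-list policy are constructed for illustration: the hardened version rejects any argument containing a cmd.exe metacharacter before it reaches Command, so the program never relies on the standard library's escaping alone, whichever Rust version it was built with. Nothing is spawned, so the block runs on any platform.

```rust
use std::process::Command;

/// Characters cmd.exe interprets when it parses a batch file's command line:
/// command separators, redirections, variable expansion, escaping and quoting.
/// Rejecting them outright is this example's own conservative policy; it is
/// deliberately stricter than the escaping the standard library performs.
const CMD_METACHARACTERS: &[char] =
    &['&', '|', '<', '>', '^', '%', '!', '"', '\r', '\n', '\0'];

/// Vulnerable pattern: untrusted input goes straight into the argument list.
/// With Rust < 1.77.2 on Windows, an argument that defeated the escaping could
/// make cmd.exe run a second command; with >= 1.77.2 spawn() instead fails
/// with io::ErrorKind::InvalidInput when an argument cannot be escaped safely.
pub fn build_unchecked(script: &str, untrusted: &str) -> Command {
    let mut cmd = Command::new(script);
    cmd.arg(untrusted);
    cmd
}

/// Returns Err naming the first offending character, Ok(()) if `arg` is clean.
pub fn check_batch_arg(arg: &str) -> Result<(), String> {
    match arg.chars().find(|c| CMD_METACHARACTERS.contains(c)) {
        Some(c) => Err(format!("argument {:?} contains cmd metacharacter {:?}", arg, c)),
        None => Ok(()),
    }
}

/// Hardened pattern: validate every untrusted argument before it is attached
/// to the Command, so injection is refused regardless of toolchain version.
pub fn build_checked(script: &str, untrusted: &[&str]) -> Result<Command, String> {
    for arg in untrusted {
        check_batch_arg(arg)?;
    }
    let mut cmd = Command::new(script);
    cmd.args(untrusted);
    Ok(cmd)
}

/// Arguments actually attached to a Command, for inspection without spawning.
pub fn args_of(cmd: &Command) -> Vec<String> {
    cmd.get_args().map(|a| a.to_string_lossy().into_owned()).collect()
}

fn main() {
    // Constructed inputs: the first is benign, the second carries a quote and
    // a cmd command separator of the kind the escaping bypass relied on.
    let inputs = ["report-2025-04", "x\" & calc.exe"];
    for &input in inputs.iter() {
        match build_checked("backup.bat", &[input]) {
            Ok(cmd) => println!("accepted: {:?}", args_of(&cmd)),
            Err(e) => println!("rejected: {e}"),
        }
    }
    // The unchecked builder accepts the same payload unconditionally; on a
    // patched Windows toolchain it would fail at spawn() rather than execute
    // the injected command. Nothing is spawned in this example.
    let unchecked = build_unchecked("backup.bat", inputs[1]);
    println!("unchecked builder attached: {:?}", args_of(&unchecked));
}
```

The allow-list check is intentionally blunt: it refuses `%` and `!` as well as the separators, because cmd.exe expands environment variables in arguments even when they are quoted. If a legitimate argument needs one of those characters, the right move is to pass it through a file or an environment variable rather than the command line.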

References

- https://bugs.mageia.org/show_bug.cgi?id=34107

- http://www.openwall.com/lists/oss-security/2024/04/09/16

- https://github.com/rust-lang/rust/security/advisories/GHSA-q455-m56c-85mh

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N323QAEEUVTJ354BTVQ7UB6LYXUX2BCL/

- https://blog.rust-lang.org/2024/04/09/cve-2024-24576/

- https://github.com/rust-lang/rust/releases/tag/1.78.0

- https://github.com/rust-lang/rust/releases/tag/1.77.2

- https://github.com/rust-lang/rust/releases/tag/1.77.1

- https://github.com/rust-lang/rust/releases/tag/1.77.0

- https://www.cve.org/CVERecord?id=CVE-2024-24576

Resolution

SRPMS

- 9/core/rust-1.78.0-1.mga9

Severity

Critical

Publication date: 17 Apr 2025
URL: https://advisories.mageia.org/MGASA-2025-0136.html
Type: security
CVE: CVE-2024-24576
