Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all

Low severity GitHub Reviewed Published Feb 24, 2023 in XAMPPRocky/remove_dir_all • Updated Mar 6, 2023

Package

cargo remove_dir_all (Rust)

Affected versions

< 0.8.0

Patched versions

0.8.0

Description

The remove_dir_all crate is a Rust library that offers additional features over the Rust standard library fs::remove_dir_all function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, in which an attacker who can write into the tree being deleted substitutes a symlink for a path after its type has been checked but before it is used, causing arbitrary paths outside that tree to be deleted.

Thanks to the Rust security team for identifying the problem and alerting us to it.
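The race the description refers to, as an added illustration that is not code from the remove_dir_all crate or the Rust standard library: a deliberately racy deleter that classifies each entry by path and then acts on the path again, next to a hardened deleter that anchors every syscall to an open directory descriptor and refuses to follow symlinks. A `hook` closure stands in for the check-to-use window so the swap can be reproduced deterministically; a real attacker is a concurrent process with write access to the tree. The names `remove_dir_all_racy`, `remove_dir_all_safe`, `scenario` and the `target`/`victim`/`sub` layout are this example's own. It is Linux-only: the `openat`/`unlinkat` bindings are declared by hand, the flag and errno values are Linux's, and directory enumeration goes through `/proc/self/fd/N`.

```rust
// Added illustration, not code from the remove_dir_all crate. Unix/Linux only: the libc
// calls are declared by hand and the flag and errno values are Linux's.
use std::ffi::{CStr, CString};
use std::fs::{self, File, OpenOptions};
use std::io;
use std::os::raw::{c_char, c_int};
use std::os::unix::ffi::OsStrExt;
use std::os::unix::fs::{symlink, OpenOptionsExt};
use std::os::unix::io::{AsRawFd, FromRawFd};
use std::path::Path;

extern "C" {
    fn openat(dirfd: c_int, path: *const c_char, flags: c_int, ...) -> c_int;
    fn unlinkat(dirfd: c_int, path: *const c_char, flags: c_int) -> c_int;
}
const O_DIRECTORY: c_int = 0o200000; // O_RDONLY is 0
const O_NOFOLLOW: c_int = 0o400000;
const O_CLOEXEC: c_int = 0o2000000;
const AT_REMOVEDIR: c_int = 0x200;
const ENOTDIR: i32 = 20;
const ELOOP: i32 = 40;

/// Vulnerable shape: classify an entry by path, then act on the path again. `hook` stands in
/// for the window between check and use; a real attacker is a concurrent process that can
/// write into the tree being deleted.
pub fn remove_dir_all_racy(dir: &Path, hook: &mut dyn FnMut(&Path)) -> io::Result<()> {
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        let is_dir = fs::symlink_metadata(&path)?.file_type().is_dir(); // time of check
        hook(&path); // the attacker replaces `path` with a symlink here
        if is_dir {
            remove_dir_all_racy(&path, hook)?; // time of use: read_dir now follows the symlink
            fs::remove_dir(&path)?;
        } else {
            fs::remove_file(&path)?;
        }
    }
    Ok(())
}

/// Hardened shape: every syscall is relative to an open directory descriptor and symlinks are
/// never followed, so swapping a path component cannot redirect the deletion.
fn remove_child_by_fd(parent: &File, name: &CStr, logical: &Path, hook: &mut dyn FnMut(&Path)) -> io::Result<()> {
    let fd = unsafe { openat(parent.as_raw_fd(), name.as_ptr(), O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC) };
    if fd < 0 {
        let err = io::Error::last_os_error();
        return match err.raw_os_error() {
            // A file, or a symlink (ELOOP under O_NOFOLLOW): unlink the entry itself, never its target.
            Some(ENOTDIR) | Some(ELOOP) => unlink_at(parent, name, 0),
            _ => Err(err),
        };
    }
    let dir = unsafe { File::from_raw_fd(fd) }; // closed on drop
    hook(logical); // the same race window; the swap no longer matters
    // Enumerate through the descriptor (Linux: /proc/self/fd/N), never through the path.
    for entry in fs::read_dir(format!("/proc/self/fd/{}", dir.as_raw_fd()))? {
        let entry = entry?;
        let child = CString::new(entry.file_name().as_bytes())?;
        remove_child_by_fd(&dir, &child, &logical.join(entry.file_name()), hook)?;
    }
    unlink_at(parent, name, AT_REMOVEDIR) // ENOTDIR here means the entry was swapped under us
}

fn unlink_at(parent: &File, name: &CStr, flags: c_int) -> io::Result<()> {
    match unsafe { unlinkat(parent.as_raw_fd(), name.as_ptr(), flags) } {
        0 => Ok(()),
        _ => Err(io::Error::last_os_error()),
    }
}

pub fn remove_dir_all_safe(path: &Path, hook: &mut dyn FnMut(&Path)) -> io::Result<()> {
    let invalid = || io::Error::new(io::ErrorKind::InvalidInput, "need an absolute path with a parent");
    let parent = OpenOptions::new().read(true).custom_flags(O_DIRECTORY).open(path.parent().ok_or_else(invalid)?)?;
    let name = CString::new(path.file_name().ok_or_else(invalid)?.as_bytes())?;
    remove_child_by_fd(&parent, &name, path, hook)
}

/// One run in a fresh temp dir, with constructed data: base/target/sub/file.txt is to be deleted and
/// base/victim/secret.txt must survive. The attacker swaps `sub` for a symlink to `victim` the first
/// time the deleter pauses on it. Returns the deleter's result and whether the victim file survived.
pub fn scenario(label: &str, hardened: bool) -> (io::Result<()>, bool) {
    let base = std::env::temp_dir().join(format!("toctou-demo-{}-{}", std::process::id(), label));
    let (target, victim) = (base.join("target"), base.join("victim"));
    let _ = fs::remove_dir_all(&base);
    fs::create_dir_all(target.join("sub")).unwrap();
    fs::create_dir_all(&victim).unwrap();
    fs::write(target.join("sub/file.txt"), b"doomed").unwrap();
    fs::write(victim.join("secret.txt"), b"must survive").unwrap();
    let (mut fired, stash) = (false, base.join("stash"));
    let mut attacker = |p: &Path| {
        if !fired && p.file_name().map_or(false, |n| n == "sub") {
            fired = true;
            fs::rename(p, &stash).unwrap();
            symlink(&victim, p).unwrap();
        }
    };
    let res = if hardened { remove_dir_all_safe(&target, &mut attacker) } else { remove_dir_all_racy(&target, &mut attacker) };
    let survived = victim.join("secret.txt").exists();
    let _ = fs::remove_dir_all(&base);
    (res, survived)
}
```

Running `scenario("demo", false)` deletes `victim/secret.txt` and then fails with ENOTDIR when it tries to rmdir the symlink, so the damage is done before any error surfaces; `scenario("demo", true)` leaves the victim intact and reports the swap as an error instead. The fix pattern is the same one the fd-relative rewrites of `remove_dir_all` rely on: open with `O_NOFOLLOW`, treat ELOOP as "this is a symlink, unlink it in place", and only ever name children relative to a descriptor you already hold.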

References

XAMPPRocky published to XAMPPRocky/remove_dir_all Feb 24, 2023
Published to the GitHub Advisory Database Feb 24, 2023
Reviewed Feb 24, 2023
Last updated Mar 6, 2023

Severity

Low

Weaknesses

Race Condition within a Thread (CWE-366)

If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.

Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

CVE ID

No known CVE

GHSA ID

GHSA-mc8h-8q98-g5hr