The Rust language team has published a point release of Rust to fix a critical vulnerability to the standard library that could benefit an attacker when using Windows.
Rust 1.77.2, published on April 9, includes a fix for CVE-2024-24576. Before this release, Rust’s standard library did not properly escape arguments when invoking batch files with the bat and cmd extensions on Windows using the Command API. An attacker who controlled arguments passed to a spawned process could execute arbitrary shell commands by bypassing the escape. This vulnerability becomes critical if batch files are invoked on Windows with untrusted arguments. No other platform or use was affected. Developers already using Rust can get Rust 1.77.2 using the command: rustup update stable.
Rust 1.77.2 is a point release, following Rust 1.77.1 by roughly 12 days. Version 1.77.1 addressed a situation impacting the Cargo package manager in Rust 1.77, which was announced on March 21. In Rust 1.77, Cargo enabled developers to strip debuginfo in release builds by default. However, due to a pre-existing issue, debuginfo stripping did not behave in the expected way on Windows with the MSVC toolchain. Rust 1.77.1 now disables new Cargo behavior on Windows for targets that use MSVC. There are plans to re-enable debuginfo stripping in release mode in a subsequent Rust release.