CVE-2024-56327
rage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution
Description
A plugin name containing a path separator may allow an attacker to execute an arbitrary binary. Such a plugin name can be provided to the `rage` CLI through an attacker-controlled recipient or identity string, or to the following `age` APIs when the `plugin` feature flag is enabled: - [`age::plugin::Identity::from_str`](https://docs.rs/age/0.11.0/age/plugin/struct.Identity.html#impl-FromStr-for-Identity) (or equivalently [`str::parse::<age::plugin::Identity>()`](https://doc.rust-lang.org/stable/core/primitive.str.html#method.parse)) - [`age::plugin::Identity::default_for_plugin`](https://docs.rs/age/0.11.0/age/plugin/struct.Identity.html#method.default_for_plugin) - [`age::plugin::IdentityPluginV1::new`](https://docs.rs/age/0.11.0/age/plugin/struct.IdentityPluginV1.html#method.new) - [`age::plugin::Recipient::from_str`](https://docs.rs/age/0.11.0/age/plugin/struct.Recipient.html#impl-FromStr-for-Recipient) (or equivalently [`str::parse::<age::plugin::Recipient>()`](https://doc.rust-lang.org/stable/core/primitive.str.html#method.parse)) - [`age::plugin::RecipientPluginV1::new`](https://docs.rs/age/0.11.0/age/plugin/struct.RecipientPluginV1.html#method.new) On UNIX systems, a directory matching `age-plugin-*` needs to exist in the working directory for the attack to succeed. The binary is executed with a single flag, either `--age-plugin=recipient-v1` or `--age-plugin=identity-v1`. The standard input includes the recipient or identity string, and the random file key (if encrypting) or the header of the file (if decrypting). The format is constrained by the [age-plugin](https://c2sp.org/age-plugin) protocol. An equivalent issue was fixed in [the reference Go implementation of age](https://github.com/FiloSottile/age), see advisory [GHSA-32gq-x56h-299c](https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c). Thanks to ⬡-49016 for reporting this issue.
How to fix CVE-2024-56327
To remediate CVE-2024-56327, upgrade the affected package to a fixed version below.
- —upgrade to 0.6.1 or later
- —upgrade to 0.6.1 or later
- —upgrade to 1.2.1 or later