|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "Announcing Rust 1.77.2" |
| 4 | +author: The Rust Security Response WG |
| 5 | +release: true |
| 6 | +--- |
| 7 | + |
| 8 | +The Rust team has published a new point release of Rust, 1.77.2. Rust is a |
| 9 | +programming language that is empowering everyone to build reliable and |
| 10 | +efficient software. |
| 11 | + |
| 12 | +If you have a previous version of Rust installed via rustup, getting Rust |
| 13 | +1.77.2 is as easy as: |
| 14 | + |
| 15 | +``` |
| 16 | +rustup update stable |
| 17 | +``` |
| 18 | + |
| 19 | +If you don't have it already, you can [get `rustup`][rustup] from the |
| 20 | +appropriate page on our website. |
| 21 | + |
| 22 | +[rustup]: https://www.rust-lang.org/install.html |
| 23 | + |
| 24 | +## What's in 1.77.2 |
| 25 | + |
| 26 | +This release includes a fix for [CVE-2024-24576]. |
| 27 | + |
| 28 | +Before this release, the Rust standard library did not properly escape |
| 29 | +arguments when invoking batch files (with the `bat` and `cmd` extensions) on |
| 30 | +Windows using the [`Command`] API. An attacker able to control the arguments |
| 31 | +passed to the spawned process could execute arbitrary shell commands by |
| 32 | +bypassing the escaping. |
| 33 | + |
| 34 | +This vulnerability is **CRITICAL** if you are invoking batch files on Windows |
| 35 | +with untrusted arguments. No other platform or use is affected. |
| 36 | + |
| 37 | +[You can learn more about the vulnerability in the dedicated |
| 38 | +advisory.][advisory] |
| 39 | + |
| 40 | +[CVE-2024-24576]: https://www.cve.org/CVERecord?id=CVE-2024-24576 |
| 41 | +[advisory]: https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html |
| 42 | +[`Command`]: https://doc.rust-lang.org/std/process/struct.Command.html |
| 43 | + |
| 44 | +### Contributors to 1.77.2 |
| 45 | + |
| 46 | +Many people came together to create Rust 1.77.2. We couldn't have done it |
| 47 | +without all of you. [Thanks!](https://thanks.rust-lang.org/rust/1.77.2/) |
0 commit comments