Rust installer security problem

I installed Rust today on Debian Linux, using the instructions at Installation - The Embedded Rust Book

In fact, it was a reinstall of some sort - the install script reported that it was updating something I had installed before. Nevertheless, it completed successfully.

Later, I noticed that I was able to execute binaries in the current directory without the expected leading ./ - this was because my $PATH contained ':::', resulting in searching the current directory.

I determined that this was happening because of the script ~/.cargo/env which is executed twice (once from .profile, once from .bashrc) when starting up.

This seems very undesirable.
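
The `:::` condition described in the post above can be checked mechanically, since an empty `PATH` segment resolves to the current directory. The following is an added example, not part of the thread and not rustup's code; the function names `path_audit` and `path_clean` and the sample value are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and repair a colon-separated search path.

# Print one line per risky segment; exit status is 0 only if none were found.
path_audit() {
    rest="$1:"          # sentinel colon so the final segment is also visited
    pos=0 bad=0
    while [ -n "$rest" ]; do
        seg=${rest%%:*}; rest=${rest#*:}; pos=$((pos + 1))
        case $seg in
            '') echo "segment $pos: empty, resolves to the current directory"
                bad=$((bad + 1)) ;;
            /*) ;;      # absolute path: nothing to report
            *)  echo "segment $pos: relative path '$seg'"
                bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Echo the path with empty, relative and duplicate segments dropped, order kept.
path_clean() {
    rest="$1:" out=
    while [ -n "$rest" ]; do
        seg=${rest%%:*}; rest=${rest#*:}
        case $seg in /*) ;; *) continue ;; esac   # keep absolute segments only
        case ":$out:" in                          # colons on both sides give a whole-segment match
            *":$seg:"*) ;;                        # already present: skip the duplicate
            *) out=${out:+$out:}$seg ;;
        esac
    done
    printf '%s\n' "$out"
}

# Constructed sample: a doubled entry (script sourced twice) plus a ':::' run.
SAMPLE="/home/user/.cargo/bin:/home/user/.cargo/bin:::/usr/bin:/bin"
path_audit "$SAMPLE" || echo "cleaned: $(path_clean "$SAMPLE")"
```

Running `path_audit "$PATH"` in a login shell and again in an interactive non-login shell shows which startup file introduces the empty segment.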

What does your ~/.cargo/env contain? The one I have does not look like it could cause empty segments in the PATH, only a duplication if it were sourced twice.

export PATH="$HOME/.cargo/bin:$PATH"

Looks like that's old though, and a fresh installation tries to avoid duplication:

#!/bin/sh
# rustup shell setup
# affix colons on either side of $PATH to simplify matching
case ":${PATH}:" in
    *:"$HOME/.cargo/bin":*)
        ;;
    *)
        # Prepending path in case a system-installed rustc needs to be overridden
        export PATH="$HOME/.cargo/bin:$PATH"
        ;;
esac

Mine is the same.
And I have retested and I was possibly wrong about env doing that - though I haven't yet found out what is.

Yup, my mistake - definitely not the installer.
Sorry!
