RUSTSEC-2021-0077

better-macro has deliberate RCE to prove a point

Reported

July 22, 2021

Issued

July 26, 2021 (last modified: November 6, 2021)

Package

better-macro (crates.io)

Type

Vulnerability

Categories

code-execution

Keywords

#rce #proc-macro

Aliases

CVE-2021-38196

Details

https://github.com/raycar5/better-macro/blob/24ff1702397b9c19bbfa4c660e2316cd77d3b900/src/lib.rs#L36-L38

Patched

no patched versions

Affected Functions

Version

better_macro::println

>1.0.0

Description

better-macro is a fake crate which is "Proving A Point" that proc-macros can run arbitrary code. This is not a particularly novel or interesting observation.

It currently opens https://github.com/raycar5/better-macro/blob/master/doc/hi.md which doesn't appear to have any malicious content, but there's no guarantee that will remain the case.

This crate has no useful functionality, and should not be used.