Security Advisory for crates.io, 2016-08-15



Hey all; a cross post from the announcement list at https://groups.google.com/forum/#!topic/rustlang-security-announcements/BK_3gbXhSn4

That link contains a signed version with our PGP key, as well.


The Rust team was recently notified of a security vulnerability affecting
crates.io. It has since been resolved, and there is no indication that the bug
has been exploited. For most users, no action need be taken at this time,
though users who have renamed their GitHub accounts since publishing to
crates.io are recommended to validate their published crates according to
details below.

The vulnerability worked as follows: if a user with a crates.io login renamed
their GitHub account then another GitHub user could claim the old username (on
GitHub) and then log into the existing crates.io account. This would result in
full access to publish or yank crates under that account.

The flaw was that crates.io tracked users by username, instead of by unique ID.
The issue has since been fixed by tracking GitHub users by unique ID rather
than by username. This ID is persistent across renames and prevents new users
on GitHub from logging into existing accounts on crates.io. Implementing this
fix involved filling in all existing crates.io users’ GitHub user IDs.

Though we have no indication that the bug has been exploited, due to the nature
of the vulnerability we cannot know whether any users were compromised.

As a precaution, if you have logged into crates.io and subsequently renamed
your GitHub account prior to Friday, August 12, 2016, we recommend that you log
into crates.io and check that the set of crates under your account is what you
expect. If somebody were to be affected by this vulnerability, the symptom they
would see is that entire crates they had previously owned and published would
no longer be owned by them, their account under the old name having been
transferred to another user. Again, we have no indication this has happened,
but if you believe you have been affected please report it to the Rust
security email address.

Many thanks to Carol Nichols || Goulding (@carols10cents) for responsibly
reporting this and helping us identify and test a fix! The timeline of
events is as follows:

  • 2016-08-09 at 17:07 PST - Notification of the vulnerability to
    security@rust-lang.org
  • 2016-08-09 at 17:41 PST - Response acknowledging report
  • 2016-08-10 at 14:00 PST - Decision to escalate to the core team’s agenda;
    the conclusion was to prioritize a fix for this issue.
  • 2016-08-11 at 18:49 PST - Fix deployed, all users tracked via GitHub
    ID and all logins matching based on this. Some users remained to be filled in.
  • 2016-08-12 at 10:35 PST - All user rows filled in with a GitHub ID.
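The advisory describes the flaw (account lookup keyed on a GitHub login name, which its owner can change and someone else can then claim) and the fix (lookup keyed on the immutable numeric GitHub user id, with a one-off backfill of ids for existing rows). The following Rust snippet is an added illustration written for this post; it is not crates.io's code, and the `User` record shape, the `lookup` closure standing in for a GitHub API call, and the account names and ids are all constructed for the example. It models both lookup schemes side by side and replays the scenario from the advisory: a user publishes, renames their GitHub account, and a different GitHub account then registers the old name.

```rust
use std::collections::HashMap;

/// What an OAuth login learns from GitHub (constructed shape for this example).
#[derive(Clone, Debug, PartialEq)]
pub struct GithubIdentity {
    pub id: u64,       // immutable numeric account id, survives renames
    pub login: String, // user-visible name; can be changed and later re-registered
}

/// A crates.io-style user row (hypothetical shape, not the real schema).
#[derive(Clone, Debug)]
pub struct User {
    pub crates_io_id: u32,
    pub gh_login: String,
    pub gh_id: Option<u64>, // None for rows created before ids were recorded
}

/// Pre-fix scheme: the login name is the key. Whoever currently holds the
/// name on GitHub resolves to this row.
pub fn login_by_name(users: &[User], ident: &GithubIdentity) -> Option<u32> {
    users.iter().find(|u| u.gh_login == ident.login).map(|u| u.crates_io_id)
}

/// Post-fix scheme: the numeric id is the key. The stored login is only a
/// display value, refreshed on every login so renames are tracked.
pub fn login_by_id(users: &mut [User], ident: &GithubIdentity) -> Option<u32> {
    let u = users.iter_mut().find(|u| u.gh_id == Some(ident.id))?;
    u.gh_login = ident.login.clone();
    Some(u.crates_io_id)
}

/// One-off migration: fill in gh_id for rows that predate the fix. `lookup`
/// is a stand-in for asking GitHub which id currently owns a login name.
/// Returns the number of rows that were filled.
pub fn backfill_ids(users: &mut [User], lookup: impl Fn(&str) -> Option<u64>) -> usize {
    let mut filled = 0;
    for u in users.iter_mut().filter(|u| u.gh_id.is_none()) {
        if let Some(id) = lookup(&u.gh_login) {
            u.gh_id = Some(id);
            filled += 1;
        }
    }
    filled
}

/// The advisory's scenario: "alice" (GitHub id 1001) has a crates.io account,
/// renames to "alice2", and a second GitHub account (id 2002) then registers
/// "alice". Returns (result under the old scheme, result under the fixed scheme).
pub fn claimed_old_name() -> (Option<u32>, Option<u32>) {
    let mut users = vec![User { crates_io_id: 1, gh_login: "alice".into(), gh_id: Some(1001) }];
    let newcomer = GithubIdentity { id: 2002, login: "alice".into() };
    let by_name = login_by_name(&users, &newcomer); // Some(1): resolves to alice's account
    let by_id = login_by_id(&mut users, &newcomer); // None: id 2002 has no account
    (by_name, by_id)
}

/// The legitimate owner logging in after the rename still reaches their
/// account under the fixed scheme, and the stored login is updated.
pub fn owner_after_rename() -> (Option<u32>, String) {
    let mut users = vec![User { crates_io_id: 1, gh_login: "alice".into(), gh_id: Some(1001) }];
    let owner = GithubIdentity { id: 1001, login: "alice2".into() };
    let result = login_by_id(&mut users, &owner);
    (result, users[0].gh_login.clone())
}

/// Backfill over a small constructed directory of login -> id.
pub fn backfill_example() -> (usize, Vec<Option<u64>>) {
    let directory: HashMap<&str, u64> = [("alice", 1001), ("bob", 1002)].into_iter().collect();
    let mut users = vec![
        User { crates_io_id: 1, gh_login: "alice".into(), gh_id: None },
        User { crates_io_id: 2, gh_login: "bob".into(), gh_id: None },
        User { crates_io_id: 3, gh_login: "carol".into(), gh_id: Some(1003) },
    ];
    let filled = backfill_ids(&mut users, |login| directory.get(login).copied());
    (filled, users.iter().map(|u| u.gh_id).collect())
}

fn main() {
    println!("old name claimed by another account: {:?}", claimed_old_name());
    println!("owner after rename: {:?}", owner_after_rename());
    println!("backfill: {:?}", backfill_example());
}
```

The backfill necessarily resolves each old row by its login name, which is the very binding the fix stops trusting; that is why the advisory's advice to check your crate list still applies to anyone who had already renamed before the ids were recorded.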