Hey all; a cross post from the announcement list at Redirecting to Google Groups
That link contains a signed version with our PGP key, as well.
The Rust team was recently notified of a security vulnerability affecting
crates.io. It has since been resolved, and there is no indication that the bug
has been exploited. No action is necessary from any user, this email is a
notice about the vulnerability in addition to a disclosure of the timeline of
events.
When Cargo extracted the source code for a package on crates.io it could
overwrite the source code for another package.
Source code is stored on crates.io as a tarball, and Cargo uses the tar
crate
to parse these tarballs and extract them. Historically Cargo extracted these
tarballs directly into the global crate cache 1, relying on each tarball to
only actually have one directory of the form foo-0.1.0
($name-$version
).
This was not verified, however, and if a tarball contained multiple top-level
directories then the extraction would overwrite or create new files in the
global crate cache.
Cargo itself would never manufacture a tarball with more than one top-level
directory, but a malicious tarball could be uploaded directly to crates.io
which could exhibit this behavior. Cargo's cache for downloaded crates is a
global one, which means that an unrelated project could poison anothers'
dependency graph by overwriting a crate's source code, causing malicious code
to be compiled and executed eventually.
A fix for this issue was first implemented on crates.io 2 to reject any
tarball being published which contains a top-level directory not of the form
expected ($crate_name-$crate_version
). After this patch was merged and
deployed all tarballs ever published to crates.io were downloaded and
inspected. No tarball ever uploaded to crates.io exhibited malicious behavior
with multiple top-level directories.
As a second precaution a change was also landed in Cargo 3 which causes Cargo
to return an error if a tarball looks ill-formed. This change will be present
in Cargo of Rust 1.22.0, to be released 2017-11-23. To reiterate, this change
is not needed to protect from malicious downloads from crates.io. Only
well-formed tarballs can be uploaded to crates.io as of a few days ago.
Many thanks to Justin Geibel (@jtgeibel) for responsibly reporting this 4 and
helping us identify and test a fix! The timeline of events is as follows:
- 2017-09-13 @ 19:19 - Justin sends mail to security@rust-lang.org about this
- 2017-09-13 @ 19:28 - response sent to Justin acknowledging the vulnerability
- 2017-09-13 @ 21:14 - a patch to crates.io was finished, all current
tarballs verified not-malicious - 2017-09-14 @ 9:10 - crates.io PR proposed
- 2017-09-14 @ 10:04 - crates.io PR merged and deployed
- 2017-09-14 @ 12:08 - cargo PR proposed
- 2017-09-14 @ 12:26 - crates.io verified again to contain no malicious tarballs
- 2017-09-17 @ 16:10 - cargo PR merged