Hey all; a cross post from the announcement list at https://groups.google.com/forum/#!topic/rustlang-security-announcements/ALbMvU-q9Qs

That link contains a signed version with our PGP key, as well.

The Rust team was recently notified of a security vulnerability affecting crates.io. It has since been resolved, and there is no indication that the bug has been exploited. No action is necessary from any user; this email is a notice about the vulnerability in addition to a disclosure of the timeline of events.

When Cargo extracted the source code for a package on crates.io it could overwrite the source code for another package.

Source code is stored on crates.io as a tarball, and Cargo uses the tar crate to parse these tarballs and extract them. Historically Cargo extracted these tarballs directly into the global crate cache [1], relying on each tarball to only actually have one directory of the form foo-0.1.0 ( $name-$version ). This was not verified, however, and if a tarball contained multiple top-level directories then the extraction would overwrite or create new files in the global crate cache.

Cargo itself would never manufacture a tarball with more than one top-level directory, but a malicious tarball could be uploaded directly to crates.io which could exhibit this behavior. Cargo's cache for downloaded crates is a global one, which means that an unrelated project could poison another's dependency graph by overwriting a crate's source code, causing malicious code to be compiled and executed eventually.

A fix for this issue was first implemented on crates.io [2] to reject any tarball being published which contains a top-level directory not of the form expected ( $crate_name-$crate_version ). After this patch was merged and deployed all tarballs ever published to crates.io were downloaded and inspected. No tarball ever uploaded to crates.io exhibited malicious behavior with multiple top-level directories.

As a second precaution a change was also landed in Cargo [3] which causes Cargo to return an error if a tarball looks ill-formed. This change will be present in Cargo of Rust 1.22.0, to be released 2017-11-23. To reiterate, this change is not needed to protect from malicious downloads from crates.io. Only well-formed tarballs can be uploaded to crates.io as of a few days ago.
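The check described above (every entry must live under a single top-level directory named `$name-$version`) is small enough to show in full. The following is an added illustration and is not the announcement's, Cargo's or crates.io's code; the real fixes are in the linked crates.io and Cargo changes. It assumes the entry paths have already been read out of the archive (for example with the tar crate, which is omitted here), and the type and function names (`EntryVerdict`, `check_entry`, `validate_entries`) are hypothetical. It goes slightly beyond the text in also rejecting entries whose first component is not a plain directory name (absolute paths, `.`, `..`), since those cannot be under `$name-$version/` either.

```rust
use std::path::{Component, Path};

/// Outcome of checking one archive entry path (hypothetical type for this example).
#[derive(Debug, PartialEq)]
pub enum EntryVerdict {
    /// Entry is under the expected `$name-$version/` directory.
    Ok,
    /// Entry is under some other top-level directory (the offending name is carried).
    WrongTopLevel(String),
    /// First path component is not a plain name: empty path, `/`, `.` or `..`.
    Malformed,
}

/// The one top-level directory a crate tarball is allowed to contain: `$name-$version`.
pub fn expected_prefix(name: &str, version: &str) -> String {
    format!("{}-{}", name, version)
}

/// Classify a single entry path against the expected top-level directory.
/// Only a `Normal` first component is accepted; `RootDir`, `CurDir`, `ParentDir`
/// and an empty path are all reported as malformed rather than silently skipped.
pub fn check_entry(entry: &str, prefix: &str) -> EntryVerdict {
    let mut components = Path::new(entry).components();
    match components.next() {
        Some(Component::Normal(first)) => {
            if first.to_str() == Some(prefix) {
                EntryVerdict::Ok
            } else {
                EntryVerdict::WrongTopLevel(first.to_string_lossy().into_owned())
            }
        }
        _ => EntryVerdict::Malformed,
    }
}

/// Validate every entry path of a tarball. Returns `Ok(())` when all entries sit
/// under `$name-$version/`; otherwise the first offending entry and its verdict,
/// so a publish endpoint can reject the upload with a precise reason.
pub fn validate_entries<'a, I>(
    entries: I,
    name: &str,
    version: &str,
) -> Result<(), (String, EntryVerdict)>
where
    I: IntoIterator<Item = &'a str>,
{
    let prefix = expected_prefix(name, version);
    for entry in entries {
        match check_entry(entry, &prefix) {
            EntryVerdict::Ok => {}
            bad => return Err((entry.to_string(), bad)),
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample entry lists; these do not come from any real crate.
    let well_formed = ["foo-0.1.0/Cargo.toml", "foo-0.1.0/src/lib.rs"];
    let ill_formed = ["foo-0.1.0/Cargo.toml", "serde-1.0.0/src/lib.rs"];

    println!("{:?}", validate_entries(well_formed, "foo", "0.1.0"));
    println!("{:?}", validate_entries(ill_formed, "foo", "0.1.0"));
}
```

Run as written, the first call returns `Ok(())` and the second reports `serde-1.0.0/src/lib.rs` as living under the wrong top-level directory, which is exactly the shape of tarball the announcement says would have overwritten another crate's source in the global cache. Applying the check at publish time (as crates.io now does) stops such an archive from ever being stored; applying it again at extraction time (as Cargo 1.22.0 does) means a client does not have to trust the registry to have done so.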

Many thanks to Justin Geibel (@jtgeibel) for responsibly reporting this [4] and helping us identify and test a fix! The timeline of events is as follows: