| 1 | +```toml |
| 2 | +[advisory] |
| 3 | +id = "CVE-2019-16760" |
| 4 | +package = "cargo" |
| 5 | +aliases = ["GHSA-phjm-8x66-qw4r"] |
| 6 | +date = "2019-09-30" |
| 7 | +url = "https://groups.google.com/forum/#!topic/rustlang-security-announcements/rVQ5e3TDnpQ" |
| 8 | + |
| 9 | +[versions] |
| 10 | +patched = [">= 1.26.0"] |
| 11 | +``` |
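Review bot: the `patched = [">= 1.26.0"]` bound in the `[versions]` table is a Rust toolchain version, but `package = "cargo"` refers to the cargo crate, whose versions are 0.x, so as written every published cargo version matches as unpatched. The body's "Affected Versions" section says Cargo up through 0.26.0 is affected and all later Cargo versions are not, so the bound should be the first Cargo version after 0.26.0, i.e. `patched = [">= 0.27.0"]` (the Cargo shipped with Rust 1.26.0); the Rust-release framing belongs in the prose, not in the version range the advisory database will evaluate.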
| 12 | + |
| 13 | +# Cargo prior to Rust 1.26.0 may download the wrong dependency |
| 14 | + |
| 15 | +The Rust team was recently notified of a security concern when using older |
| 16 | +versions of Cargo to build crates which use the package rename feature added in |
| 17 | +newer versions of Cargo. If you're using Rust 1.26.0, released on 2018-05-10, |
| 18 | +or later you're not affected. |
| 19 | + |
| 20 | +The CVE for this vulnerability is [CVE-2019-16760][0]. |
| 21 | + |
| 22 | +## Overview |
| 23 | + |
| 24 | +Cargo can be configured through `Cargo.toml` and the `[dependencies]` section |
| 25 | +to depend on different crates, such as those from crates.io. There are multiple |
| 26 | +ways to configure how you depend on crates as well, for example if you depend |
| 27 | +on `serde` and enable the `derive` feature it would look like: |
| 28 | + |
| 29 | +```toml |
| 30 | +serde = { version = "1.0", features = ['derive'] } |
| 31 | +``` |
| 32 | + |
| 33 | +Rust 1.31.0 [introduced a new feature of Cargo][1] where one of the optional |
| 34 | +keys you can specify in this map is `package`, a way to [rename a crate |
| 35 | +locally][2]. For example if you preferred to use `serde1` locally instead of |
| 36 | +`serde`, you could write: |
| 37 | + |
| 38 | +```toml |
| 39 | +serde1 = { version = "1.0", features = ['derive'], package = "serde" } |
| 40 | +``` |
| 41 | + |
| 42 | +It's the addition of the `package` key that causes Cargo to compile the crate |
| 43 | +differently. This feature was [first implemented][3] in Rust 1.26.0, but it was |
| 44 | +unstable at the time. For Rust 1.25.0 and prior, however, Cargo would ignore |
| 45 | +the `package` key and and interpret the dependency line as if it were: |
| 46 | + |
| 47 | +```toml |
| 48 | +serde1 = { version = "1.0", features = ['derive'] } |
| 49 | +``` |
| 50 | + |
| 51 | +This means when compiled with Rust 1.25.0 and prior then it would attempt to |
| 52 | +download the `serde1` crate. A malicious user could squat the `serde1` name on |
| 53 | +crates.io to look like `serde 1.0.0` but instead act maliciously when built. |
| 54 | + |
| 55 | +In summary, usage of the `package` key to rename dependencies in `Cargo.toml` |
| 56 | +is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo |
| 57 | +will ignore `package` and download the wrong dependency, which could be |
| 58 | +squatted on crates.io to be a malicious package. This not only affects |
| 59 | +manifests that you write locally yourself, but also manifests published to |
| 60 | +crates.io. If you published a crate, for example, that depends on `serde1` to |
| 61 | +crates.io then users who depend on you may also be vulnerable if they use Rust |
| 62 | +1.25.0 and prior. |
| 63 | + |
| 64 | +## Affected Versions |
| 65 | + |
| 66 | +Rust 1.0.0 through Rust 1.25.0 is affected by this advisory because Cargo will |
| 67 | +ignore the `package` key in manifests. Rust 1.26.0 through Rust 1.30.0 are not |
| 68 | +affected and typically will emit an error because the `package` key is |
| 69 | +unstable. Rust 1.31.0 and after are not affected because Cargo understands the |
| 70 | +`package` key. |
| 71 | + |
| 72 | +In terms of Cargo versions, this affects Cargo up through Cargo 0.26.0. All |
| 73 | +future versions of Cargo are unaffected. |
| 74 | + |
| 75 | +## Mitigations |
| 76 | + |
| 77 | +We strongly recommend that users of the affected versions update their compiler |
| 78 | +to the latest available one. Preventing this issue from happening requires |
| 79 | +updating your compiler to either Rust 1.26.0 or newer. |
| 80 | + |
| 81 | +We will not be issuing a patch release for Rust versions prior to 1.26.0. Users |
| 82 | +of Rust 1.19.0 to Rust 1.25.0 can instead apply [the provided patches][4] to |
| 83 | +mitigate the issue. |
| 84 | + |
| 85 | +An audit of existing crates published to crates.io using the `package` key has |
| 86 | +been performed and there is no evidence that this vulnerability has been |
| 87 | +exploited in the wild. Our audit only covers the crates currently published on |
| 88 | +crates.io: if you notice crates exploiting this vulnerability in the future |
| 89 | +please don't hesitate to email secu...@rust-lang.org in accordance with [our |
| 90 | +security policy][5]. |
| 91 | + |
| 92 | +## Timeline of events |
| 93 | + |
| 94 | +* Wed, Sep 18, 2019 at 13:54 UTC - Bug reported to secu...@rust-lang.org |
| 95 | +* Wed, Sep 18, 2019 at 15:35 UTC - Response confirming the report |
| 96 | +* Wed, Sep 18, 2019 - Cargo, Core, and crates.io teams confer on how best to |
| 97 | +handle this |
| 98 | +* Thu, Sep 19, 2019 - Confirmed with Elichai plan of action and continued to |
| 99 | +audit existing crates |
| 100 | +* Mon, Sep 23, 2019 - Advisory drafted, patches developed, audit completed |
| 101 | +* Mon, Sep 30, 2019 - Advisory published, security list informed of this issue |
| 102 | + |
| 103 | +## Acknowledgments |
| 104 | + |
| 105 | +Thanks to Elichai Turkel, who found this bug and reported it to us in accordance |
| 106 | +with our [security policy][5]. |
| 107 | + |
| 108 | +## Links |
| 109 | + |
| 110 | +[0]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16760 |
| 111 | +[1]: https://blog.rust-lang.org/2018/12/06/Rust-1.31-and-rust-2018.html#cargo-features |
| 112 | +[2]: https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#renaming-dependencies-in-cargotoml |
| 113 | +[3]: https://github.com/rust-lang/cargo/pull/4953 |
| 114 | +[4]: https://gist.github.com/pietroalbini/0d293b24a44babbeb6187e06eebd4992 |
| 115 | +[5]: https://www.rust-lang.org/policies/security |
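Review bot: typo in the Overview, "Cargo would ignore the `package` key and and interpret" should read "and interpret". The contact address in the Mitigations section and the Timeline appears as `secu...@rust-lang.org`, an elision from the mailing-list copy the text was taken from; the advisory should carry the full address from the original announcement rather than the truncated form. Minor: the "Mitigations" paragraph says both "update their compiler to the latest available one" and "either Rust 1.26.0 or newer"; collapsing that to one statement (1.26.0 or newer, latest recommended) would read more cleanly.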