A Cargo vulnerability in Rust 1.25 and prior makes it ignore the package key and download a wrong dependency

2 min read

Yesterday, the Rust team shared that a Cargo vulnerability confuses the older versions of Cargo making them ignore the new package rename feature and download a wrong dependency. This vulnerability, tracked as CVE-2019-16760, affects Rust 1.0 through Rust 1.25.

The vulnerability was first reported to the Rust team by Elichai Turkel:

Details of Cargo vulnerability

Rust 1.31 introduced the package configuration key for renaming dependencies in the ‘Cargo.toml’ manifest file. In Rust 1.25 and prior, Cargo ignores its usage to rename dependencies and may end up downloading a wrong dependency. It affects not only manifests that are written locally, but also those that are published to crates.io.

If you published a crate, for example, that depends on `serde1` to crates.io then users who depend on you may also be vulnerable if they use Rust 1.25.0 and prior. Rust 1.0.0 through Rust 1.25.0 is affected by this advisory because Cargo will ignore the `package` key in manifests,” the team wrote.

This vulnerability does not affect Rust 1.26 through Rust 1.30 versions and will throw an error as the package key is unstable in these versions. Rust 1.31 and later are not affected because Cargo understands the package key.

Mitigation steps to prevent this Cargo vulnerability

The team has already audited the existing crates using the package key published to crates.io and have not detected any exploit of this vulnerability. However, they have recommended users of the affected versions to update their compiler to either 1.26 or later.

The team further wrote, “We will not be issuing a patch release for Rust versions prior to 1.26.0. Users of Rust 1.19.0 to Rust 1.25.0 can instead apply the provided patches to mitigate the issue.

This news sparked a discussion on Reddit where developers discussed how this could have been avoided. A user commented, “What do we learn from this? Always throw an error if you encounter an unknown key inside a known configuration object.

Another user suggested, “It would be better to have the config contain a “minimum allowed cargo version”, and if you want to use new features you have to bump this version number to at least the version which added the feature. Old versions of cargo can detect the version number and automatically refuse to compile the crate if the minimum version is newer than the cargo version.

Read the official announcement by the Rust team to know more about this vulnerability in detail.

Read Next

Rust 1.38 releases with pipelined compilation for better parallelism while building a multi-crate project

Mozilla introduces Neqo, Rust implementation for QUIC, new http protocol

Introducing Weld, a runtime written in Rust and LLVM for cross-library optimizations