the response time of the rust team was extremely quick, great job!

2017-09-13 @ 19:19 - Justin sends mail to security@rust-lang.org about this
2017-09-13 @ 19:28 - response sent to Justin acknowledging the vulnerability
2017-09-13 @ 21:14 - a patch to crates.io was finished, all current tarballs verified not-malicious
As always: there are no silver bullets. Neither static typing nor Rust can save you from all bugs.

If you follow the link to the security announcement list, you can see the one other advisory we've had since 1.0 as well.
the second 'precaution' fix looks actually important because it stops an archive from following a symlink it creates that would allow it to write outside of the package directory. my thoughts are:

before the precaution fix this was a legal archive:

    $crate_name-$crate_version/outside -> ../
    $crate_name-$crate_version/outside/$other_crate-$other-version/blah/blah

then you have this code:

https://github.com/rust-lang/cargo/pull/4493/files#diff-ce3ac564b3688633fe9c7ccb934e6253L316

    tar.unpack(dst.parent().unwrap())?;

so while Archive#unpack protects you against following symlinks outside of `dst` (which is a really good default!) it doesn't protect you from following symlinks inside of `dst`, so presumably you can use the symlink trick to overwrite other packages.

i haven't tested this so this could be wrong :/ like maybe archive by default doesn't create symlinks or reorders the extraction so symlinks are always created last.
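The check the comment above is asking for, written out as an added example (this is not cargo's or tar-rs's code, and the package name `pkg-1.0` and the archive contents are constructed for the demonstration): before extracting anything, walk the archive's members and refuse any entry whose path or link target leaves the package directory, and, the point raised above, any entry whose path passes through a directory that an earlier symlink member would have created. Checking the member list up front means the order of entries in the archive does not matter.

```python
import io
import posixpath
import tarfile


def _normalized(name):
    """Normalize an archive path to POSIX form; return None if it is absolute or contains '..'."""
    parts = [p for p in posixpath.normpath(name).split("/") if p not in ("", ".")]
    if name.startswith("/") or any(p == ".." for p in parts):
        return None
    return "/".join(parts)


def _inside(path, package_dir):
    """True if the normalized archive path is the package directory or lies beneath it."""
    return path == package_dir or path.startswith(package_dir + "/")


def audit_members(members, package_dir):
    """Return [(member_name, reason), ...] for entries that must not be extracted.

    `members` is an iterable of tarfile.TarInfo; `package_dir` is the top-level
    directory (e.g. "$crate_name-$crate_version") every entry must stay inside.
    Rules applied (added checker, not the project's own logic):
      1. no absolute paths and no '..' components in member names;
      2. every member lives under package_dir;
      3. symlink/hardlink targets, resolved relative to the link's location, stay under package_dir;
      4. no member path passes through a directory that a symlink member would create.
    """
    problems = []
    symlink_paths = set()  # normalized paths of symlink members seen so far
    for m in members:
        norm = _normalized(m.name)
        if norm is None:
            problems.append((m.name, "escapes via absolute path or '..'"))
            continue
        if not _inside(norm, package_dir):
            problems.append((m.name, "outside package directory"))
            continue
        # rule 4: any ancestor of this path that is a symlink means we would write through it
        parts = norm.split("/")
        through = [ "/".join(parts[:i]) for i in range(1, len(parts)) if "/".join(parts[:i]) in symlink_paths ]
        if through:
            problems.append((m.name, "path goes through symlink %r" % through[0]))
            continue
        if m.issym():
            symlink_paths.add(norm)  # recorded even if its target is rejected below
        if m.issym() or m.islnk():
            # symlink targets are relative to the link's directory; hard links name an archive path
            target = posixpath.join(posixpath.dirname(norm), m.linkname) if m.issym() else m.linkname
            tnorm = _normalized(target)
            if tnorm is None or not _inside(tnorm, package_dir):
                problems.append((m.name, "link target %r leaves package directory" % m.linkname))
    return problems


def build_example_tarball(package_dir="pkg-1.0", malicious=True):
    """Constructed sample archive built in memory: the shape from the comment above
    (a symlink to '../' followed by a file written through it) plus one benign file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        if malicious:
            link = tarfile.TarInfo(package_dir + "/outside")
            link.type = tarfile.SYMTYPE
            link.linkname = "../"
            tar.addfile(link)
            payload = b"overwritten\n"
            f = tarfile.TarInfo(package_dir + "/outside/other-1.0/blah")
            f.size = len(payload)
            tar.addfile(f, io.BytesIO(payload))
        src = b"// constructed placeholder\n"
        good = tarfile.TarInfo(package_dir + "/src/lib.rs")
        good.size = len(src)
        tar.addfile(good, io.BytesIO(src))
    return buf.getvalue()


def audit_tarball(blob, package_dir):
    """Audit a tarball held in memory without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return audit_members(tar.getmembers(), package_dir)


def safe_extract(blob, dest, package_dir):
    """Extract only if the audit is clean; raise ValueError listing the offending entries otherwise."""
    problems = audit_tarball(blob, package_dir)
    if problems:
        raise ValueError("refusing to extract: %r" % problems)
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        tar.extractall(dest)


if __name__ == "__main__":
    for name, reason in audit_tarball(build_example_tarball(), "pkg-1.0"):
        print("rejected %s: %s" % (name, reason))
```

Running the block rejects both `pkg-1.0/outside` (its target leaves the package directory) and `pkg-1.0/outside/other-1.0/blah` (its path goes through that symlink), while the benign `pkg-1.0/src/lib.rs` passes. Newer Python releases (3.12, and backports of PEP 706) also offer `extractall(filter="data")`, which refuses links pointing outside the destination; the explicit audit above is the portable version of the same idea and adds the through-a-symlink check the comment is worried about.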
Why is it that people are still writing code in languages such as Rust when we have much better alternatives such as C? In C this bug would have never happened. ;)