CVE-2019-16760 in Rust

Summary

by MITRE

Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package` configuration key. Usage of the `package` key to rename dependencies in `Cargo.toml` is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior are used, Cargo may download the wrong dependency, which could be squatted on crates.io to be a malicious package.

This not only affects manifests that you write locally yourself, but also manifests published to crates.io. If you published a crate, for example, that depends on `serde1` to crates.io, then users who depend on you may also be vulnerable if they use Rust 1.25.0 and prior.

Rust 1.0.0 through Rust 1.25.0 are affected by this advisory because Cargo will ignore the `package` key in manifests. Rust 1.26.0 through Rust 1.30.0 are not affected and typically will emit an error because the `package` key is unstable. Rust 1.31.0 and after are not affected because Cargo understands the `package` key.

Users of the affected versions are strongly encouraged to update their compiler to the latest available one. Preventing this issue from happening requires updating your compiler to be either Rust 1.26.0 or newer. There will be no patch issued for Rust versions prior to 1.26.0. Users of Rust 1.19.0 to Rust 1.25.0 can instead apply linked patches to mitigate the issue.


Analysis

by VulDB Data Team • 12/29/2023

This vulnerability is a critical dependency confusion flaw in the Cargo package manager affecting Rust versions prior to 1.26.0. It stems from improper handling of the `package` configuration key in `Cargo.toml` manifest files: the dependency resolver does not interpret the package renaming mechanism at all. When developers use the `package` key to rename a dependency, affected Cargo versions silently ignore it, so the package manager resolves the dependency by the key under which it is declared rather than by the crate named in `package`, and may therefore download an unintended package from the registry.

The flaw lies in Cargo's dependency resolution logic, where the `package` key is silently disregarded during manifest parsing. This vulnerability is categorized under CWE-252, representing an improper validation of a dependency specification, and aligns with ATT&CK technique T1195.002 for supply chain compromise through dependency confusion. The issue affects not only locally authored manifests but also crates published to crates.io, so its impact spans the Rust ecosystem: when a published crate depends on a renamed package, downstream consumers building with a vulnerable Rust version can end up downloading a malicious package that squats on the original dependency name.

The operational impact extends beyond individual developers to a systemic risk within the Rust package ecosystem. An attacker can register a malicious crate on crates.io whose name matches the original dependency name, knowing that vulnerable systems will download it instead of the intended renamed dependency; publishing such a crate is enough to compromise downstream builds. All Rust versions from 1.0.0 through 1.25.0 are affected, and because Cargo ignores the `package` key entirely, the whole dependency resolution chain of an affected manifest is at risk.

Mitigation requires updating the compiler to Rust 1.26.0 or newer, where the `package` key is properly supported and validated. In Rust 1.26.0 through 1.30.0 the Rust team kept the key unstable, so using it produced a compilation error instead of being silently ignored, which alerts developers to the issue; Rust 1.31.0 and later understand the key. For users who cannot upgrade immediately, patches are available for Rust 1.19.0 through 1.25.0 that address the dependency resolution flaw. Organizations should also verify dependencies systematically, including regular security audits of their dependency trees, and keep development environments up to date. The vulnerability illustrates how a seemingly minor configuration parsing issue in a package manager can have serious security implications.
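The following is an added example, not code from VulDB, MITRE or the Rust project. It models the resolution difference described above, with one function for the legacy behaviour (Cargo 1.0.0 through 1.25.0 ignores `package`) and one for the current behaviour (Cargo 1.31.0 and later honours it), and then scans a manifest for dependency entries where the two disagree, which is the audit check a team still carrying old toolchains would want. The manifest reader is a deliberately small line-based scanner of the `[dependencies]` tables, not a full TOML parser (assumption: one entry per line, in the inline-table or `[dependencies.name]` form; target-specific tables are skipped); the sample manifest and the crate names in it are constructed for illustration.

```rust
// Added example: not VulDB's, MITRE's or the Rust project's code.
// Models how Cargo maps a dependency entry to a registry crate name before
// and after the CVE-2019-16760 fix, and flags entries whose outcome differs.

#[derive(Debug, Clone, PartialEq)]
pub struct Dep {
    /// Key under [dependencies]: the name the crate is referred to by in code.
    pub name: String,
    /// Value of `package = "..."`: the crate actually wanted from the registry.
    pub package: Option<String>,
}

/// Cargo 1.0.0 through 1.25.0 ignored `package`, so the registry lookup
/// used the dependency key itself.
pub fn resolve_legacy(dep: &Dep) -> &str {
    &dep.name
}

/// Cargo 1.31.0 and later honour `package`; without it the key is the crate name.
pub fn resolve_current(dep: &Dep) -> &str {
    dep.package.as_deref().unwrap_or(&dep.name)
}

/// Entries where an old toolchain would fetch a different crate than intended.
/// Each result is (dependency key, crate an old Cargo fetches, crate intended).
pub fn confused_deps(deps: &[Dep]) -> Vec<(String, String, String)> {
    deps.iter()
        .filter(|d| resolve_legacy(d) != resolve_current(d))
        .map(|d| {
            (
                d.name.clone(),
                resolve_legacy(d).to_string(),
                resolve_current(d).to_string(),
            )
        })
        .collect()
}

fn unquote(s: &str) -> String {
    s.trim().trim_matches(|c| c == '"' || c == '\'').to_string()
}

/// Looks up `package = "..."` inside an inline table such as
/// `{ package = "serde", version = "1" }` (assumption: no commas inside values).
fn inline_package(value: &str) -> Option<String> {
    value
        .trim()
        .trim_start_matches('{')
        .trim_end_matches('}')
        .split(',')
        .filter_map(|kv| kv.split_once('='))
        .find(|(k, _)| k.trim() == "package")
        .map(|(_, v)| unquote(v))
}

fn is_dep_table(header: &str) -> bool {
    matches!(header, "dependencies" | "dev-dependencies" | "build-dependencies")
}

/// Minimal line-based scanner for the dependency tables of a Cargo.toml.
/// Not a full TOML parser: handles `name = "ver"`, `name = { ... }` and the
/// `[dependencies.name]` sub-table form; `[target.*]` tables are ignored.
pub fn parse_deps(manifest: &str) -> Vec<Dep> {
    let mut deps: Vec<Dep> = Vec::new();
    let mut in_table = false; // inside a [dependencies]-style table
    let mut sub: Option<usize> = None; // index of the dep from [dependencies.name]

    for raw in manifest.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        if line.starts_with('[') && line.ends_with(']') {
            let header = line[1..line.len() - 1].trim();
            in_table = false;
            sub = None;
            if is_dep_table(header) {
                in_table = true;
            } else if let Some((table, name)) = header.split_once('.') {
                if is_dep_table(table.trim()) {
                    deps.push(Dep { name: unquote(name), package: None });
                    sub = Some(deps.len() - 1);
                }
            }
            continue;
        }
        let (key, value) = match line.split_once('=') {
            Some(kv) => kv,
            None => continue,
        };
        let key = unquote(key);
        if in_table {
            let package = if value.trim().starts_with('{') { inline_package(value) } else { None };
            deps.push(Dep { name: key, package });
        } else if let Some(i) = sub {
            if key == "package" {
                deps[i].package = Some(unquote(value));
            }
        }
    }
    deps
}

/// Constructed sample manifest for the demonstration (not from any real crate).
pub const SAMPLE_MANIFEST: &str = r#"
[package]
name = "demo"
version = "0.1.0"

[dependencies]
serde1 = { package = "serde", version = "1.0" }
rand = "0.7"

[dependencies.my_log]
package = "log"
version = "0.4"
"#;

fn main() {
    // Report every entry that an affected Cargo would resolve to the wrong crate.
    let deps = parse_deps(SAMPLE_MANIFEST);
    for (key, old, intended) in confused_deps(&deps) {
        println!("`{}`: Cargo < 1.26 fetches `{}`, intended crate is `{}`", key, old, intended);
    }
}
```

For the sample manifest the scan reports `serde1` and `my_log`: an affected Cargo would look up crates literally named `serde1` and `my_log` on the registry, which is exactly the name space an attacker can squat, while `rand` is unaffected because it uses no `package` key. Running the check across all manifests in a workspace gives a quick inventory of which crates need the toolchain upgrade most urgently.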

Responsible

GitHub, Inc.

Reservation

09/24/2019

Moderation

accepted

CPE

ready

EPSS

0.01452

KEV

no

Activities

very low
