Vulnerable build script (MitM on network can make it execute arbitrary code) #144
Closed
magicgoose opened this issue Aug 21, 2016 · 12 comments

Comments


magicgoose commented Aug 21, 2016

Build script attempts to download portaudio code through plain http and without any signature checking (because there aren't any) and then run it.

```rust
pub const PORTAUDIO_URL: &'static str = "http://www.portaudio.com/archives/pa_stable_v19_20140130.tgz";
```

rust-portaudio/build.rs

Lines 75 to 91 in c776b83

```rust
match Command::new("tar").arg("xvf").arg(PORTAUDIO_TAR).output() {
    Ok(_) => {},
    Err(e) => panic!("{}", e)
}
// change dir to the portaudio folder
match env::set_current_dir(PORTAUDIO_FOLDER) {
    Ok(_) => {},
    Err(e) => panic!("{}", e)
}
// run portaudio autoconf
Command::new("./configure")
    .args(&["--disable-shared", "--enable-static"]) // Only build static lib
    .args(&["--prefix", out_dir.to_str().unwrap()]) // Install on the outdir
    .arg("--with-pic") // Build position-independent code (required by Rust)
    .output()
```

That's of course portaudio team's fault. But it's possible to download portaudio code from git as a safer alternative — https://app.assembla.com/spaces/portaudio/git/source.
I think rust-portaudio should use this safer way to download code.


alex commented Jun 6, 2019

This could also be addressed by verifying the hash of the tarball against one included in build.rs.


tarcieri commented Jun 7, 2019

The tarball is only 1.5MB. The source code within could be vendored into the crate. Since it's available via git, it could be added to this project as a git submodule, which makes it easy to update and also easy to release new crates which already contain the source code and therefore don't have to hit the network to get it or worry about authenticating the retrieved artifact and unpacking it.

@barakugav

This was solved by #190
Can we release a new version? @mitchmindtree @jeremyletang @wmedrano

@mitchmindtree (Member)

I don't have time for rust-portaudio these days I'm afraid, but I've just added the github:rustaudio/rust-portaudio-maintainers team as a crate owner, so a team member should be able to update it now

@wmedrano (Member)

Done, this is live in 0.7.1.

@wmedrano (Member)

I didn't have permissions to push updates to portaudio-sys so forked into portaudio-sys2. Will try to contact @mvdnes for ownership.

mvdnes (Collaborator) commented Sep 15, 2024

Ha I didn't even remember the name portaudio. Funny seeing a 7 year old crate having >30 downloads per day. I fully agree this is a problem, so how can I help?

@mitchmindtree (Member)

@mvdnes if you could, cd into rust-portaudio-sys and add the rustaudio portaudio maintainers team as a cargo owner:

```shell
cargo owner --add github:RustAudio:rust-portaudio-maintainers
```

@wmedrano (Member)

@mvdnes You may also be able to do it from the crates.io UI at https://crates.io/crates/portaudio-sys

mvdnes (Collaborator) commented Sep 16, 2024

I think there may be a problem with the name or the permissions of the group. This is the response I get:

```
% cargo owner --add github:RustAudio:rust-portaudio-maintainers
    Updating crates.io index
error: failed to invite owners to crate `portaudio-sys` on registry at https://crates.io

Caused by:
  the remote server responded with an error (status 400 Bad Request): could not find the github team RustAudio/rust-portaudio-maintainers. Make sure that you have the right permissions in GitHub. See https://doc.rust-lang.org/cargo/reference/publishing.html#github-permissions
```

@wmedrano (Member)

What about `cargo owner --add wmedrano`

mvdnes (Collaborator) commented Sep 17, 2024

> What about `cargo owner --add wmedrano`

That works, you now have an invite.
