Rust is not a panacea against vulnerabilities


As a reminder that just using Rust will not solve all problems, a report on the oss-security list led me to https://nvd.nist.gov/vuln/detail/CVE-2019-16760

What I found particularly concerning was the following part of the description:

    When Rust 1.25.0 and prior is used Cargo may download the wrong dependency, which could be squatted on crates.io to be a malicious package. This not only affects manifests that you write locally yourself, but also manifests published to crates.io.

I find the idea of malicious crates being able to squat on crates.io surprising, but overall it's no different from vulnerabilities in other languages which can by default pull in external code over the internet. Fortunately most people will have long ago stopped using that version, so I'm just mentioning this for the next time someone posts "use rust" in a thread.