Security Advisory for crates.io, 2016-08-15

Steve Klabnik

Aug 15, 2016, 8:47:50 PM
to rustlang-securi...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

# Security Advisory for crates.io, 2016-08-15

The Rust team was recently notified of a security vulnerability affecting
crates.io. It has since been resolved, and there is no indication that the bug
has been exploited. For most users, no action need be taken at this time,
though users who have renamed their GitHub accounts since publishing to
crates.io are recommended to validate their published crates according to
details below.

The vulnerability worked as follows: if a user with a crates.io login renamed
their GitHub account, another GitHub user could claim the old username (on
GitHub) and then log into the existing crates.io account. This gave the new
GitHub user full access to publish or yank crates under that account.

The flaw was that crates.io identified users by their GitHub username, which
can change, instead of by GitHub's numeric user ID, which cannot. The issue has
since been fixed by tracking GitHub users by unique ID rather than by username.
This ID is persistent across renames and prevents new users on GitHub from
logging into existing accounts on crates.io. Implementing this fix involved
filling in the GitHub user ID for all existing crates.io users.

Though we have no indication that the bug has been exploited, due to the nature
of the vulnerability we cannot know whether any users were compromised.

As a precaution, if you have logged into crates.io and subsequently renamed
your GitHub account prior to Friday, August 12, 2016, we recommend that you log
into crates.io and check that the set of crates under your account is what you
expect. If somebody were to be affected by this vulnerability, the symptom they
would see is that entire crates they had previously owned and published would
no longer be owned by them, their account under the old name having been
transferred to another user. Again, we have no indication this has happened,
but if you believe you have been affected please [report] it to the Rust
security email address.

Many thanks to Carol Nichols || Goulding (@carols10cents) for [responsibly
reporting this][report] and helping us identify and test a fix! The timeline of
events is as follows:

* 2016-08-09 at 17:07 PST - Notification of the vulnerability to
secu...@rust-lang.org
* 2016-08-09 at 17:41 PST - Response acknowledging report
* 2016-08-10 at 14:00 PST - Decision to escalate to the core team's agenda,
and conclusion was to prioritize a fix for this issue.
* 2016-08-11 at 18:49 PST - Fix deployed, all users tracked via GitHub
ID and all logins matching based on this. Some users remained to be filled in.
* 2016-08-12 at 10:35 PST - All user rows filled in with a GitHub ID.

[report]: https://www.rust-lang.org/en-US/security.html

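The advisory describes the flaw and the fix in prose. The following Rust sketch is an added example, not code from crates.io or from the advisory above: it models a crates.io user table and replays the rename scenario under both lookup rules, keying the account on the GitHub login (the pre-fix behaviour) versus on the immutable numeric GitHub ID (the fix). The user names, IDs and crate name are constructed, the `GhUser`, `Account` and `LookupKey` types and all function names are invented for the illustration, and the `backfill_ids` helper stands in for the advisory's "filling in all existing users' GitHub user IDs"; it assumes the operator resolves login to ID through an authoritative source such as GitHub's API, which the advisory does not spell out.

```rust
use std::collections::HashMap;

/// The two fields of GitHub's `/user` response that matter here.
/// `login` is mutable (users can rename themselves); the numeric `id` is not.
#[derive(Clone, Debug, PartialEq)]
pub struct GhUser {
    pub id: u64,
    pub login: String,
}

/// A crates.io user row (constructed model). `gh_id` is an `Option` because,
/// as the advisory notes, pre-existing rows had to be backfilled with an ID.
#[derive(Clone, Debug, PartialEq)]
pub struct Account {
    pub gh_id: Option<u64>,
    pub gh_login: String,
    pub crates: Vec<String>,
}

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum LookupKey {
    Login, // pre-fix: identity is whatever GitHub login you currently hold
    Id,    // post-fix: identity is the immutable GitHub user ID
}

/// Find-or-create the account for an authenticated GitHub user and return its
/// index into `db`. Only the `LookupKey::Id` branch is safe across renames.
pub fn find_or_create(db: &mut Vec<Account>, gh: &GhUser, key: LookupKey) -> usize {
    let found = match key {
        LookupKey::Login => db.iter().position(|a| a.gh_login == gh.login),
        LookupKey::Id => db.iter().position(|a| a.gh_id == Some(gh.id)),
    };
    if let Some(i) = found {
        // Refresh the stored login; with `Id` this is purely a display field.
        db[i].gh_login = gh.login.clone();
        return i;
    }
    db.push(Account {
        gh_id: Some(gh.id),
        gh_login: gh.login.clone(),
        crates: Vec::new(),
    });
    db.len() - 1
}

/// Backfill `gh_id` on legacy rows from an authoritative login -> id map
/// (assumed here to come from an operator-side GitHub API lookup). The ID
/// must NOT be taken from whoever logs in next under that login, since that
/// would hand the row to an attacker who has already claimed the name.
/// Returns the number of rows filled; unresolvable rows are left as `None`.
pub fn backfill_ids(db: &mut [Account], resolve: &HashMap<&str, u64>) -> usize {
    let mut filled = 0;
    for a in db.iter_mut().filter(|a| a.gh_id.is_none()) {
        if let Some(&id) = resolve.get(a.gh_login.as_str()) {
            a.gh_id = Some(id);
            filled += 1;
        }
    }
    filled
}

/// Replays the advisory's scenario under one lookup rule. Returns
/// `(attacker_owns_crate, victim_still_owns_crate)`.
pub fn run_scenario(key: LookupKey) -> (bool, bool) {
    let mut db: Vec<Account> = Vec::new();
    let crate_name = "example-crate"; // constructed

    // 1. Victim logs in as "alice" and publishes a crate.
    let mut victim = GhUser { id: 1001, login: "alice".into() };
    let v = find_or_create(&mut db, &victim, key);
    db[v].crates.push(crate_name.into());

    // 2. Victim renames their GitHub account; the numeric ID does not change.
    victim.login = "alice-renamed".into();

    // 3. A different GitHub user claims the now-free login "alice" and logs in.
    let attacker = GhUser { id: 2002, login: "alice".into() };
    let a = find_or_create(&mut db, &attacker, key);
    let attacker_owns = db[a].crates.iter().any(|c| c == crate_name);

    // 4. Victim logs in under the new name: do they still see their crate?
    let v2 = find_or_create(&mut db, &victim, key);
    let victim_owns = db[v2].crates.iter().any(|c| c == crate_name);

    (attacker_owns, victim_owns)
}

fn main() {
    for key in [LookupKey::Login, LookupKey::Id] {
        let (attacker, victim) = run_scenario(key);
        println!("{:?}: attacker owns crate = {}, victim owns crate = {}", key, attacker, victim);
    }
}
```

Under `LookupKey::Login` the attacker's login lands on the victim's row and the renamed victim gets a fresh, empty account, which is exactly the "crates no longer owned by me" symptom the advisory tells affected users to look for; under `LookupKey::Id` the attacker gets a new empty account and the victim keeps theirs. The backfill step is where a careless implementation could reopen the hole, so the ID for a legacy row has to come from an out-of-band lookup rather than from the next login.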