1. 15

  2. 3


    Note that even if you don’t explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git’s [url.<base>.insteadOf][1] setting), as that’d cause you to clone the crates.io index through SSH.

    If I’m understanding right, that means that if you haven’t added an alternate registry, and you haven’t configured git to rewrite HTTPS clones to SSH clones for GitHub, you’re not affected (since this issue doesn’t affect HTTPS). In other words, the default configuration is safe and most people aren’t affected.

    Still a bad vulnerability, but luckily one limited in scope.
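As an added example that is not part of the thread, a defender-side check for the configuration the quoted advisory text describes: a git `url.<base>.insteadOf` rule that would turn the HTTPS clone of the crates.io index into an SSH clone. It assumes the index lives at the GitHub URL shown, reads lines in the format `git config --get-regexp 'url\..*\.insteadof'` prints, and treats `ssh://` and scp-style `user@host:` bases as SSH.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cargo. Feed it the output of
#   git config --get-regexp 'url\..*\.insteadof'
# on stdin. It prints the <base> of every rule that (a) applies to the
# crates.io index URL (git matches insteadOf by URL prefix) and (b) rewrites it
# to an SSH URL. Exit status 0 means at least one such rule exists, 1 otherwise.
INDEX_URL="https://github.com/rust-lang/crates.io-index"   # assumed index URL

rewrites_index_to_ssh() {
    found=1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        key=${line%% *}          # url.<base>.insteadof (git lowercases the key)
        prefix=${line#* }        # the <prefix> git substitutes
        base=${key#url.}
        base=${base%.insteadof}
        # Skip rules whose prefix does not cover the index URL.
        case "$INDEX_URL" in
            "$prefix"*) ;;
            *) continue ;;
        esac
        # Report rules whose replacement base is an SSH-style URL.
        case "$base" in
            ssh://*|git@*|*@*:*) echo "$base"; found=0 ;;
        esac
    done
    return $found
}
```

Run it as `git config --get-regexp 'url\..*\.insteadof' | sh -c '. ./check.sh; rewrites_index_to_ssh'`; no output and exit status 1 means the default (HTTPS) index clone is unaffected by rewriting.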

    1. 1

      Yeah, that’s a hilariously roundabout way to say “who is affected” which boils down to “a few people”.

      I think the most common case in practice is dependency on a private git repo via SSH. Eg, if your company has a bunch of private repos with Rust crates, you might want to use git+ssh dependencies for them (for public repos, you’d use git+https).

    2. 8

      This wouldn’t have happened if Cargo was written in a memory safe language like Rust…

      On a serious note, maybe this introduces a bit of humility to the Rust community. Not all bugs are memory safety bugs and it’s still important to be on the lookout for the other types, especially logic bugs.

      1. 20

        The unstated implication that rust community somehow claims that Rust prevents all security bugs is wrong.

        It’s also not the first time that a CVE is reported against Cargo:

        So, I doubt that would be much of an update for rust community.

        It is however a useful reminder for people outside of the rust community that Rust isn't a silver bullet.

        1. 1

          No, but I think it’s how some folks in the wider programming community read it. It’s very much the Underpants Gnomes of PL safety engineering.

          1. Memory safety!
          2. No bugs!
        2. 8

          Can I flag this comment as funny?

          1. 12

            Cargo uses libssh2, which is written in C (not that it matters to the issue, but you could use some humility too.)

            1. 4

              Please provide a single example where anyone in the Rust community seriously claims that all bugs are memory safety bugs or that Rust eliminates all classes of security bugs.