Code reviews of the PortAudio crate // Lib.rs

RUSTSEC-2016-0003 on 2016-08-01: HTTP download and execution allows MitM RCE

The build script in the portaudio crate will attempt to download via HTTP the portaudio source and build it.

A Mallory in the middle can intercept the download with their own archive and get RCE.

CVE-2016-10933

This crate has no reviews yet. To add a review, set up your cargo-crev.

Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball.

To review the actual code of the crate, it's best to use cargo crev open portaudio. Alternatively, you can download the tarball of portaudio v0.7.0 or view the source online.