RUSTSEC-2016-0003 on 2016-08-01: HTTP download and execution allows MitM RCE

The build script in the portaudio crate will attempt to download via HTTP the portaudio source and build it.

A Mallory in the middle can intercept the download with their own archive and get RCE.

CVE-2016-10933

GHSA-pq6v-x7gp-7776

This crate has no reviews yet. To add a review, set up your cargo-crev.


Lib.rs has been able to verify that all files in the crate's tarball, except Cargo.lock, are in the crate's repository with a git tag matching the version. Please note that this check is still in beta, and absence of this confirmation does not mean that the files don't match.

Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories, so there is a possibility that published crates have a misleading repository URL, or contain different code from the code in the repository.

To review the actual code of the crate, it's best to use cargo crev open portaudio. Alternatively, you can download the tarball of portaudio v0.8.0 or view the source online.