
Vulnerable build script (MitM on network can make it execute arbitrary code) #144

Open
magicgoose opened this issue Aug 21, 2016 · 2 comments


magicgoose commented Aug 21, 2016

Build script attempts to download portaudio code through plain http and without any signature checking (because there aren't any) and then run it.

```rust
pub const PORTAUDIO_URL: &'static str = "http://www.portaudio.com/archives/pa_stable_v19_20140130.tgz";
```

rust-portaudio/build.rs, lines 75 to 91 at c776b83:

```rust
match Command::new("tar").arg("xvf").arg(PORTAUDIO_TAR).output() {
    Ok(_) => {},
    Err(e) => panic!("{}", e)
}
// change dir to the portaudio folder
match env::set_current_dir(PORTAUDIO_FOLDER) {
    Ok(_) => {},
    Err(e) => panic!("{}", e)
}
// run portaudio autoconf
Command::new("./configure")
    .args(&["--disable-shared", "--enable-static"]) // Only build static lib
    .args(&["--prefix", out_dir.to_str().unwrap()]) // Install on the outdir
    .arg("--with-pic") // Build position-independent code (required by Rust)
    .output()
```

That's of course the portaudio team's fault. But it's possible to download the portaudio code from git as a safer alternative — https://app.assembla.com/spaces/portaudio/git/source.
I think rust-portaudio should use this safer way to download the code.


alex commented Jun 6, 2019

This could also be addressed by verifying the hash of the tarball against one included in build.rs.


tarcieri commented Jun 7, 2019

The tarball is only 1.5MB. The source code within could be vendored into the crate. Since it's available via git, it could be added to this project as a git submodule, which makes it easy to update and also easy to release new crates which already contain the source code and therefore don't have to hit the network to get it or worry about authenticating the retrieved artifact and unpacking it.
