PT-2019-14816 · Rust+1

Elichai Turkel · Published 2018-09-19 · Updated 2022-05-24 · CVE-2019-16760

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Rust versions prior to 1.26.0

Description: The issue arises when the package configuration key in the package.toml file is used to rename dependencies. In Rust 1.25.0 and prior, this key is ignored by Cargo, potentially leading to the download of the wrong dependency. This could be exploited if a malicious package with the same name is published on crates.io. The issue affects not only local manifests but also those published to crates.io.

Recommendations: For Rust versions 1.19.0 through 1.25.0, apply the linked patches to mitigate the issue. For all affected versions, update the compiler to Rust 1.26.0 or a newer version to resolve the issue. As a temporary workaround, consider avoiding the use of the package key in Cargo.toml until the compiler is updated.
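The failure mode above, as an added example that is not part of the advisory or of Cargo itself: a small Python check that lists every dependency a Cargo.toml renames through the package key and reports which of those aliases a toolchain older than 1.26.0 would resolve by alias name instead of by the intended crate. The sample manifest and crate names are constructed for illustration.

```python
import re

DEP_TABLES = {"dependencies", "dev-dependencies", "build-dependencies"}
MIN_SAFE_RUST = (1, 26, 0)  # first toolchain whose Cargo honours the `package` key

# Constructed sample manifest (not taken from the advisory). The aliases `rand`
# and `serde` really point at differently named crates through `package`.
SAMPLE_MANIFEST = """
[package]
name = "demo"
version = "0.1.0"

[dependencies]
log = "0.4"
rand = { version = "0.6", package = "my-rand-fork" }

[dependencies.serde]
version = "1.0"
package = "serde-compat"
"""

INLINE_DEP = re.compile(r'^([\w-]+)\s*=\s*\{(.*)\}\s*$')
PACKAGE_KEY = re.compile(r'\bpackage\s*=\s*"([^"]+)"')


def renamed_dependencies(manifest: str) -> dict:
    """Map each dependency alias to the crate it really names via `package`.

    Minimal line-based reader for the two usual layouts (inline table under
    [dependencies] and a [dependencies.<alias>] sub-table); not a full TOML parser.
    """
    renamed = {}
    parts = []  # dotted path of the current table header, e.g. ["dependencies", "serde"]
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            parts = line[1:-1].split(".")
            continue
        if parts and parts[-1] in DEP_TABLES:            # alias = { ..., package = "x" }
            m = INLINE_DEP.match(line)
            pkg = PACKAGE_KEY.search(m.group(2)) if m else None
            if pkg:
                renamed[m.group(1)] = pkg.group(1)
        elif len(parts) >= 2 and parts[-2] in DEP_TABLES:  # [dependencies.alias] / package = "x"
            pkg = PACKAGE_KEY.match(line)
            if pkg:
                renamed[parts[-1]] = pkg.group(1)
    return renamed


def version_tuple(version: str) -> tuple:
    return tuple(int(x) for x in version.split("."))


def silently_misresolved(manifest: str, rustc_version: str) -> list:
    """Aliases that the given toolchain would fetch by alias name, ignoring `package`."""
    if version_tuple(rustc_version) >= MIN_SAFE_RUST:
        return []
    return sorted(renamed_dependencies(manifest))
```

On the sample manifest, a 1.25.0 toolchain would fetch crates named rand and serde from the registry instead of my-rand-fork and serde-compat, while 1.26.0 resolves the renames as written.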


Weakness Enumeration

Related identifiers

ALT-PU-2018-2345
CVE-2019-16760
GHSA-9F3P-WVJ7-Q82X
GHSA-PHJM-8X66-QW4R

Affected products

Alt Linux
Rust