
Vulnerable build script (MitM on network can make it execute arbitrary code)

Open magicgoose opened this issue 9 years ago • 2 comments

Build script attempts to download portaudio code through plain http and without any signature checking (because there aren't any) and then run it. https://github.com/RustAudio/rust-portaudio/blob/c776b83efc99984e54d6d1815d0a511ebe54ae05/build.rs#L62 https://github.com/RustAudio/rust-portaudio/blob/c776b83efc99984e54d6d1815d0a511ebe54ae05/build.rs#L75-L91

That's of course portaudio team's fault. But it's possible to download portaudio code from git as a safer alternative — https://app.assembla.com/spaces/portaudio/git/source. I think rust-portaudio should use this safer way to download code.

magicgoose · Aug 21 '16 10:08

This could also be addressed by verifying the hash of the tarball against one included in build.rs.

alex · Jun 06 '19 11:06

The tarball is only 1.5MB. The source code within could be vendored into the crate. Since it's available via git, it could be added to this project as a git submodule, which makes it easy to update and also easy to release new crates which already contain the source code and therefore don't have to hit the network to get it or worry about authenticating the retrieved artifact and unpacking it.

tarcieri · Jun 07 '19 01:06