GHSA-36xm-35qq-795w

Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-36xm-35qq-795w/GHSA-36xm-35qq-795w.json

Published

2023-09-11T20:43:41Z

Modified

2023-09-11T20:43:41Z

Details

Affected versions do not enforce a Sync bound on the type of caller-provided value held in the plugin registry. References to these values are made accessible to arbitrary threads other than the one that constructed them.

A caller could use this flaw to submit thread-unsafe data into inventory, then access it as a reference simultaneously from multiple threads.

The flaw was corrected by enforcing that data submitted by the caller into inventory is Sync.

References

https://github.com/dtolnay/inventory/pull/42
https://github.com/dtolnay/inventory/commit/e1e347d2725b9c9dd4a70b63eb08532ca9687652
https://github.com/dtolnay/inventory
https://rustsec.org/advisories/RUSTSEC-2023-0058.html

Affected packages

crates.io / inventory

Source Details

Package Name: inventory

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

0.2.0

Ecosystem specific

{
    "affected_functions": [
        ""
    ]
}