GHSA-r88h-6987-g79f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r88h-6987-g79f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-r88h-6987-g79f/GHSA-r88h-6987-g79f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r88h-6987-g79f
- Aliases
-
- CVE-2020-36462
- GHSA-vp6r-mrq9-8f4h
- RUSTSEC-2020-0142
- Published
- 2021-08-25T21:00:28Z
- Modified
- 2023-11-08T04:03:46.319786Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Data races on syncpool
- Details
-
Affected versions of this crate unconditionally implements
SendforBucket2. This allows sending non-Send types to other threads.This can lead to data races when non Send types like
Cell<T>orRc<T>are contained insideBucket2and sent across thread boundaries. The data races can potentially lead to memory corruption (as demonstrated in the PoC from the original report issue).The flaw was corrected in commit
15b2828by adding aT: Sendbound to theSendimpl ofBucket2<T>. - Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-362" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-08-05T22:09:21Z" }- References
-
- https://github.com/Chopinsky/byte_buffer/issues/2
- https://github.com/Chopinsky/byte_buffer/commit/15b282877d1e576de2b337d8162bbf43ed1a0f2d
- https://github.com/Chopinsky/byte_buffer/tree/master/syncpool
- https://github.com/RustSec/advisory-db/blob/main/crates/syncpool/RUSTSEC-2020-0142.md
- https://rustsec.org/advisories/RUSTSEC-2020-0142.html
Affected packages
crates.io / syncpool
Package
- Name
- syncpool
- View open source insights on deps.dev
- Purl
- pkg:cargo/syncpool