GHSA-wxjf-9f4g-3v44
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wxjf-9f4g-3v44
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wxjf-9f4g-3v44/GHSA-wxjf-9f4g-3v44.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wxjf-9f4g-3v44
- Aliases
-
- CVE-2020-36461
- RUSTSEC-2020-0141
- Published
- 2021-08-25T20:56:05Z
- Modified
- 2023-11-08T04:03:46.256345Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Data races in noise_search
- Details
-
Affected versions of the
noise_searchcrate unconditionally implement Send/Sync forMvccRwLock. This can lead to data races when types that are either!Sendor!Sync(e.g.Rc<T>,Arc<Cell<_>>) are contained insideMvccRwLockand sent across thread boundaries. The data races can potentially lead to memory corruption (as demonstrated in the PoC from the original report issue).Also, safe APIs of
MvccRwLockallow aliasing violations by allowing&TandLockResult<MutexGuard<Box<T>>>to co-exist in conflicting lifetime regions. The APIs ofMvccRwLockshould either be marked asunsafeorMbccRwLockshould be changed to private or pub(crate). - Database specific
{ "nvd_published_at": "2021-08-08T06:15:00Z", "github_reviewed_at": "2021-08-18T21:19:50Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-362", "CWE-77" ] }- References
Affected packages
crates.io / noise_search
Package
- Name
- noise_search
- View open source insights on deps.dev
- Purl
- pkg:cargo/noise_search