RUSTSEC-2020-0062

Source
https://rustsec.org/advisories/RUSTSEC-2020-0062
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0062.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2020-0062
Aliases
Published
2020-01-24T12:00:00Z
Modified
2023-11-08T04:03:38.733785Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Improper `Sync` implementation on `FuturesUnordered` in futures-util can cause data corruption
Details

Affected versions of the crate had an unsound `Sync` implementation on the `FuturesUnordered` structure, which used a `Cell` for interior mutability without any code to synchronize access to the length and head of the underlying task list.

This could lead to data corruption, since two threads modifying the list at once could see incorrect values due to the lack of access synchronization.

The issue was fixed by adding access synchronization code around insertion of tasks into the list.

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / futures-util

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.3.0
Fixed
0.3.2
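
To check a project against the range above, this added example (not part of the advisory or of the futures-util project) scans `Cargo.lock` text for locked `futures-util` versions at or above 0.3.0 and below 0.3.2. The function names and the sample lockfile are constructed for illustration, and pre-release handling is reduced to "a pre-release sorts before its own release".

```rust
// Added example: flag futures-util versions inside this advisory's SEMVER range.
// Sort key: (major, minor, patch, is_release). `false < true`, so a pre-release
// sorts before the release with the same numbers. Ordering between two
// pre-releases of one version is not modelled; the range check does not need it.
type Key = (u64, u64, u64, bool);

const INTRODUCED: Key = (0, 3, 0, true); // "Introduced 0.3.0" from the advisory
const FIXED: Key = (0, 3, 2, true); // "Fixed 0.3.2" from the advisory

// Constructed Cargo.lock fragment, not taken from a real project.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "futures-core"
version = "0.3.1"

[[package]]
name = "futures-util"
version = "0.3.1"
"#;

fn parse_version(v: &str) -> Option<Key> {
    let v = v.split('+').next()?; // build metadata never affects precedence
    let (core, is_release) = match v.split_once('-') {
        Some((core, _pre)) => (core, false),
        None => (v, true),
    };
    let mut nums = core.split('.').map(|n| n.parse::<u64>());
    let key = (nums.next()?.ok()?, nums.next()?.ok()?, nums.next()?.ok()?, is_release);
    if nums.next().is_some() { None } else { Some(key) }
}

fn is_affected(version: &str) -> bool {
    matches!(parse_version(version), Some(k) if k >= INTRODUCED && k < FIXED)
}

/// Return every locked futures-util version that falls inside the range.
fn affected_in_lockfile(lock: &str) -> Vec<String> {
    let (mut hits, mut in_target) = (Vec::new(), false);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" { in_target = false; }
        else if line == "name = \"futures-util\"" { in_target = true; }
        else if in_target {
            let v = line.strip_prefix("version = \"").and_then(|r| r.strip_suffix('"'));
            if let Some(v) = v.filter(|v| is_affected(v)) { hits.push(v.to_string()); }
        }
    }
    hits
}

fn main() { println!("affected: {:?}", affected_in_lockfile(SAMPLE_LOCK)); }
```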

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [
            "futures_util::stream::FuturesUnordered"
        ],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "informational": null,
    "categories": [
        "memory-corruption",
        "thread-safety"
    ]
}