RUSTSEC-2020-0062

See a problem?
Please try reporting it to the source first.
Source
https://rustsec.org/advisories/RUSTSEC-2020-0062
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0062.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2020-0062
Aliases
Published
2020-01-24T12:00:00Z
Modified
2023-11-08T04:03:38.733785Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Improper `Sync` implementation on `FuturesUnordered` in futures-utils can cause data corruption
Details

Affected versions of the crate had an unsound Sync implementation on the FuturesUnordered structure, which used a Cell for interior mutability without any code to handle synchronized access to the underlying task list's length and head safely.

This could of lead to data corruption since two threads modifying the list at once could see incorrect values due to the lack of access synchronization.

The issue was fixed by adding access synchronization code around insertion of tasks into the list.

Database specific 
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / futures-util

Package

Name
futures-util
View open source insights on deps.dev
Purl
pkg:cargo/futures-util

Affected ranges

Type
SEMVER
Events
Introduced
0.3.0
Fixed
0.3.2

Ecosystem specific 

{
    "affects": {
        "arch": [],
        "os": [],
        "functions": [
            "futures_util::stream::FuturesUnordered"
        ]
    },
    "affected_functions": null
}

Database specific

categories

[
    "memory-corruption",
    "thread-safety"
]

informational

null

cvss

"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"