RUSTSEC-2020-0130
on 2020-11-12: Bunch<T> unconditionally implements Send/Sync
This crate has no reviews yet. To add a review, set up your cargo-crev.
Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball.
To review the actual code of the crate, it's best to use cargo crev open bunch. Alternatively, you can download the tarball of bunch v0.1.0 or view the source online.
Affected versions of this crate unconditionally implements
Send/SyncforBunch<T>. This allows users to insertT: !SynctoBunch<T>. It is possible to create a data race to aT: !Syncby invoking theBunch::get()API (which returns&T) from multiple threads. It is also possible to sendT: !Sendto other threads by insertingTinsideBunch<T>and sendingBunch<T>to another thread, allowing to create a data race by inserting types likeT = Rc<_>.Such data races can lead to memory corruption.
CVE-2020-36450
GHSA-jwph-qp5h-f9wj