RUSTSEC-2020-0130
on 2020-11-12: Bunch<T> unconditionally implements Send/Sync
This crate has no reviews yet. To add a review, set up your cargo-crev.
Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball.
To review the actual code of the crate, it's best to use cargo crev open bunch. Alternatively, you can download the tarball of bunch v0.1.0 or view the source online.
Affected versions of this crate unconditionally implement Send/Sync for Bunch<T>. This allows users to insert T: !Sync into Bunch<T>. It is possible to create a data race on a T: !Sync by invoking the Bunch::get() API (which returns &T) from multiple threads. It is also possible to send T: !Send to other threads by inserting T inside Bunch<T> and sending Bunch<T> to another thread, which allows a data race to be created by inserting types like T = Rc<_>. Such data races can lead to memory corruption.
CVE-2020-36450
GHSA-jwph-qp5h-f9wj
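The bounded form of the Send/Sync impls that this class of bug calls for, as an added example that is not code from the bunch crate or from the advisory. Slot, assert_send_sync and shared_count are hypothetical names, and the raw-pointer layout is an assumption chosen so that the compiler does not derive Send/Sync on its own.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};
use std::thread;

// Hypothetical stand-in for a container that keeps T behind a raw pointer,
// which is why Send/Sync are not derived automatically and need unsafe impls.
pub struct Slot<T> { ptr: *mut T }

impl<T> Slot<T> {
    pub fn new(value: T) -> Self {
        Slot { ptr: Box::into_raw(Box::new(value)) }
    }
    // Shared access, like the get() API in the advisory: hands out &T.
    pub fn get(&self) -> &T {
        unsafe { &*self.ptr } // SAFETY: ptr is valid until Drop runs.
    }
}

impl<T> Drop for Slot<T> {
    // SAFETY: ptr came from Box::into_raw in new() and is freed only here.
    fn drop(&mut self) { unsafe { drop(Box::from_raw(self.ptr)) } }
}

// Unsound pattern described in the advisory (shown as a comment, not compiled):
//   unsafe impl<T> Send for Slot<T> {}
//   unsafe impl<T> Sync for Slot<T> {}
// Bounded form: the container is only as thread-safe as the T it holds.
unsafe impl<T: Send> Send for Slot<T> {}
unsafe impl<T: Sync> Sync for Slot<T> {}

// Compile-time check: this call only type-checks when S is Send + Sync.
fn assert_send_sync<S: Send + Sync>(_: &S) {}

// Shares one Slot<AtomicUsize> by reference across several threads.
pub fn shared_count(threads: usize) -> usize {
    let slot = Slot::new(AtomicUsize::new(0));
    assert_send_sync(&slot);
    // assert_send_sync(&Slot::new(std::rc::Rc::new(0))); // rejected: Rc is !Send + !Sync
    thread::scope(|s| {
        for _ in 0..threads {
            s.spawn(|| slot.get().fetch_add(1, Ordering::Relaxed));
        }
    });
    slot.get().load(Ordering::Relaxed)
}

fn main() {
    println!("{}", shared_count(4));
}
```

With the unbounded impls the commented-out Rc line would compile, which is the condition the advisory describes; with the bounds the compiler rejects it.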