An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS0zaHhoLTdqeG0tNTl4NM4AArss

Severity: Moderate

AtomicBucket<T> unconditionally implements Send/Sync

Affected package: cargo:metrics-util
Affected versions: < 0.7.0
Fixed versions: 0.7.0
Dependent packages: 40
Dependent repositories: 978
Downloads total: 31,456,006

Affected Version Ranges

All affected versions

0.1.0, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.6.1, 0.6.2

All unaffected versions

0.7.0, 0.8.0, 0.9.0, 0.9.1, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.13.0, 0.14.0, 0.15.0, 0.15.1, 0.16.0, 0.16.2, 0.16.3, 0.17.0, 0.18.0, 0.19.0, 0.19.1, 0.19.2, 0.20.0

In the affected versions of the crate, AtomicBucket<T> unconditionally implements the Send and Sync traits. Users can therefore create a data race on the inner T: !Sync by calling the AtomicBucket::data_with() API from multiple threads.
Such data races can potentially cause memory corruption or other undefined behavior.

The flaw was fixed in commit 8e6daab by adding appropriate Send/Sync bounds to the Send/Sync impl of struct Block<T> (which is a data type contained inside AtomicBucket<T>).
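The following is an added illustration, not metrics-util's own code: a deliberately minimal Block<T> that holds a raw pointer (so Rust's auto traits are absent and Send/Sync must be written by hand) together with a data_with() reader like the one named above. The bounded impls at the bottom express the fix; the unconditional form that commit 8e6daab replaced is shown only as a comment. The type and function names, the single-writer design, and the counter demo are all constructed for this example.

```rust
use std::ptr;
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::Arc;
use std::thread;

/// Constructed stand-in for the crate's Block<T>: a fixed-capacity heap
/// buffer whose first `len` slots are initialised.
pub struct Block<T> {
    data: *mut T, // raw pointer: makes Block<T> neither Send nor Sync automatically
    len: usize,
    cap: usize,
}

impl<T> Block<T> {
    pub fn with_capacity(cap: usize) -> Self {
        let mut v: Vec<T> = Vec::with_capacity(cap);
        let data = v.as_mut_ptr();
        std::mem::forget(v); // ownership of the allocation moves into Block
        Block { data, len: 0, cap }
    }

    /// Single writer: `&mut self` means the borrow checker already rules out
    /// a push racing with a reader on the same thread.
    pub fn push(&mut self, value: T) -> Result<(), T> {
        if self.len == self.cap {
            return Err(value);
        }
        unsafe { ptr::write(self.data.add(self.len), value) };
        self.len += 1;
        Ok(())
    }

    /// The `&self` entry point. With an unconditional Sync impl, two threads
    /// could both be inside this closure holding `&T` for a `T: !Sync`
    /// (e.g. Cell<u64>), which is the data race the advisory describes.
    pub fn data_with<R>(&self, f: impl FnOnce(&[T]) -> R) -> R {
        let slice = unsafe { std::slice::from_raw_parts(self.data, self.len) };
        f(slice)
    }
}

impl<T> Drop for Block<T> {
    fn drop(&mut self) {
        // Rebuild the Vec so the initialised values and the buffer are freed.
        unsafe { drop(Vec::from_raw_parts(self.data, self.len, self.cap)) };
    }
}

// Fixed form: Block<T> may be moved to or shared with another thread only
// when T itself may. Thread safety is now tied to the element type.
unsafe impl<T: Send> Send for Block<T> {}
unsafe impl<T: Sync> Sync for Block<T> {}

// Vulnerable form (pre-fix), kept only as a comment for contrast:
// unsafe impl<T> Send for Block<T> {}
// unsafe impl<T> Sync for Block<T> {}

/// Compile-time probe: only instantiable with a Send + Sync type.
fn assert_send_sync<T: Send + Sync>() {}

/// Share a Block of atomic counters across `threads` threads, have each
/// thread bump every counter once, and return the total. This is sound
/// because AtomicU64 is Sync, so Block<AtomicU64> is Sync under the bounds.
pub fn shared_counters_demo(threads: usize) -> u64 {
    let mut block = Block::with_capacity(4);
    for _ in 0..4 {
        assert!(block.push(AtomicU64::new(0)).is_ok());
    }
    assert_send_sync::<Block<AtomicU64>>(); // accepted
    // assert_send_sync::<Block<std::cell::Cell<u64>>>(); // rejected: Cell is !Sync
    let block = Arc::new(block);
    let handles: Vec<_> = (0..threads)
        .map(|_| {
            let b = Arc::clone(&block);
            thread::spawn(move || {
                b.data_with(|s| {
                    for c in s {
                        c.fetch_add(1, Ordering::Relaxed);
                    }
                })
            })
        })
        .collect();
    for h in handles {
        h.join().unwrap();
    }
    block.data_with(|s| s.iter().map(|c| c.load(Ordering::Relaxed)).sum())
}

fn main() {
    println!("total = {}", shared_counters_demo(8));
}
```

The commented-out probe line is the whole point of the fix: uncommenting it no longer compiles, whereas with the unconditional impls the same Block<Cell<u64>> could be handed to two threads and mutated concurrently through data_with() with no compiler complaint.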
