Ecosyste.ms: Advisories
Data races in futures-intrusive
Because of its contained members, GenericMutexGuard automatically received the Sync auto trait whenever T is Send. However, since the guard represents an acquired lock and allows concurrent access to the underlying data from different threads, it should only be Sync when the underlying data itself is Sync.
This is a soundness issue and allows data races, potentially leading to crashes and segfaults from safe Rust code.
The flaw was corrected by adding a T: Send + Sync bound to GenericMutexGuard's Sync implementation.
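The following is an added example, not code from futures-intrusive: a minimal spin-lock mutex and guard (the assumed names SimpleMutex, Guard, assert_sync and sum_via_shared_guard are this example's own) showing how the auto trait made the guard Sync for any T: Send, and the explicit T: Send + Sync bound that replaces it.

```rust
use std::cell::UnsafeCell;
use std::ops::{Deref, DerefMut};
use std::sync::atomic::{AtomicBool, Ordering};

/// Minimal spin mutex standing in for the crate's GenericMutex (example type).
pub struct SimpleMutex<T> {
    locked: AtomicBool,
    data: UnsafeCell<T>,
}
// A mutex may be shared whenever T: Send, because it hands out exclusive access.
unsafe impl<T: Send> Sync for SimpleMutex<T> {}

/// Stand-in for GenericMutexGuard: any thread holding a &Guard can obtain a &T.
pub struct Guard<'a, T> { mutex: &'a SimpleMutex<T> }

// Vulnerable state (< 0.4.0): with no explicit impl, the auto trait made Guard Sync
// whenever its only field `&SimpleMutex<T>` was Sync, i.e. whenever T: Send. Two
// threads could then hold a &T to a Send-but-!Sync T (e.g. Cell<i32>): a data race.
// Fix (0.4.0): an explicit impl with the stricter bound replaces the auto impl.
unsafe impl<'a, T: Send + Sync> Sync for Guard<'a, T> {}

impl<T> SimpleMutex<T> {
    pub fn new(value: T) -> Self {
        SimpleMutex { locked: AtomicBool::new(false), data: UnsafeCell::new(value) }
    }
    pub fn lock(&self) -> Guard<'_, T> {
        while self.locked.compare_exchange(false, true, Ordering::Acquire, Ordering::Relaxed).is_err() {
            std::hint::spin_loop();
        }
        Guard { mutex: self }
    }
}
impl<'a, T> Deref for Guard<'a, T> {
    type Target = T;
    fn deref(&self) -> &T { unsafe { &*self.mutex.data.get() } }
}
impl<'a, T> DerefMut for Guard<'a, T> {
    fn deref_mut(&mut self) -> &mut T { unsafe { &mut *self.mutex.data.get() } }
}
impl<'a, T> Drop for Guard<'a, T> {
    fn drop(&mut self) { self.mutex.locked.store(false, Ordering::Release); }
}

/// Compile-time probe: this call only type-checks when G: Sync.
pub fn assert_sync<G: Sync>() {}

/// Shares a held guard with another thread; compiles because Vec<i32>: Send + Sync.
pub fn sum_via_shared_guard(values: Vec<i32>) -> i32 {
    let m = SimpleMutex::new(values);
    let guard = m.lock();
    std::thread::scope(|s| s.spawn(|| guard.iter().sum::<i32>()).join().unwrap())
}
// Rejected by the compiler under the fixed bound, since Cell<i32> is Send but not Sync:
// assert_sync::<Guard<'static, std::cell::Cell<i32>>>();
```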
Permalink: https://github.com/advisories/GHSA-4hjg-cx88-g9f9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRoamctY3g4OC1nOWY5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: over 1 year ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-4hjg-cx88-g9f9, CVE-2020-35915
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-35915
- https://github.com/Matthias247/futures-intrusive/issues/53
- https://rustsec.org/advisories/RUSTSEC-2020-0072.html
- https://github.com/advisories/GHSA-4hjg-cx88-g9f9
Blast Radius: 19.7
Affected Packages
cargo:futures-intrusive
Dependent packages: 90
Dependent repositories: 3,801
Downloads: 24,399,067 total
Affected Version Ranges: < 0.4.0
Fixed in: 0.4.0
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1
All unaffected versions: 0.4.0, 0.4.1, 0.4.2, 0.5.0