Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTdtZzctbTVjMy0zaHFq

Data races in unicycle

Affected versions of this crate unconditionally implemented Send & Sync for types PinSlab<T> & Unordered<T, S>. This allows sending non-Send types to other threads and concurrently accessing non-Sync types from multiple threads.

This can result in a data race & memory corruption when types that provide internal mutability without synchronization are contained within PinSlab<T> or Unordered<T, S> and accessed concurrently from multiple threads.

The flaw was corrected in commits 92f40b4 & 6a6c367 by adding trait bound T: Send to Send impls for PinSlab<T> & Unordered<T, S> and adding T: Sync to Sync impls for PinSlab<T> & Unordered<T, S>.

Permalink: https://github.com/advisories/GHSA-7mg7-m5c3-3hqj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTdtZzctbTVjMy0zaHFq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago

Widthdrawn: almost 3 years ago

Identifiers: GHSA-7mg7-m5c3-3hqj
References: Repository: https://github.com/udoprog/unicycle
Blast Radius: 0.0

Affected Packages

cargo:unicycle
Dependent packages: 2
Dependent repositories: 2
Downloads: 38,551 total
Affected Version Ranges: < 0.7.1
Fixed in: 0.7.1
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0
All unaffected versions: 0.7.1, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.10.0, 0.10.1