Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZxcTIteHA3bS14dm04
Data race in ruspiro-singleton
Singleton<T> is meant to be a static object that can be initialized lazily. In order to satisfy the requirement that static items must implement Sync, Singleton implemented both Sync and Send unconditionally, for every T.
This allows for a bug where non-Sync types such as Cell can be used in singletons and cause data races in concurrent programs: the compiler accepts the static because the wrapper claims to be Sync, even though the contained value is not safe to share between threads.
The flaw was corrected in commit b0d2bd20e by adding trait bounds, requiring the contained type to implement Sync.
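The following is an added example, not code from the ruspiro-singleton crate or the advisory, that models the unsound pattern next to the corrected one. The types Slot, UnsoundSingleton and FixedSingleton, the with/bump_* helpers and accepts_in_static are hypothetical names chosen for the illustration; the crate's real API differs. It shows why a static holding a Cell type-checks under an unconditional unsafe impl Sync and why the bounded impl rejects it.

```rust
use std::cell::{Cell, UnsafeCell};
use std::sync::{Mutex, Once};

/// Lazily initialised storage shared by both wrappers below. Because it
/// contains an UnsafeCell it is !Sync on its own; whoever wraps it must
/// promise Sync manually before it can live in a `static`.
struct Slot<T> {
    once: Once,
    value: UnsafeCell<Option<T>>,
}

impl<T> Slot<T> {
    const fn new() -> Self {
        Slot { once: Once::new(), value: UnsafeCell::new(None) }
    }

    /// Initialise on first use, then run `f` on a shared reference.
    fn with<R>(&self, init: impl FnOnce() -> T, f: impl FnOnce(&T) -> R) -> R {
        self.once.call_once(|| {
            // SAFETY: `Once` gives this closure exclusive, one-shot access.
            unsafe { *self.value.get() = Some(init()) }
        });
        // SAFETY: the slot is initialised and only ever read through `&T`
        // from here on. Handing `&T` to several threads is sound only if
        // T: Sync, which is exactly the bound the two wrappers differ on.
        let v = unsafe { (*self.value.get()).as_ref().unwrap() };
        f(v)
    }
}

/// The pattern the advisory describes (hypothetical model): Sync and Send
/// are promised for every T, so a !Sync payload such as Cell<u32> is
/// accepted in a `static`.
pub struct UnsoundSingleton<T>(Slot<T>);
unsafe impl<T> Sync for UnsoundSingleton<T> {}
unsafe impl<T> Send for UnsoundSingleton<T> {}

impl<T> UnsoundSingleton<T> {
    pub const fn new() -> Self { UnsoundSingleton(Slot::new()) }
    pub fn with<R>(&self, init: impl FnOnce() -> T, f: impl FnOnce(&T) -> R) -> R {
        self.0.with(init, f)
    }
}

/// The corrected pattern: the wrapper is Sync/Send only when T is, so the
/// compiler rejects `static X: FixedSingleton<Cell<u32>>` with E0277.
pub struct FixedSingleton<T>(Slot<T>);
unsafe impl<T: Sync> Sync for FixedSingleton<T> {}
unsafe impl<T: Send> Send for FixedSingleton<T> {}

impl<T> FixedSingleton<T> {
    pub const fn new() -> Self { FixedSingleton(Slot::new()) }
    pub fn with<R>(&self, init: impl FnOnce() -> T, f: impl FnOnce(&T) -> R) -> R {
        self.0.with(init, f)
    }
}

// Accepted only because of the unconditional impls above. Two threads
// calling `bump_unsound` at once would race on the Cell (undefined behaviour),
// which is why the example only ever touches it from one thread.
static UNSOUND_COUNTER: UnsoundSingleton<Cell<u32>> = UnsoundSingleton::new();

// Sound: Mutex<u32> is Sync, so the bounded impl applies.
static SOUND_COUNTER: FixedSingleton<Mutex<u32>> = FixedSingleton::new();

// Does not compile once the bound is in place (kept as a comment on purpose):
// static REJECTED: FixedSingleton<Cell<u32>> = FixedSingleton::new();
//   error[E0277]: `Cell<u32>` cannot be shared between threads safely

/// Increments the Cell-backed singleton from the calling thread only.
pub fn bump_unsound() -> u32 {
    UNSOUND_COUNTER.with(|| Cell::new(0), |c| { c.set(c.get() + 1); c.get() })
}

/// Increments the Mutex-backed singleton from `threads` threads and returns the total.
pub fn bump_sound_concurrently(threads: usize) -> u32 {
    let handles: Vec<_> = (0..threads)
        .map(|_| std::thread::spawn(|| {
            SOUND_COUNTER.with(|| Mutex::new(0), |m| *m.lock().unwrap() += 1)
        }))
        .collect();
    for h in handles { h.join().unwrap(); }
    SOUND_COUNTER.with(|| Mutex::new(0), |m| *m.lock().unwrap())
}

/// Compile-time probe: a call only type-checks if T is Sync, i.e. if a
/// `static` of type T would be accepted.
pub fn accepts_in_static<T: Sync>() -> bool { true }

fn main() {
    println!("unsound singleton after one bump: {}", bump_unsound());
    println!("sound singleton after 8 threads: {}", bump_sound_concurrently(8));
}
```

The probe accepts_in_static::<UnsoundSingleton<Cell<u32>>>() compiles, which is the whole defect: the type system believes the Cell is shareable. With the bounded impl the same probe on FixedSingleton<Cell<u32>> is a compile error, while FixedSingleton<Mutex<u32>> still works, so fixing the bound costs nothing for correctly synchronised payloads. When reviewing a crate, treat any unsafe impl<T> Sync or Send without a bound on T as a finding to justify or reject.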
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZxcTIteHA3bS14dm04
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: almost 2 years ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-fqq2-xp7m-xvm8, CVE-2020-36435
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-36435
- https://github.com/RusPiRo/ruspiro-singleton/pull/11
- https://rustsec.org/advisories/RUSTSEC-2020-0115.html
- https://github.com/RusPiRo/ruspiro-singleton/issues/10
- https://github.com/RusPiRo/ruspiro-singleton/commit/b0d2bd20eb40b9cbc2958b981ba2dcd9e6f9396e
- https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/ruspiro-singleton/RUSTSEC-2020-0115.md
- https://github.com/advisories/GHSA-fqq2-xp7m-xvm8
Blast Radius: 3.9
Affected Packages
cargo:ruspiro-singleton
Dependent packages: 7
Dependent repositories: 3
Downloads: 17,878 total
Affected Version Ranges: < 0.4.1
Fixed in: 0.4.1
All affected versions: 0.0.2, 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.4.0
All unaffected versions: 0.4.1, 0.4.2, 0.4.3