Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBxcXAteG1oai13Z2N3

crossbeam-deque Data Race before v0.7.4 and v0.8.1

Impact

In the affected versions of this crate, a race condition in the work-stealing deque can cause one or more tasks in the worker queue to be popped twice, while other tasks are silently dropped and never popped. If tasks are allocated on the heap, this can cause a double free and a memory leak; if not, it is still a logic bug.

Crates using Stealer::steal, Stealer::steal_batch, or Stealer::steal_batch_and_pop are affected by this issue.

Patches

This has been fixed in crossbeam-deque 0.8.1 and 0.7.4.

Credits

This issue was reported and fixed by Maor Kleinberger.

License

This advisory is in the public domain.

Permalink: https://github.com/advisories/GHSA-pqqp-xmhj-wgcw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBxcXAteG1oai13Z2N3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: over 1 year ago


CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-pqqp-xmhj-wgcw, CVE-2021-32810
References: Repository: https://github.com/crossbeam-rs/crossbeam
Blast Radius: 44.3

Affected Packages

cargo:crossbeam-deque
Dependent packages: 58
Dependent repositories: 33,060
Downloads: 129,473,796 total
Affected Version Ranges: < 0.7.4; >= 0.8.0 and < 0.8.1
Fixed in: 0.8.1, 0.7.4
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0
All unaffected versions: 0.7.4, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5