Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZwNnItbXJxOS04ZjRo

Data race in syncpool

Affected versions of this crate unconditionally implements Send for Bucket2. This allows sending non-Send types to other threads. This can lead to data races when non Send types like Cell or Rc are contained inside Bucket2 and sent across thread boundaries. The data races can potentially lead to memory corruption (as demonstrated in the PoC from the original report issue). The flaw was corrected in commit 15b2828 by adding a T: Send bound to the Send impl of Bucket2.

Permalink: https://github.com/advisories/GHSA-vp6r-mrq9-8f4h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZwNnItbXJxOS04ZjRo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.00248
EPSS Percentile: 0.65301

Identifiers: GHSA-vp6r-mrq9-8f4h, CVE-2020-36462
References: Repository: https://github.com/Chopinsky/byte_buffer
Blast Radius: 0.0

Affected Packages

cargo:syncpool
Dependent packages: 3
Dependent repositories: 1
Downloads: 11,335 total
Affected Version Ranges: < 0.1.6
Fixed in: 0.1.6
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5
All unaffected versions: 0.1.6