Reported

August 25, 2020

Issued

October 2, 2020 (last modified: January 31, 2021)

Package

arr (crates.io)

Type

Vulnerability

Categories

• memory-corruption
• thread-safety

Aliases

• CVE-2020-35886
• CVE-2020-35887
• CVE-2020-35888

Details

https://github.com/sjep/array/issues/1

Patched

no patched versions

Description

arr crate contains multiple security issues. Specifically,

1. It incorrectly implements Sync/Send bounds, which allows to smuggle non-Sync/Send types across the thread boundary.
2. Index and IndexMut implementation does not check the array bound.
3. Array::new_from_template() drops uninitialized memory.