Reported

August 25, 2020

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

arr (crates.io)

Type

Vulnerability

Categories

• memory-corruption
• thread-safety

Aliases

• CVE-2020-35886
• CVE-2020-35887
• CVE-2020-35888
• GHSA-36xw-hgfv-jwm7
• GHSA-c7fw-cr3w-wvfc
• GHSA-fhvj-7f9p-w788

References

• https://github.com/sjep/array/issues/1

Patched

no patched versions

Description

arr crate contains multiple security issues. Specifically,

1. It incorrectly implements Sync/Send bounds, which allows to smuggle non-Sync/Send types across the thread boundary.
2. Index and IndexMut implementation does not check the array bound.
3. Array::new_from_template() drops uninitialized memory.

Advisory available under CC0-1.0 license.