HistoryEdit

RUSTSEC-2020-0088

MPMCConsumer/Producer allows sending non-Send type across threads

Issued
Package
magnetic (crates.io)
Type
Vulnerability
Categories
Aliases
Details
https://github.com/johnshaw/magnetic/issues/9
CVSS Score
5.5 MEDIUM
CVSS Details
Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Patched
  • >=2.0.1

Description

Affected versions of this crate unconditionally implemented Sync and Send traits for MPMCConsumer and MPMCProducer types.

This allows users to send types that do not implement Send trait across thread boundaries, which can cause a data race.

The flaw was corrected in the 2.0.1 release by adding T: Send bound to affected Sync/Send trait implementations.