HistoryEdit

RUSTSEC-2020-0098

UsbContext trait did not require implementers to be Send and Sync.

Issued
Package
rusb (crates.io)
Type
INFO Unsound
Categories
Keywords
#concurrency
Aliases
Details
https://github.com/a1ien/rusb/issues/44
CVSS Score
7 HIGH
CVSS Details
Attack vector
Local
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Patched
  • >=0.7.0
Keywords
#concurrency

Description

Affected versions of rusb did not require UsbContext to implement Send and Sync. However, through Device and DeviceHandle it is possible to use UsbContexts across threads.

This issue allows non-thread safe UsbContext types to be used concurrently leading to data races and memory corruption.

The issue was fixed by adding Send and Sync bounds to UsbContext.