RUSTSEC-2020-0102

LateStatic has incorrect Sync bound

Reported
Issued
Package: late-static (crates.io)
Type: Vulnerability
Categories
Aliases
References
CVSS Score: 7 HIGH
CVSS Details
  • Attack vector: Local
  • Attack complexity: High
  • Privileges required: Low
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Patched
  • >=0.4.0

Description

Affected versions of this crate implemented Sync for LateStatic<T> with only a T: Send bound, so it is possible to create a data race on a type that is T: Send + !Sync (e.g. Cell<T>).

This can result in memory corruption or other kinds of undefined behavior.

The flaw was corrected in commit 11f396c by replacing the T: Send bound with a T: Sync bound in the Sync impl for LateStatic<T>.
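The two bounds side by side, as an added example that is not the crate's own code: LateBefore, LateAfter and Probe are constructed stand-ins, and the probe checks at compile time which wrapper claims Sync for a Cell without ever running a race.

```rust
use std::cell::{Cell, UnsafeCell};
use std::marker::PhantomData;
use std::sync::atomic::{AtomicU32, Ordering};

// Constructed stand-ins for a late-initialized static cell (not the crate's types).
pub struct LateBefore<T>(UnsafeCell<Option<T>>);
pub struct LateAfter<T>(UnsafeCell<Option<T>>);

// Affected pattern: Sync is promised although only T: Send is required.
unsafe impl<T: Send> Sync for LateBefore<T> {}
// Corrected pattern: sharing &LateAfter<T> hands out &T, so T must be Sync.
unsafe impl<T: Sync> Sync for LateAfter<T> {}

impl<T> LateAfter<T> {
    pub const fn new() -> Self { LateAfter(UnsafeCell::new(None)) }
    /// Safety: call once, before any other thread can reach the value.
    pub unsafe fn assign(&self, v: T) { unsafe { *self.0.get() = Some(v); } }
    pub fn get(&self) -> &T {
        unsafe { (*self.0.get()).as_ref().expect("not assigned") }
    }
}

// Compile-time probe: the inherent const is chosen only when T: Sync holds,
// otherwise resolution falls back to the trait default.
pub struct Probe<T>(PhantomData<T>);
pub trait NotSync { const IS_SYNC: bool = false; }
impl<T> NotSync for Probe<T> {}
impl<T: Sync> Probe<T> { pub const IS_SYNC: bool = true; }

pub fn before_shares_cell() -> bool { <Probe<LateBefore<Cell<u32>>>>::IS_SYNC }
pub fn after_shares_cell() -> bool { <Probe<LateAfter<Cell<u32>>>>::IS_SYNC }
pub fn after_shares_atomic() -> bool { <Probe<LateAfter<AtomicU32>>>::IS_SYNC }

// A static must be Sync; this compiles because AtomicU32 is Sync.
static COUNTER: LateAfter<AtomicU32> = LateAfter::new();

pub fn count_from_threads() -> u32 {
    unsafe { COUNTER.assign(AtomicU32::new(0)) };
    std::thread::scope(|s| {
        for _ in 0..4 {
            s.spawn(|| { COUNTER.get().fetch_add(1, Ordering::Relaxed); });
        }
    });
    COUNTER.get().load(Ordering::Relaxed)
}

fn main() {
    println!("{} {} {}", before_shares_cell(), after_shares_cell(), after_shares_atomic());
    println!("{}", count_from_threads());
}
```

With the corrected bound, declaring a static LateAfter<Cell<u32>> is rejected by the compiler, which is the check that the T: Send bound bypassed.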

Advisory available under CC0-1.0 license.