Reported

November 16, 2020

Issued

January 22, 2021 (last modified: June 13, 2023)

Package

ruspiro-singleton (crates.io)

Type

Vulnerability

Categories

• memory-corruption
• thread-safety

Keywords

#concurrency

Aliases

• CVE-2020-36435
• GHSA-fqq2-xp7m-xvm8

References

• https://github.com/RusPiRo/ruspiro-singleton/issues/10

CVSS Score

8.1 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

High

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

• >=0.4.1

Description

Singleton<T> is meant to be a static object that can be initialized lazily. In order to satisfy the requirement that static items must implement Sync, Singleton implemented both Sync and Send unconditionally.

This allows for a bug where non-Sync types such as Cell can be used in singletons and cause data races in concurrent programs.

The flaw was corrected in commit b0d2bd20e by adding trait bounds, requiring the contaiend type to implement Sync.

Advisory available under CC0-1.0 license.