RUSTSEC-2020-0122

beef::Cow lacks a Sync bound on its Send trait allowing for data races

Issued
Package
beef (crates.io)
Type
Vulnerability
Categories
  • memory-corruption
  • thread-safety
Details
https://github.com/maciejhirsz/beef/issues/37
Patched
  • >=0.5.0

Description

Affected versions of this crate did not have a T: Sync bound in the Send impl for Cow<'_, T, U>. This allows users to create data races by making Cow contain types that are (Send && !Sync) like Cell<_> or RefCell<_>.

Such data races can lead to memory corruption.

The flaw was corrected in commit d1c7658 by adding trait bounds T: Sync and T::Owned: Send to the Send impl for Cow<'_, T, U>.

More