RUSTSEC-2020-0122

beef::Cow lacks a Sync bound on its Send trait allowing for data races

Issued

October 28, 2020

Package

beef (crates.io)

Type

Vulnerability

Categories

memory-corruption
thread-safety

Details

https://github.com/maciejhirsz/beef/issues/37

Patched

>=0.5.0

Description

Affected versions of this crate did not have a T: Sync bound in the Send impl for Cow<'_, T, U>. This allows users to create data races by making Cow contain types that are (Send && !Sync) like Cell<_> or RefCell<_>.

Such data races can lead to memory corruption.

The flaw was corrected in commit d1c7658 by adding trait bounds T: Sync and T::Owned: Send to the Send impl for Cow<'_, T, U>.

Advisory History
Edit Advisory

Description

More