RUSTSEC-2020-0122: beef: beef::Cow lacks a Sync bound on its Send trait allowing for data races

Next: RUSTSEC-2020-0072: futures-intrusive: GenericMutexGuard allows data races of non-Sync types across threads
Previous: RUSTSEC-2020-0059: futures-util: MutexGuard::map can cause a data race in safe code

October 28, 2020

Description

Affected versions of this crate did not have a T: Sync bound in the Send impl for Cow<'_, T, U>. This allows users to create data races by making Cow contain types that are (Send && !Sync) like Cell<_> or RefCell<_>.

Such data races can lead to memory corruption.

The flaw was corrected in commit d1c7658 by adding trait bounds T: Sync and T::Owned: Send to the Send impl for Cow<'_, T, U>.

More Info

https://github.com/maciejhirsz/beef/issues/37

Patched Versions

>=0.5.0