HistoryEdit

RUSTSEC-2020-0125

convec::ConVec unconditionally implements Send/Sync

Reported
Issued
Package
convec (crates.io)
Type
Vulnerability
Categories
Aliases
Details
https://github.com/krl/convec/issues/2
CVSS Score
8.1 HIGH
CVSS Details
Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Patched
no patched versions

Description

Affected versions of this crate unconditionally implement Send/Sync for ConVec<T>. This allows users to insert T that is not Send or not Sync.

This allows users to create data races by using non-Send types like Arc<Cell<_>> or Rc<_> as T in ConVec<T>. It is also possible to create data races by using types like Cell<_> or RefCell<_> as T (types that are Send but not Sync). Such data races can lead to memory corruption.