HistoryEdit

RUSTSEC-2022-0012

Arrow2 allows double free in safe code

Issued
Package
arrow2 (crates.io)
Type
Vulnerability
Categories
Details
https://github.com/jorgecarleitao/arrow2/issues/880
Patched
  • >=0.7.1, <0.8
  • >=0.8.2, <0.9
  • >=0.9.2, <0.10
  • >=0.10.0

Description

The struct Ffi_ArrowArray implements #derive(Clone) that is inconsistent with its custom implementation of Drop, resulting in a double free when cloned.

Cloning this struct in safe results in a segmentation fault, which is unsound.

This derive was removed from this struct. All users are advised to either:

Doing so elimitates this vulnerability (code no longer compiles).