RUSTSEC-2023-0058

Exposes reference to non-Sync data to an arbitrary thread

Reported

September 10, 2023

Issued

September 10, 2023 (last modified: February 10, 2024)

Package

inventory (crates.io)

Type

INFO Unsound

Categories

thread-safety

Keywords

#life-before-main

Aliases

GHSA-36xm-35qq-795w

References

https://github.com/dtolnay/inventory/pull/42

Patched

>=0.2.0

Description

Affected versions do not enforce a Sync bound on the type of caller-provided value held in the plugin registry. References to these values are made accessible to arbitrary threads other than the one that constructed them.

A caller could use this flaw to submit thread-unsafe data into inventory, then access it as a reference simultaneously from multiple threads.

The flaw was corrected by enforcing that data submitted by the caller into inventory is Sync.

Advisory available under CC0-1.0 license.