Reported

November 10, 2023

Issued

November 11, 2023 (last modified: February 10, 2024)

Package

self_cell (crates.io)

Type

Vulnerability

Keywords

#unsound #self_cell #self-referential

Aliases

• GHSA-48m6-wm5p-rr6h

References

• https://github.com/Voultapher/self_cell/issues/49

Patched

• >=0.10.3, <1.0.0
• >=1.0.2

Description

All public versions prior to 1.02 used an insufficient check to ensure that users correctly marked the dependent type as either covariant or not_covariant. This allowed users to mark a dependent as covariant even though its type was not covariant but invariant, for certain invariant types involving trait object lifetimes. One example for such a dependent type is type Dependent<'a> = RefCell<Box<dyn fmt::Display + 'a>>. Such a type allowed unsound usage in purely safe user code that leads to undefined behavior. The patched versions now produce a compile time error if such a type is marked as covariant.

Advisory available under CC0-1.0 license.