rustsec-2020-0062
Vulnerability from osv_rustsec
Published
2020-01-24 12:00
Modified
2023-06-13 13:10
Summary
Improper `Sync` implementation on `FuturesUnordered` in futures-util can cause data corruption
Details
Affected versions of the crate had an unsound `Sync` implementation on the `FuturesUnordered` structure, which used a `Cell` for interior mutability without any code to handle synchronized access to the underlying task list's length and head safely.
This could lead to data corruption, since two threads modifying the list at once could see incorrect values due to the lack of access synchronization.
The issue was fixed by adding access synchronization code around insertion of tasks into the list.
{
"affected": [
{
"database_specific": {
"categories": [
"memory-corruption",
"thread-safety"
],
"cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"informational": null
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [
"futures_util::stream::FuturesUnordered"
],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "futures-util",
"purl": "pkg:cargo/futures-util"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.0"
},
{
"fixed": "0.3.2"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"CVE-2020-35908",
"GHSA-5r9g-j7jj-hw6c"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "Affected versions of the crate had an unsound `Sync` implementation on the `FuturesUnordered` structure, which used a `Cell` for\ninterior mutability without any code to handle synchronized access to the underlying task list\u0027s length and head safely.\n\nThis could of lead to data corruption since two threads modifying the list at once could see incorrect values due to the lack\nof access synchronization.\n\nThe issue was fixed by adding access synchronization code around insertion of tasks into the list.",
"id": "RUSTSEC-2020-0062",
"modified": "2023-06-13T13:10:24Z",
"published": "2020-01-24T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/futures-util"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0062.html"
},
{
"type": "REPORT",
"url": "https://github.com/rust-lang/futures-rs/issues/2050"
}
],
"related": [],
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper `Sync` implementation on `FuturesUnordered` in futures-utils can cause data corruption"
}