GHSA-5j8w-r7g8-5472: Arrow2 allows double free in `safe` code

June 16, 2022

The struct Ffi_ArrowArray implements #derive(Clone) that is inconsistent with its custom implementation of Drop, resulting in a double free when cloned.

Cloning this struct in safe results in a segmentation fault, which is unsound.

This derive was removed from this struct. All users are advised to either:

bump the patch version of this crate (for versions v0.7,v0.8,v0.9), or
migrate to a more recent version of the crate (when using <0.7).

Doing so elimitates this vulnerability (code no longer compiles).

References

github.com/advisories/GHSA-5j8w-r7g8-5472
github.com/jorgecarleitao/arrow2
github.com/jorgecarleitao/arrow2/issues/880
rustsec.org/advisories/RUSTSEC-2022-0012.html

Code Behaviors & Features

Detect and mitigate GHSA-5j8w-r7g8-5472 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →