CVE-2020-36450: Data races in bunch
An issue was discovered in the bunch crate through 2020-11-12 for Rust.
Affected versions of this crate unconditionally implement Send/Sync for Bunch<T>.
This allows users to insert a T: !Sync into Bunch<T>. A data race on a T: !Sync can then be created by invoking the Bunch::get() API (which returns &T) from multiple threads. It is also possible to send a T: !Send to other threads by inserting T inside Bunch<T> and sending the Bunch<T> to another thread, which allows a data race to be created with types like T = Rc<_>.
Such data races can lead to memory corruption.
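The bounded form of these impls, shown as an added example that is not the bunch crate's code: MiniBunch, assert_send_sync and shared_sum are hypothetical names, and the container is a minimal stand-in that only mirrors the get() -> &T shape described above.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;
use std::thread;

// Hypothetical stand-in for a Bunch-like container (not the crate's code).
// The raw pointer makes it !Send and !Sync until the author opts in.
pub struct MiniBunch<T> { items: *mut [T] }

impl<T> MiniBunch<T> {
    pub fn new(items: Vec<T>) -> Self {
        MiniBunch { items: Box::into_raw(items.into_boxed_slice()) }
    }
    // Hands out &T, so sharing &MiniBunch<T> across threads shares &T.
    pub fn get(&self, i: usize) -> Option<&T> {
        // SAFETY: `items` came from Box::into_raw and lives until Drop.
        unsafe { (&*self.items).get(i) }
    }
}

impl<T> Drop for MiniBunch<T> {
    fn drop(&mut self) {
        // SAFETY: allocated in `new`, released exactly once here.
        unsafe { drop(Box::from_raw(self.items)) }
    }
}

// Pattern the advisory describes (unbounded, so T = Rc<_> is accepted):
//   unsafe impl<T> Send for MiniBunch<T> {}
//   unsafe impl<T> Sync for MiniBunch<T> {}
// Bounded form: the container is only as thread-safe as its element type.
unsafe impl<T: Send> Send for MiniBunch<T> {}
unsafe impl<T: Sync> Sync for MiniBunch<T> {}
// Compile-time check; with the bounded impls, MiniBunch<Rc<u8>> is rejected.
fn assert_send_sync<T: Send + Sync>() {}

// Shares one container across `threads` workers through get().
pub fn shared_sum(threads: usize) -> usize {
    assert_send_sync::<MiniBunch<AtomicUsize>>();
    let bunch = Arc::new(MiniBunch::new(vec![AtomicUsize::new(0)]));
    let workers: Vec<_> = (0..threads).map(|_| {
        let b = Arc::clone(&bunch);
        thread::spawn(move || for _ in 0..1000 {
            b.get(0).unwrap().fetch_add(1, Ordering::Relaxed);
        })
    }).collect();
    workers.into_iter().for_each(|w| w.join().unwrap());
    bunch.get(0).unwrap().load(Ordering::Relaxed)
}

fn main() { println!("{}", shared_sum(4)); }
```

Keeping a call such as assert_send_sync::<MiniBunch<AtomicUsize>>() in a unit test turns any later change to the impl bounds into a compile error rather than a silent soundness regression.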