CVE-2020-36471: Data races in generator
The Generator type is an iterable which uses a generator function that yields
values. In affected versions of the crate, the provided function yielding values
had no Send bounds despite the Generator itself implementing Send.
The generator function lacking a Send bound means that types that are
dangerous to send across threads such as Rc could be sent as part of a
generator, potentially leading to data races.
References
- github.com/Xudong-Huang/generator-rs
- github.com/Xudong-Huang/generator-rs/commit/f7d120a3b724d06a7b623d0a4306acf8f78cb4f0
- github.com/Xudong-Huang/generator-rs/issues/27
- github.com/advisories/GHSA-w3g5-2848-2v8r
- nvd.nist.gov/vuln/detail/CVE-2020-36471
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/generator/RUSTSEC-2020-0151.md
- rustsec.org/advisories/RUSTSEC-2020-0151.html
Code Behaviors & Features
Detect and mitigate CVE-2020-36471 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →