CVE-2020-35908

MEDIUM 5.5 | EPSS 0.05%

Improper `Sync` implementation on `FuturesUnordered` in futures-utils can cause data corruption

Published: 2022/5/24 | Modified: 2023/11/8
Also known as: GHSA-5r9g-j7jj-hw6c, RUSTSEC-2020-0062

Description

Affected versions of the crate had an unsound `Sync` implementation on the `FuturesUnordered` structure, which used a `Cell` for interior mutability without any code to handle synchronized access to the underlying task list's length and head safely. This could lead to data corruption, since two threads modifying the list at once could see incorrect values due to the lack of access synchronization. The issue was fixed by adding access synchronization code around insertion of tasks into the list.
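The pattern described above, as an added example (a simplified model, not the crate's own code): a `Cell`-backed counter forced to be `Sync` with `unsafe impl`, next to a version that synchronizes the update. The type and function names (`UnsoundList`, `SyncList`, `concurrent_len`) are hypothetical, and the atomic counter stands in for whatever synchronization the actual fix uses.

```rust
use std::cell::Cell;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;
use std::thread;

// Hypothetical model of the unsound pattern: `Cell` is not `Sync`, so the
// `unsafe impl` below is a promise the type cannot keep.
pub struct UnsoundList {
    len: Cell<usize>,
}
unsafe impl Sync for UnsoundList {}

impl UnsoundList {
    pub fn new() -> Self { UnsoundList { len: Cell::new(0) } }
    // Unsynchronized read-modify-write through `&self`: two threads calling
    // this at once is a data race, and updates can be lost.
    pub fn push(&self) { self.len.set(self.len.get() + 1); }
    pub fn len(&self) -> usize { self.len.get() }
}

// Corrected model: the counter is an atomic, so the type is `Sync` without
// any `unsafe impl` and concurrent pushes are well defined.
pub struct SyncList {
    len: AtomicUsize,
}

impl SyncList {
    pub fn new() -> Self { SyncList { len: AtomicUsize::new(0) } }
    pub fn push(&self) { self.len.fetch_add(1, Ordering::AcqRel); }
    pub fn len(&self) -> usize { self.len.load(Ordering::Acquire) }
}

// Push `per_thread` items from each of `threads` threads; return the length.
pub fn concurrent_len(threads: usize, per_thread: usize) -> usize {
    let list = Arc::new(SyncList::new());
    let handles: Vec<_> = (0..threads)
        .map(|_| {
            let list = Arc::clone(&list);
            thread::spawn(move || (0..per_thread).for_each(|_| list.push()))
        })
        .collect();
    for h in handles { h.join().unwrap(); }
    list.len()
}

fn main() {
    let u = UnsoundList::new();
    u.push(); // single-threaded use only; sharing `u` across threads is the bug
    println!("unsound (1 thread): {}, sync (8 threads): {}", u.len(), concurrent_len(8, 10_000));
}
```

Without the `unsafe impl Sync` line the compiler rejects any attempt to share `UnsoundList` between threads, which is why a hand-written `Sync` impl on a type containing `Cell` is worth flagging in review.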

Affected packages (2)

CVSS score

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |

References (5)