CVE-2020-36471
MEDIUM5.9EPSS 0.28%Generators can cause data races if non-Send types are used in their generator functions
發布日:2021/8/25修改日:2023/11/8
描述
The `Generator` type is an iterable which uses a generator function that yields values. In affected versions of the crate, the provided function yielding values had no `Send` bounds despite the `Generator` itself implementing `Send`. The generator function lacking a `Send` bound means that types that are dangerous to send across threads such as `Rc` could be sent as part of a generator, potentially leading to data races. This flaw was fixed in commit [`f7d120a3b`](https://github.com/Xudong-Huang/generator-rs/commit/f7d120a3b724d06a7b623d0a4306acf8f78cb4f0) by enforcing that the generator function be bound by `Send`.
受影響套件(3)
- crates.io/generatorfrom 0, < 0.7.0
- crates.io/generator>= 0.0.0-0, < 0.7.0
- Debian/rust-generatorfrom 0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
參考連結(8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-36471
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2020-36471
- PATCHhttps://crates.io/crates/generator
- PATCHhttps://github.com/Xudong-Huang/generator-rs
- WEBhttps://github.com/Xudong-Huang/generator-rs/commit/f7d120a3b724d06a7b623d0a4306acf8f78cb4f0
- WEBhttps://github.com/Xudong-Huang/generator-rs/issues/27
- WEBhttps://raw.githubusercontent.com/rustsec/advisory-db/main/crates/generator/RUSTSEC-2020-0151.md
- WEBhttps://rustsec.org/advisories/RUSTSEC-2020-0151.html