CVE-2020-36442: Data races in beef
An issue was discovered in the beef crate before 0.5.0 for Rust. Affected versions of this crate did not have a T: Sync bound in the Send impl for Cow<'_, T, U>. This allows users to create data races by making Cow contain types that are Send && !Sync, such as Cell<_> or RefCell<_>. Such data races can lead to memory corruption.

The flaw was corrected in commit d1c7658 by adding the trait bounds T: Sync and T::Owned: Send to the Send impl for Cow<'_, T, U>.
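The following is an added illustration, not code from the beef crate or from the fixing commit. It uses a simplified Cow-like enum (the hypothetical names MyCowUnsound and MyCowSound, without beef's third generic parameter U) to show why a Send impl with only T: Send is unsound: the Borrowed variant holds a &T, and &T is only Send when T: Sync, so a Send-but-not-Sync type such as RefCell crosses the thread boundary. The corrected impl adds the Sync bound, after which the same transfer is a compile error while Sync types such as Mutex still work. The threads are sequenced with join() so the demonstration does not itself execute a data race; it requires Rust 1.63 or later for std::thread::scope.

```rust
// Added example, not the beef crate's code: a minimal Cow-like type that
// reproduces the missing `T: Sync` bound described in CVE-2020-36442, with the
// corrected impl beside it. MyCowUnsound/MyCowSound are hypothetical names.
use std::cell::RefCell;
use std::sync::Mutex;
use std::thread;

/// Simplified stand-in for beef::Cow: either a borrowed `&T` or an owned `T`.
pub enum MyCowUnsound<'a, T> {
    Borrowed(&'a T),
    Owned(T),
}

/// The buggy shape (pre-0.5.0): only `T: Send` is required. The Borrowed
/// variant holds `&T`, and `&T: Send` needs `T: Sync`, so this bound is too
/// weak: types that are Send but !Sync (Cell, RefCell) slip through.
unsafe impl<'a, T: Send> Send for MyCowUnsound<'a, T> {}

pub enum MyCowSound<'a, T> {
    Borrowed(&'a T),
    Owned(T),
}

/// The corrected shape: `T: Sync` covers the borrowed case and `T: Send`
/// the owned case (beef's fix bounds `T::Owned: Send` for the owned data).
unsafe impl<'a, T: Sync + Send> Send for MyCowSound<'a, T> {}

/// Compile-time witness: this only type-checks when `T: Send`.
pub fn is_send<T: Send>(_: &T) -> bool {
    true
}

/// Smuggle a `&RefCell<Vec<u8>>` into a second thread through the unsound impl.
/// Both threads may then call borrow_mut() on the same cell; RefCell's borrow
/// flag is not atomic, so concurrent calls would be a data race. The join()
/// keeps this demo race-free while still showing that the transfer type-checks.
pub fn unsound_cross_thread() -> Vec<u8> {
    let cell = RefCell::new(Vec::new());
    let cow = MyCowUnsound::Borrowed(&cell); // RefCell<Vec<u8>>: Send, so cow: Send
    assert!(is_send(&cow));
    thread::scope(|s| {
        s.spawn(move || {
            if let MyCowUnsound::Borrowed(r) = cow {
                r.borrow_mut().push(1); // &RefCell used from another thread
            }
        })
        .join()
        .unwrap();
    });
    cell.borrow_mut().push(2);
    cell.into_inner()
}

/// With the corrected bound the RefCell version no longer compiles:
///   let cow = MyCowSound::Borrowed(&cell);
///   thread::scope(|s| { s.spawn(move || { let _ = cow; }); });
///   error[E0277]: `RefCell<Vec<u8>>` cannot be shared between threads safely
/// A Sync type such as Mutex is still accepted, as shown here.
pub fn sound_cross_thread() -> u64 {
    let m = Mutex::new(0u64);
    let cow = MyCowSound::Borrowed(&m);
    assert!(is_send(&cow));
    thread::scope(|s| {
        s.spawn(move || {
            if let MyCowSound::Borrowed(r) = cow {
                *r.lock().unwrap() += 40;
            }
        });
    }); // scope exit waits for the spawned thread
    *m.lock().unwrap() += 2;
    let total = *m.lock().unwrap();
    total
}

fn main() {
    println!("unsound path produced {:?}", unsound_cross_thread());
    println!("sound path produced {}", sound_cross_thread());
}
```

The practical check for a crate author is the one the fix encodes: any unsafe impl Send for a type that can hold a &T must require T: Sync, and any variant that owns data must require that data to be Send.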