GHSA-h6gg-fvf5-qgwf: Data races in generator

August 25, 2021

The Generator type is an iterable which uses a generator function that yields values. In affected versions of the crate, the provided function yielding values had no Send bounds despite the Generator itself implementing Send.

The generator function lacking a Send bound means that types that are dangerous to send across threads such as Rc could be sent as part of a generator, potentially leading to data races.

References

github.com/Xudong-Huang/generator-rs
github.com/Xudong-Huang/generator-rs/commit/f7d120a3b724d06a7b623d0a4306acf8f78cb4f0
github.com/Xudong-Huang/generator-rs/issues/27
github.com/advisories/GHSA-h6gg-fvf5-qgwf
rustsec.org/advisories/RUSTSEC-2020-0151.html

Detect and mitigate GHSA-h6gg-fvf5-qgwf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →