CVE-2020-36435: Data race in ruspiro-singleton
Singleton<T> is meant to be a static object that can be initialized lazily. In
order to satisfy the requirement that static items must implement Sync,
Singleton implemented both Sync and Send unconditionally.
This allows for a bug where non-Sync types such as Cell can be used in
singletons and cause data races in concurrent programs.
The flaw was corrected in commit b0d2bd20e by adding trait bounds, requiring
the contaiend type to implement Sync.
References
- github.com/RusPiRo/ruspiro-singleton
- github.com/RusPiRo/ruspiro-singleton/commit/b0d2bd20eb40b9cbc2958b981ba2dcd9e6f9396e
- github.com/RusPiRo/ruspiro-singleton/issues/10
- github.com/RusPiRo/ruspiro-singleton/pull/11
- github.com/advisories/GHSA-fqq2-xp7m-xvm8
- nvd.nist.gov/vuln/detail/CVE-2020-36435
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/ruspiro-singleton/RUSTSEC-2020-0115.md
- rustsec.org/advisories/RUSTSEC-2020-0115.html
Detect and mitigate CVE-2020-36435 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →