CVE-2020-36434: Double free in sys-info

August 25, 2021 (updated June 13, 2023)

Affected versions of sys-info use a static, global, list to store temporary disk information while running. The function that cleans up this list, DFCleanup, assumes a single threaded environment and will try to free the same memory twice in a multithreaded environment. This results in consistent double-frees and segfaults when calling sys_info::disk_info from multiple threads at once. The issue was fixed by moving the global variable into a local scope.

References

github.com/FillZpp/sys-info-rs
github.com/FillZpp/sys-info-rs/issues/63
github.com/advisories/GHSA-2f5j-3mhq-xv58
nvd.nist.gov/vuln/detail/CVE-2020-36434
raw.githubusercontent.com/rustsec/advisory-db/main/crates/sys-info/RUSTSEC-2020-0100.md
rustsec.org/advisories/RUSTSEC-2020-0100.html

Detect and mitigate CVE-2020-36434 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →