GHSA-w59h-378f-2frm: Unsound sending of non-Send types across threads in threadalone
Affected versions can run the Drop impl of a non-Send type on a different thread than it was created on.

The flaw occurs when a stderr write performed by the threadalone crate fails, for example because stderr is redirected to a location on a filesystem that is full, or because stderr is a pipe that has been closed by the reader.

Dropping a non-Send type on the wrong thread is unsound. If used with a type such as a pthread-based MutexGuard, the consequence is undefined behavior. If used with Rc, there would be a data race on the reference count, which is likewise undefined behavior.