CVE-2020-36220: Data race in va-ts
In the affected versions of this crate, Demuxer unconditionally implemented Send with no trait bounds on T. This allows sending a non-Send type T across thread boundaries, which can cause undefined behavior such as unlocking a mutex from a thread that didn’t lock it, or memory corruption from a data race. The flaw was corrected in commit 0562cbf by adding a T: Send bound to the Send impl for Demuxer.
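The bounded impl described above, shown on a hypothetical Holder<T> wrapper. This is an added example, not the va-ts source: Holder, assert_send and bump_on_threads are assumed names, and the compile-time assert_send check is one way to catch a missing bound in a test suite.

```rust
use std::marker::PhantomData;
use std::sync::{Arc, Mutex};
use std::thread;

// Hypothetical stand-in for a generic type like Demuxer<T>; not the va-ts source.
// The raw-pointer marker switches off the auto-derived Send, so a manual impl
// is the only way this type becomes Send.
pub struct Holder<T> {
    inner: T,
    _not_auto_send: PhantomData<*const ()>,
}

impl<T> Holder<T> {
    pub fn new(inner: T) -> Self {
        Holder { inner, _not_auto_send: PhantomData }
    }
    pub fn into_inner(self) -> T {
        self.inner
    }
}

// Unsound pattern from the advisory (left commented out):
//     unsafe impl<T> Send for Holder<T> {}
// With it, Holder<Rc<_>> or Holder<MutexGuard<_>> would be accepted by thread::spawn.
// Corrected pattern: Holder<T> is Send only when T is Send.
unsafe impl<T: Send> Send for Holder<T> {}

// Compile-time check: instantiating this with a non-Send type is a build error.
fn assert_send<T: Send>() {}

// Constructed workload: n threads each receive a Holder and bump a shared counter.
pub fn bump_on_threads(n: u32) -> u32 {
    assert_send::<Holder<Arc<Mutex<u32>>>>();
    // assert_send::<Holder<std::rc::Rc<u32>>>(); // rejected: Rc<u32> is not Send
    let counter = Arc::new(Mutex::new(0u32));
    let handles: Vec<_> = (0..n)
        .map(|_| {
            let h = Holder::new(Arc::clone(&counter));
            thread::spawn(move || {
                *h.into_inner().lock().unwrap() += 1;
            })
        })
        .collect();
    for h in handles { h.join().unwrap(); }
    let total = *counter.lock().unwrap();
    total
}

fn main() { println!("{}", bump_on_threads(8)); }
```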