hello-world.rs icon indicating copy to clipboard operation
hello-world.rs copied to clipboard

Published 20 hours ago • verified publisher icon mTvare6

CVE-2020-15254 (High) detected in crossbeam-queue-0.1.2.crate, crossbeam-channel-0.3.9.crate

Open mend-bolt-for-github[bot] opened this issue 3 years ago • 2 comments

CVE-2020-15254 - High Severity Vulnerability

Vulnerable Libraries - crossbeam-queue-0.1.2.crate, crossbeam-channel-0.3.9.crate

crossbeam-queue-0.1.2.crate

Concurrent queues

Library home page: https://crates.io/api/v1/crates/crossbeam-queue/0.1.2/download

Dependency Hierarchy:

  • amethyst-0.15.3.crate (Root Library)
    • amethyst_ui-0.15.3.crate
      • amethyst_assets-0.15.3.crate
        • :x: crossbeam-queue-0.1.2.crate (Vulnerable Library)
crossbeam-channel-0.3.9.crate

Multi-producer multi-consumer channels for message passing

Library home page: https://crates.io/api/v1/crates/crossbeam-channel/0.3.9/download

Dependency Hierarchy:

  • amethyst-0.15.3.crate (Root Library)
    • amethyst_ui-0.15.3.crate
      • amethyst_rendy-0.15.3.crate
        • rendy-0.4.1.crate
          • rendy-resource-0.4.1.crate
            • :x: crossbeam-channel-0.3.9.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

Crossbeam is a set of tools for concurrent programming. In crossbeam-channel before version 0.4.4, the bounded channel incorrectly assumes that Vec::from_iter has allocated capacity that same as the number of iterator elements. Vec::from_iter does not actually guarantee that and may allocate extra memory. The destructor of the bounded channel reconstructs Vec from the raw pointer based on the incorrect assumes described above. This is unsound and causing deallocation with the incorrect capacity when Vec::from_iter has allocated different sizes with the number of iterator elements. This has been fixed in crossbeam-channel 0.4.4.

Publish Date: 2020-10-16

URL: CVE-2020-15254

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-28

Fix Resolution: crossbeam-channel-0.4.4, crossbeam-0.8.0

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] avatar Sep 27 '21 15:09 mend-bolt-for-github[bot]

LIES RUST:rocket: IS 100% SAFE

meisme-dev avatar Aug 07 '22 23:08 meisme-dev

Vera Verba

mTvare6 avatar Aug 09 '22 15:08 mTvare6