PT-2020-17543 · Rust+1 · Lock Api+1

Published

2020-11-08

Updated

2021-08-25

CVE-2020-35911

CVSS v3.1

4.7

Medium

Vector

AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions lock api versions prior to 0.4.2

Description An issue in the lock api crate for Rust can cause a data race due to unsoundness in certain guard objects. The affected guard objects include MappedMutexGuard, MappedRwLockReadGuard, MappedRwLockWriteGuard, RwLockReadGuard, and RwLockWriteGuard. These guards can allow data races through types that are not safe to send across thread boundaries in safe Rust code.

Recommendations For versions prior to 0.4.2, update to version 0.4.2 or later to fix the issue by changing the trait bounds on the Mapped guard types and removing the Sync trait for the RwLock guards. As a temporary workaround, consider restricting the use of the affected guard objects to minimize the risk of exploitation.

Fix

Race Condition

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-362

Related Identifiers

CVE-2020-35911

GHSA-5WG8-7C9Q-794V

GHSA-GMV4-VMX3-X9F3

GHSA-HJ9H-WRGG-HGMX

GHSA-PPJ3-7JW3-8VC4

GHSA-VH4P-6J7G-F4J9

RUSTSEC-2020-0070

Affected Products

Debian

Lock Api

PT-2020-17543 · Rust+1 · Lock Api+1

CVE-2020-35911

Weakness Enumeration

Related Identifiers

Affected Products

References · 22