RUSTSEC-2023-0070: Vulnerability in self_cell

Rust Crates.io Security Advisory



Insufficient covariance check makes self_cell unsound



Package: self_cell (crates.io)

Type: Vulnerability

Keywords: #unsound #self_cell #self-referential

Patched
  • >=0.10.3, <1.0.0
  • >=1.0.2

Description

All public versions prior to 1.0.2 used an insufficient check to ensure that
users correctly marked the dependent type as either covariant or
not_covariant. This allowed users to mark a dependent as covariant even though
its type was not covariant but invariant, for certain invariant types involving
trait object lifetimes. One example of such a dependent type is
`type Dependent<'a> = RefCell>`. Such a type allowed unsound usage in purely
safe user code that leads to undefined behavior. The patched versions now
produce a compile-time error if such a type is marked as covariant.
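The compile-time check the patched versions rely on can be illustrated with a small covariance probe. This is an added example, not self_cell's own macro or code; it assumes `RefCell<Box<dyn Debug + 'a>>` as a stand-in for the advisory's invariant trait-object type (whose exact text is only partially preserved on this page), and the names `assert_covariant`, `StrDep`, `AnyDep`, `CellDep`, `store_and_inspect` and `shrink_then_measure` are invented for the illustration.

```rust
use std::cell::RefCell;
use std::fmt::Debug;

// Covariance probe in the spirit of the check the advisory describes (added
// illustration, not self_cell's own macro). If `$dep<'a>` is covariant in 'a,
// returning a `'long` value as a `'short` one type-checks; for an invariant
// type the borrow checker rejects the body `x`, i.e. a compile-time error.
macro_rules! assert_covariant {
    ($probe:ident, $dep:ident) => {
        #[allow(dead_code)]
        fn $probe<'long: 'short, 'short>(x: $dep<'long>) -> $dep<'short> {
            x
        }
    };
}

// Covariant dependents: shrinking the lifetime is sound, so the probes compile.
type StrDep<'a> = &'a str;
type AnyDep<'a> = Box<dyn Debug + 'a>;
assert_covariant!(str_probe, StrDep);
assert_covariant!(boxed_dyn_probe, AnyDep);

// Invariant dependent (assumed stand-in for the advisory's type): interior
// mutability wrapped around a trait object with a lifetime bound. The probe
// for it must NOT compile; that rejection is what the patched versions add:
//
//   assert_covariant!(cell_probe, CellDep); // error: lifetime may not live long enough
type CellDep<'a> = RefCell<Box<dyn Debug + 'a>>;

// Why invariance is required: the cell is writable through any shared borrow.
// If a `CellDep<'long>` could be viewed as a `CellDep<'short>`, a value that
// only borrows for 'short could be stored, then read back through the 'long
// view after its referent is gone. Invariance forces both sides to one 'a.
fn store_and_inspect<'a>(cell: &CellDep<'a>, value: Box<dyn Debug + 'a>) -> String {
    *cell.borrow_mut() = value;
    let guard = cell.borrow();
    format!("{:?}", &*guard)
}

// Legitimate use of a covariant dependent: a 'static str is handed out with a
// shorter (inferred) lifetime and still usable.
fn shrink_then_measure(long: &'static str) -> usize {
    let short: &str = str_probe(long);
    short.len()
}
```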

Advisory available under CC0-1.0 license.