RUSTSEC-2024-0005: Unsoundness in threadalone

Rust Crates.io Security Advisory



RUSTSEC-2024-0005

Unsound sending of non-Send types across threads


Reported
Issued

Package

threadalone (crates.io)

Type

INFO Unsound

References

Patched

  • >=0.2.1

Description

Affected versions can run the Drop impl of a non-Send type on a different
thread than it was created on.

The flaw occurs when a stderr write performed by the threadalone crate fails,
for example because stderr is redirected to a location on a filesystem that is
full, or because stderr is a pipe that has been closed by the reader.

Dropping a non-Send type on the wrong thread is unsound. If used with a type
such as a pthread-based MutexGuard, the consequence is undefined behavior. If
used with Rc, there would be a data race on the reference count, which is
likewise undefined behavior.
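
An added example, not code from threadalone or from this advisory: a minimal thread-pinned wrapper in which a failed stderr write cannot lead to the inner value being dropped off its owner thread. `Pinned`, `Tracker` and `demo` are hypothetical names, and the design (leak on the wrong thread, discard the write result, hold the value in `ManuallyDrop`) is an assumption, not necessarily the fix shipped in 0.2.1.

```rust
use std::io::Write;
use std::marker::PhantomData;
use std::mem::ManuallyDrop;
use std::sync::{atomic::{AtomicUsize, Ordering}, Arc};
use std::thread::{self, ThreadId};

/// Hypothetical wrapper (not threadalone's API): drops `value` only on its owner thread.
pub struct Pinned<T> {
    value: ManuallyDrop<T>,
    owner: ThreadId,
}

// SAFETY: the inner value is never accessed or dropped off its owner thread.
unsafe impl<T> Send for Pinned<T> {}
impl<T> Pinned<T> {
    pub fn new(value: T) -> Self {
        Pinned { value: ManuallyDrop::new(value), owner: thread::current().id() }
    }
}

impl<T> Drop for Pinned<T> {
    fn drop(&mut self) {
        if thread::current().id() == self.owner {
            // SAFETY: owner thread, and `value` is dropped exactly once.
            unsafe { ManuallyDrop::drop(&mut self.value) };
        } else {
            // Wrong thread: leak. The write result is discarded, so a closed or
            // full stderr cannot panic here; ManuallyDrop blocks implicit drops.
            let _ = writeln!(std::io::stderr(), "Pinned dropped off-thread; leaking");
        }
    }
}

/// Constructed non-Send test type that counts runs of its Drop impl.
pub struct Tracker(pub Arc<AtomicUsize>, pub PhantomData<*const ()>);
impl Drop for Tracker {
    fn drop(&mut self) { self.0.fetch_add(1, Ordering::SeqCst); }
}

/// Returns (drop count after off-thread drop, count after owner-thread drop).
pub fn demo() -> (usize, usize) {
    let count = Arc::new(AtomicUsize::new(0));
    let moved = Pinned::new(Tracker(count.clone(), PhantomData));
    thread::spawn(move || drop(moved)).join().unwrap();
    let off_thread = count.load(Ordering::SeqCst);
    drop(Pinned::new(Tracker(count.clone(), PhantomData)));
    (off_thread, count.load(Ordering::SeqCst))
}
fn main() { println!("{:?}", demo()); }
```

Leaking on the wrong thread trades a resource leak for soundness: the inner `Drop` never runs anywhere except the thread that created the value.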

Advisory available under CC0-1.0 license.
