[RUSTSEC-2021-0093] Data race in crossbeam-deque

Severity Critical

Affected Packages 1

Fixed Packages 2

CVEs 1

In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug.

Crates using Stealer::steal, Stealer::steal_batch, or Stealer::steal_batch_and_pop are affected by this issue.

Credits to @kmaork for discovering, reporting and fixing the bug.

Package	Affected Version
pkg:cargo/crossbeam-deque	< 0.8.1

Package	Fixed Version
pkg:cargo/crossbeam-deque	>= 0.7.4, < 0.8.0
pkg:cargo/crossbeam-deque	>= 0.8.1

ID

RUSTSEC-2021-0093

Severity

critical

Severity from

CVE-2021-32810

Impact

Memory Corruption

URL

https://rustsec.org/advisories/RUSTSEC-2021-0093.html

Published

2021-07-30T00:00:00
(3 years ago)

Modified

2021-10-19T22:14:35
(2 years ago)

Other Advisories

Source	# ID	URL
		https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw
crates.io	crossbeam-deque	https://crates.io/crates/crossbeam-deque
rustsec.org	crossbeam-deque	https://rustsec.org/packages/crossbeam-deque.html
Security Advisory	GHSA-pqqp-xmhj-wgcw	https://github.com/advisories/GHSA-pqqp-xmhj-wgcw

Type	Package URL	Name / Product	Version
Fixed	pkg:cargo/crossbeam-deque	crossbeam-deque	>= 0.7.4 < 0.8.0
Fixed	pkg:cargo/crossbeam-deque	crossbeam-deque	>= 0.8.1
Affected	pkg:cargo/crossbeam-deque	crossbeam-deque	< 0.8.1

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date