[Pkg-rust-maintainers] Bug#993146: rust-crossbeam-deque: CVE-2021-32810
Moritz Mühlenhoff
jmm at inutil.org
Fri Aug 27 22:11:55 BST 2021
Source: rust-crossbeam-deque
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for rust-crossbeam-deque.
CVE-2021-32810[0]:
| crossbeam-deque is a package of work-stealing deques for building task
| schedulers when programming in Rust. In versions prior to 0.7.4 and
| 0.8.0, the result of the race condition is that one or more tasks in
| the worker queue can be popped twice instead of other tasks that are
| forgotten and never popped. If tasks are allocated on the heap, this
| can cause double free and a memory leak. If not, this still can cause
| a logical bug. Crates using `Stealer::steal`, `Stealer::steal_batch`,
| or `Stealer::steal_batch_and_pop` are affected by this issue. This has
| been fixed in crossbeam-deque 0.8.1 and 0.7.4.
https://rustsec.org/advisories/RUSTSEC-2021-0093.html
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-32810
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32810
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-rust-maintainers
mailing list