[Pkg-rust-maintainers] Bug#1103988: rust-tokio: RUSTSEC-2025-0023: Broadcast channel calls clone in parallel, but does not require Sync
Salvatore Bonaccorso
carnil at debian.org
Wed Apr 23 16:15:43 BST 2025
Source: rust-tokio
Version: 1.43.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/tokio-rs/tokio/pull/7232
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi
As reported in https://github.com/tokio-rs/tokio/pull/7232 and
https://rustsec.org/advisories/RUSTSEC-2025-0023.html:
| The broadcast channel internally calls clone on the stored value when
| receiving it, and only requires T:Send. This means that using the
| broadcast channel with values that are Send but not Sync can trigger
| unsoundness if the clone implementation makes use of the value being
| !Sync.
Regards,
Salvatore
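
The condition the advisory describes, as an added example that is not part of the original report, the advisory, or tokio's code: a payload that is Send but !Sync, and a caller-side guard that makes it safe to clone from several threads at once. It uses only the standard library; `Tracked`, `Guarded`, `require_send_sync` and `parallel_clone_count` are hypothetical names, and the wrapper is a user-side precaution, not the upstream fix.

```rust
use std::cell::Cell;
use std::sync::Mutex;
use std::thread;

// Constructed payload: Send but !Sync. Its Clone writes to a Cell through
// &self with no synchronization, which is only sound on a single thread.
struct Tracked {
    data: u64,
    clones: Cell<u64>,
}

impl Clone for Tracked {
    fn clone(&self) -> Self {
        self.clones.set(self.clones.get() + 1); // unsynchronized write via &self
        Tracked { data: self.data, clones: Cell::new(0) }
    }
}

// Hypothetical wrapper: Mutex<T> is Sync whenever T: Send, and clone() takes
// the lock, so the inner clone never runs on two threads at the same time.
struct Guarded<T>(Mutex<T>);
impl<T: Clone> Clone for Guarded<T> {
    fn clone(&self) -> Self {
        let inner = self.0.lock().unwrap_or_else(|e| e.into_inner());
        Guarded(Mutex::new((*inner).clone()))
    }
}

// Compile-time gate to apply to a type before using it as a channel payload.
fn require_send_sync<T: Send + Sync>() {}

// Clone one shared value from `threads` threads, as concurrent receivers
// would, and return the clone count recorded by the original.
fn parallel_clone_count(threads: u64) -> u64 {
    require_send_sync::<Guarded<Tracked>>();
    // require_send_sync::<Tracked>(); // does not compile: Cell<u64> is !Sync
    let shared = Guarded(Mutex::new(Tracked { data: 7, clones: Cell::new(0) }));
    thread::scope(|s| {
        for _ in 0..threads {
            s.spawn(|| {
                let copy = shared.clone();
                assert_eq!(copy.0.lock().unwrap().data, 7);
            });
        }
    });
    let count = shared.0.lock().unwrap().clones.get();
    count
}

fn main() { println!("clones recorded: {}", parallel_clone_count(8)); }
```

Uncommenting the `require_send_sync::<Tracked>()` line turns the unsound case into a build error, which is the check to run over payload types in code that depends on an affected version.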