Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Crossbeam AtomicCell<*64> Soundness #1203

Closed
Firstyear opened this issue Mar 2, 2022 · 2 comments · Fixed by #1304
Closed

Crossbeam AtomicCell<*64> Soundness #1203

Firstyear opened this issue Mar 2, 2022 · 2 comments · Fixed by #1304
Labels
Unsound Informational / Unsound

Comments

@Firstyear
Copy link

crossbeam released a security update for 0.8.7. It would be good to have this in rustsec.

GHSA-qc84-gqf4-9926
@pinkforest pinkforest mentioned this issue Jul 31, 2022
Merged
@pinkforest
Copy link
Contributor

pinkforest commented Jul 31, 2022
edited
Loading

GHSA are on CC-BY-4.0 and RustSec is on Public Domain
Luckily there was CVE-2022-23639 we can use.

Would you like to send a PR ?

Just please ensure the contents are from CVE source (can still link to GHSA though)

Or I can do later -

Cheers

Stats:

Crate: crossbeam-utils

Total all versions 75,264,545 downloads - ~120k a day

0.8.7 - 7k downloads a day - 2.8M total all time

Affected is all < 0.8.7

0.8 release stream is yanked
0.7.2 - 15k downloads a day - 16.5M total all time
0.7.1 - yanked
0.7.0 - 600 downloads a day - 2.6M total
0.6.6 - 2.6k downloads a day

Semver 0.7 seems to have got stuck on people's manifests 0.7.2 stuck in

Time to parse ecosystem manifests who are the biggest 0.7 users and try to get big downstreamers to semver up their manifests

@pinkforest pinkforest changed the title Assign rustsec id to GHSA-qc84-gqf4-9926 Crossbeam AtomicCell<*64> Soundess Aug 4, 2022
@pinkforest pinkforest added the Unsound Informational / Unsound label Aug 4, 2022
@pinkforest
Copy link
Contributor

The maintainer has released the advisory on Public domain
crossbeam-rs/crossbeam#781 (comment)

I will sketch a PR

@pinkforest pinkforest changed the title Crossbeam AtomicCell<*64> Soundess Crossbeam AtomicCell<*64> Soundness Aug 4, 2022
pinkforest added a commit to pinkforest/advisory-db that referenced this issue Aug 4, 2022
@pinkforest
Add Crossbeam AtomicCell<*64> Soundness rustsec#1203
7cf343e
@pinkforest pinkforest mentioned this issue Aug 4, 2022
Merged
pinkforest added a commit that referenced this issue Aug 4, 2022
@pinkforest
Add Crossbeam AtomicCell<*64> Soundness #1203 (#1304)
3ee71b8 
* Add Crossbeam AtomicCell<*64> Soundness #1203
* Address @amousset feedback
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Unsound Informational / Unsound
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add Crossbeam AtomicCell<*64> Soundness #1203 pinkforest/advisory-db
2 participants
@Firstyear @pinkforest