OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-08 04:27:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add Insufficient covariance check makes self_cell unsound (#1818)

Browse Source
This commit is contained in:
Lukas Bergdoll
2023-11-11 15:48:23 +01:00
committed by GitHub
parent 0f4e16f7cd
commit 0c128ba5cc
1 changed files with 24 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
crates/self_cell/RUSTSEC-0000-0000.md Normal file
View File

@@ -0,0 +1,24 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "self_cell"
date = "2023-11-10"
url = "https://github.com/Voultapher/self_cell/issues/49"
categories = []
keywords = ["unsound", "self_cell", "self-referential"]
[versions]
patched = [">= 0.10.3, < 1.0.0", ">= 1.0.2"]
```
# Insufficient covariance check makes self_cell unsound
All public versions prior to `1.02` used an insufficient check to ensure that
users correctly marked the dependent type as either `covariant` or
`not_covariant`. This allowed users to mark a dependent as covariant even though
its type was not covariant but invariant, for certain invariant types involving
trait object lifetimes. One example for such a dependent type is `type
Dependent<'a> = RefCell<Box<dyn fmt::Display + 'a>>`. Such a type allowed
unsound usage in purely safe user code that leads to undefined behavior. The
patched versions now produce a compile time error if such a type is marked as
`covariant`.