Add qcell crate advisory (#1171)

Co-authored-by: Jim Peters <jim@uazu.net>
2025-12-29 15:56:07 +01:00 · 2022-01-24 12:38:17 -05:00
parent 9839c6ee0f
commit 3c8a9dc31d
1 changed files with 26 additions and 0 deletions
--- a/crates/qcell/RUSTSEC-0000-0000.md
+++ b/crates/qcell/RUSTSEC-0000-0000.md
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "qcell"
+date = "2022-01-24"
+url = "https://github.com/uazu/qcell/issues/20"
+informational = "unsound"
+keywords = ["unsound"]
+
+[versions]
+patched = [">= 0.4.3"]
+
+```
+
+# A malicious coder can get unsound access to TCell or TLCell memory
+
+This is impossible to do by accident, but by carefully constructing
+marker types to be covariant, a malicious coder can cheat the
+singleton check in `TCellOwner` and `TLCellOwner`, giving unsound
+access to cell memory.  This could take the form of getting two
+mutable references to the same memory, or a mutable reference and an
+immutable reference.
+
+The fix is for the crate to internally force the marker type to be
+invariant.  This blocks the conversion between covariant types which
+Rust normally allows.