diff --git a/crates/crossbeam/RUSTSEC-0000-0000.toml b/crates/crossbeam/RUSTSEC-0000-0000.toml
new file mode 100644
index 0000000..1f150f1
--- /dev/null
+++ b/crates/crossbeam/RUSTSEC-0000-0000.toml
@@ -0,0 +1,56 @@
+[advisory]
+# Identifier for the advisory (mandatory). Will be assigned a "RUSTSEC-YYYY-NNNN"
+# identifier e.g. RUSTSEC-2018-0001. Please use "RUSTSEC-0000-0000" in PRs.
+id = "RUSTSEC-0000-0000"
+
+# Name of the affected crate (mandatory)
+package = "crossbeam"
+
+# Disclosure date of the advisory as an RFC 3339 date (mandatory)
+date = "2018-12-09"
+
+# Single-line description of a vulnerability (mandatory)
+title = "MsQueue and SegQueue suffer from double-free"
+
+# Enter a short-form description of the vulnerability here (mandatory)
+description = """
+Even if an element is popped from a queue, crossbeam would run its
+destructor inside the epoch-based garbage collector. This is a source
+of double frees.
+
+The flaw was corrected by wrapping elements inside queues in a
+`ManuallyDrop`.
+
+Thanks to @c0gent for reporting the issue.
+"""
+
+# Versions which include fixes for this vulnerability (mandatory)
+patched_versions = [">= 0.4.1"]
+
+# Versions which were never vulnerable (optional)
+#unaffected_versions = ["< 1.1.0"]
+
+# URL to a long-form description of this issue, e.g. a GitHub issue/PR,
+# a change log entry, or a blogpost announcing the release (optional)
+url = "https://github.com/crossbeam-rs/crossbeam-epoch/issues/82"
+
+# Keywords which describe this vulnerability, similar to Cargo (optional)
+keywords = ["concurrency", "memory-management"]
+
+# Vulnerability aliases, e.g. CVE IDs (optional but recommended)
+# Request a CVE for your RustSec vulns: https://iwantacve.org/
+#aliases = ["CVE-2018-XXXX"]
+
+# References to related vulnerabilities (optional)
+# e.g. CVE for a C library wrapped by a -sys crate)
+#references = ["CVE-2018-YYYY", "CVE-2018-ZZZZ"]
+
+# CPU architectures impacted by this vulnerability (optional)
+# For a list of CPU architecture strings, see the "platforms" crate:
+#
+#affected_arch = ["x86", "x86_64"]
+
+# Operating systems impacted by this vulnerability (optional)
+# For a list of OS strings, see the "platforms" crate:
+#
+#affected_os = ["windows"]
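Review bot: `unaffected_versions` is left as the template's commented-out placeholder, so together with `patched_versions = [">= 0.4.1"]` the advisory reports every release below 0.4.1 as vulnerable, including any that predate the epoch-based queue implementation the description blames; if the double-free was introduced in a specific release, record the earlier range as `unaffected_versions = ["< FIRST_AFFECTED_VERSION"]` with the real version substituted. The `url` points at a crossbeam-epoch issue while `package` names `crossbeam`, so it would help readers to state in `description` which crate the `ManuallyDrop` fix landed in, and to confirm that crossbeam-epoch itself needs no separate advisory. The bare `#` lines under the `affected_arch` and `affected_os` comments look like the template's doc-link lines with the link missing; either restore the link or drop the empty comment lines so `taplo fmt` output stays tidy.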