Security Finding: Update package `crossbeam-channel`

XMLWordPrintableJSON

      Priority from VULN: Medium
      This is a copy of the linked VULN ticket issue. You only need to update this ticket and the VULN ticket will be synced accordingly.

      Vulnerability Details

      The following vulnerabilities were found in the third party component pkg:cargo/crossbeam-channel@0.5.14 used in the repo: https://github.com/10gen/schema-manager-rs:

      CVE Severity CVSS Fixed Version(s)
      GHSA-pg9f-39pc-qf8g Medium 6 crossbeam-channel:0.5.15

      You are responsible for fixing it by and ensuring the fix is released, if required, by the relevant Due Date.

      • A new release is required if the finding is on a stable branch that customers may be using. Stable branches refer to any branch excluding main or master, for products that do not trigger releases directly from main or master branches.

      How do I fix this?
      You need to update the package to a version that does not contain the vulnerability. Please reference the Fixed Version(s) column above for options. If there are multiple CVEs, updating to the latest fixed version that addresses all CVEs is recommended.If you are still unable to find a fixed version or need additional assistance, please reach out in the #secure-sdlc-program channel.

      References:

      Tool Description: The internal `Channel` type's `Drop` method has a race
      which could, in some circumstances, lead to a double-free.
      This could result in memory corruption.

      Quoting from the
      upstream description in merge request #1187(https://github.com/crossbeam-rs/crossbeam/pull/1187#issue-2980761131):

      > The problem lies in the fact that `dicard_all_messages` contained two paths that could lead to `head.block` being read but only one of them would swap the value. This meant that `dicard_all_messages` could end up observing a non-null block pointer (and therefore attempting to free it) without setting `head.block` to null. This would then lead to `Channel::drop` making a second attempt at dropping the same pointer.

      The bug was introduced while fixing a memory leak, in
      upstream MR #1084(https://github.com/crossbeam-rs/crossbeam/pull/1084),
      first published in 0.5.12.

      The fix is in
      upstream MR #1187(https://github.com/crossbeam-rs/crossbeam/pull/1187)
      and has been published in 0.5.15

      🔥 Please see go/vuln-flow for detailed guidance.

            Assignee:
            Nathan Leniz
            Reporter:
            Mothra Jira Bot
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: