CVE-2020-15254

2020-10-1617:15:00

Debian Security Bug Tracker

security-tracker.debian.org

0.005 Low

EPSS

Percentile

76.1%

JSON

Crossbeam is a set of tools for concurrent programming. In crossbeam-channel before version 0.4.4, the bounded channel incorrectly assumes that Vec::from_iter has allocated capacity that same as the number of iterator elements. Vec::from_iter does not actually guarantee that and may allocate extra memory. The destructor of the bounded channel reconstructs Vec from the raw pointer based on the incorrect assumes described above. This is unsound and causing deallocation with the incorrect capacity when Vec::from_iter has allocated different sizes with the number of iterator elements. This has been fixed in crossbeam-channel 0.4.4.

OSVersionArchitecturePackageVersionFilename
Debian999allfirefox< 82.0-1firefox_82.0-1_all.deb
Debian12allrust-crossbeam-channel< 0.5.6-1rust-crossbeam-channel_0.5.6-1_all.deb
Debian11allrust-crossbeam-channel< 0.4.4-1rust-crossbeam-channel_0.4.4-1_all.deb
Debian10allrust-crossbeam-channel< 0.3.8-1rust-crossbeam-channel_0.3.8-1_all.deb
Debian999allrust-crossbeam-channel< 0.5.11-1rust-crossbeam-channel_0.5.11-1_all.deb
Debian13allrust-crossbeam-channel< 0.5.11-1rust-crossbeam-channel_0.5.11-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	999	all	firefox	< 82.0-1	firefox_82.0-1_all.deb
Debian	12	all	rust-crossbeam-channel	< 0.5.6-1	rust-crossbeam-channel_0.5.6-1_all.deb
Debian	11	all	rust-crossbeam-channel	< 0.4.4-1	rust-crossbeam-channel_0.4.4-1_all.deb
Debian	10	all	rust-crossbeam-channel	< 0.3.8-1	rust-crossbeam-channel_0.3.8-1_all.deb
Debian	999	all	rust-crossbeam-channel	< 0.5.11-1	rust-crossbeam-channel_0.5.11-1_all.deb
Debian	13	all	rust-crossbeam-channel	< 0.5.11-1	rust-crossbeam-channel_0.5.11-1_all.deb