github-actions[bot] opened a new issue, #1192:
URL: https://github.com/apache/iceberg-rust/issues/1192

   
   > crossbeam-channel: double free on Drop
   
   | Details             |                                                |
   | ------------------- | ---------------------------------------------- |
   | Package             | `crossbeam-channel`                      |
   | Version             | `0.5.14`                   |
   | URL                 | [https://github.com/crossbeam-rs/crossbeam/pull/1187](https://github.com/crossbeam-rs/crossbeam/pull/1187) |
   | Date                | 2025-04-08                         |
   | Patched versions    | `>=0.5.15`                  |
   | Unaffected versions | `<=0.5.11`               |
   
   The internal `Channel` type's `Drop` method has a race
   which could, in some circumstances, lead to a double-free.
   This could result in memory corruption.
   
   Quoting from the
   [upstream description in merge request #1187](https://github.com/crossbeam-rs/crossbeam/pull/1187#issue-2980761131):
   
   > The problem lies in the fact that `discard_all_messages` contained two paths that could lead to `head.block` being read but only one of them would swap the value. This meant that `discard_all_messages` could end up observing a non-null block pointer (and therefore attempting to free it) without setting `head.block` to null. This would then lead to `Channel::drop` making a second attempt at dropping the same pointer.
   
   The bug was introduced while fixing a memory leak, in
   upstream [MR #1084](https://github.com/crossbeam-rs/crossbeam/pull/1084),
   first published in 0.5.12.
   
   The fix is in
   upstream [MR #1187](https://github.com/crossbeam-rs/crossbeam/pull/1187)
   and has been published in 0.5.15.
   
   See [advisory page](https://rustsec.org/advisories/RUSTSEC-2025-0024.html) for additional details.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

