First published: Tue Nov 14 2023
All public versions prior to `1.0.2` (and, on the 0.10 line, prior to `0.10.3`) used an insufficient check to ensure that users correctly marked the dependent type as either `covariant` or `not_covariant`. The check accepted a `covariant` marking for certain dependent types that are in fact invariant, specifically types involving trait object lifetimes. One such type is `type Dependent<'a> = RefCell<Box<dyn fmt::Display + 'a>>`: `RefCell<T>` is invariant in `T`, so `'a` must never be shortened, yet the check did not reject the marking. With the wrong marking, purely safe user code could trigger undefined behavior. The patched versions produce a compile-time error if such a type is marked `covariant`.
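The variance point above, as an added illustration that is not part of the advisory or of self_cell's own code. It uses only `std`: the `Box<dyn Display + 'a>` form of the dependent type can have its lifetime shortened (it is covariant), the `RefCell` form cannot, and a shared reference to the `RefCell` form is enough to swap in a borrow of a short-lived local, which is why treating it as covariant is unsound. The helper names (`shorten_covariant`, `make_cell`, `replace_with_borrow`, `sound_use`, `covariant_demo`) are assumptions of this example; self_cell's own check, and why it failed for this type, is not reproduced here.

```rust
use std::cell::RefCell;
use std::fmt;

// The dependent type named in the advisory. RefCell<T> is invariant in T,
// so Dependent<'long> must never be usable as Dependent<'short>.
type Dependent<'a> = RefCell<Box<dyn fmt::Display + 'a>>;

// The same trait object without interior mutability. Box<T> is covariant
// in T and `dyn Display + 'long` is a subtype of `dyn Display + 'short`,
// so this type really is covariant and may be marked as such.
type CovariantDependent<'a> = Box<dyn fmt::Display + 'a>;

// Covariance in one function: the body is just `d`, and the compiler
// accepts the shortening of 'long to 'short.
fn shorten_covariant<'short, 'long: 'short>(
    d: CovariantDependent<'long>,
) -> CovariantDependent<'short> {
    d
}

// The same function over the RefCell type does not compile, which is why
// it is left as a comment. This rejection is exactly what a wrong
// `covariant` marking bypasses:
//
// fn shorten_invariant<'short, 'long: 'short>(d: Dependent<'long>) -> Dependent<'short> {
//     d // error[E0308]: lifetime mismatch
// }

// Hypothetical constructor for this example: the cell starts out holding a
// borrowed &'a str behind the trait object.
fn make_cell<'a>(initial: &'a str) -> Dependent<'a> {
    RefCell::new(Box::new(initial) as Box<dyn fmt::Display + 'a>)
}

// Why invariance matters: through a shared reference anyone can swap in a
// value that borrows only for 'a. If Dependent<'long> could be viewed as
// Dependent<'short>, a caller could store a borrow of a short-lived local
// into a cell whose owner believes the contents live for 'long.
fn replace_with_borrow<'a>(cell: &Dependent<'a>, short_lived: &'a str) {
    cell.replace(Box::new(short_lived));
}

// Sound use: `owner` is declared before `cell`, so it is dropped after it
// and the borrow stored in the cell never dangles.
fn sound_use() -> String {
    let owner = String::from("outlives the cell");
    let cell = make_cell("initial value");
    replace_with_borrow(&cell, &owner);
    let out = cell.borrow().to_string();
    out
}

// The sequence a wrongly `covariant` Dependent would permit, kept as a
// comment because plain RefCell (correctly) refuses to compile it:
//
//   let cell: Dependent<'static> = make_cell("initial value");
//   {
//       let short = String::from("freed at the end of this block");
//       replace_with_borrow(&cell, &short); // needs Dependent<'static> as Dependent<'short>
//   }
//   let _ = cell.borrow().to_string();      // would read freed memory

// The covariant type, shortened and still usable afterwards.
fn covariant_demo() -> String {
    let long_lived: CovariantDependent<'static> = Box::new(7u8);
    let shortened: CovariantDependent<'_> = shorten_covariant(long_lived);
    shortened.to_string()
}

fn main() {
    println!("covariant: {}", covariant_demo());
    println!("invariant, sound use: {}", sound_use());
}
```

The practical takeaway for users of the crate: if the dependent type contains `RefCell`, `Cell`, `&mut`, `UnsafeCell`, or anything else invariant in the borrowed data, mark it `not_covariant`; the patched versions turn the wrong choice into a compile error, the affected versions did not for the trait-object case above.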
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rust/self_cell | >=1.0.0, <1.0.2 | 1.0.2 |
| rust/self_cell | <0.10.3 | 0.10.3 |
The vulnerability ID is GHSA-48m6-wm5p-rr6h (RustSec: RUSTSEC-2023-0070).
Affected: self_cell >=1.0.0, <1.0.2 and all versions prior to 0.10.3.
To fix this vulnerability, update to version 1.0.2 or higher; on the 0.10 line, update to 0.10.3 or higher.
References: [GitHub issue #49](https://github.com/Voultapher/self_cell/issues/49), [RustSec advisory RUSTSEC-2023-0070](https://rustsec.org/advisories/RUSTSEC-2023-0070.html), [GitHub advisory GHSA-48m6-wm5p-rr6h](https://github.com/advisories/GHSA-48m6-wm5p-rr6h).