Deadlock Affecting github.com/rclone/rclone/vfs/vfscache/downloaders Open this link in a new tab package, versions <1.54.0
Attack Complexity
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications-
snyk-id
SNYK-GOLANG-GITHUBCOMRCLONERCLONEVFSVFSCACHEDOWNLOADERS-1244107
-
published
9 Apr 2021
-
disclosed
8 Apr 2021
-
credit
Unknown
Introduced: 8 Apr 2021
CWE-833 Open this link in a new tabHow to fix?
Upgrade github.com/rclone/rclone/vfs/vfscache/downloaders to version 1.54.0 or higher.
Overview
github.com/rclone/rclone/vfs/vfscache/downloaders is a rsync for cloud storage.
Affected versions of this package are vulnerable to Deadlock. The downloaders.Close() call acquires the downloaders' mutex before calling the wait group wait and the main downloaders' thread has a periodical (5 seconds interval) call to kick its waiters, and the waiter dispatch function tries to get the mutex. A deadlock can occur if the Close() call starts and gets the mutex, while the main downloader thread already got the timer's tick and proceeded to call kickWaiters. The deadlock happens when the Close call gets the mutex between the timer's kick and when the main downloaders' thread gets the mutex first.