Race Condition Affecting windows package, versions <0.32.0


Severity: 0.0 medium

Snyk CVSS

  • Attack Complexity: High
  • Scope: Changed

  • Snyk ID SNYK-RUST-WINDOWS-2395467
  • published 7 Feb 2022
  • disclosed 2 Jan 2022
  • credit nico-abram

Introduced: 2 Jan 2022

CVE NOT AVAILABLE, CWE-362

How to fix?

Upgrade windows to version 0.32.0 or higher.

Overview

windows is a Windows crate that lets you call any Windows API, past, present, and future, using code generated on the fly directly from the metadata describing the API and placed right into your Rust package, where you can call the APIs as if they were just another Rust module. The Rust language projection follows in the tradition established by C++/WinRT of building language projections for Windows using standard languages and compilers, providing a natural and idiomatic way for Rust developers to call Windows APIs.

Affected versions of this package are vulnerable to a Race Condition because event handlers are not required to have a Send bound, even though there is no guarantee that they are called on any particular thread. This allows safe code to send !Send types from one thread to another, which can potentially lead to data races and undefined behavior.
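The following is an added example, not code from the windows crate or from this advisory. It shows the Send bound doing its job on an event source whose handlers run on a different thread from the one that registered them. `EventSource`, `add_handler`, `raise_from_other_thread` and `count_events` are hypothetical names chosen for illustration.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::{Arc, Mutex};
use std::thread;

// Hypothetical handler type: `Send` is part of the type, so every stored
// handler is known to be safe to move to (and run on) another thread.
type Handler = Box<dyn FnMut(u32) + Send + 'static>;

pub struct EventSource {
    handlers: Arc<Mutex<Vec<Handler>>>,
}

impl EventSource {
    pub fn new() -> Self {
        EventSource { handlers: Arc::new(Mutex::new(Vec::new())) }
    }

    // The `Send` bound is the safeguard the advisory describes as missing:
    // it stops closures that capture !Send state from being registered.
    pub fn add_handler<F: FnMut(u32) + Send + 'static>(&self, f: F) {
        self.handlers.lock().unwrap().push(Box::new(f));
    }

    // Raise the event `n` times from a new thread, modelling a runtime that
    // gives no guarantee about which thread calls the handlers.
    pub fn raise_from_other_thread(&self, n: u32) {
        let handlers = Arc::clone(&self.handlers);
        let worker = thread::spawn(move || {
            for i in 0..n {
                for h in handlers.lock().unwrap().iter_mut() {
                    (*h)(i);
                }
            }
        });
        worker.join().unwrap();
    }
}

// Registers a handler with thread-safe captured state and returns the hit count.
pub fn count_events(n: u32) -> usize {
    let source = EventSource::new();
    let hits = Arc::new(AtomicUsize::new(0)); // Send + Sync: accepted
    let in_handler = Arc::clone(&hits);
    source.add_handler(move |_| { in_handler.fetch_add(1, Ordering::SeqCst); });
    // let rc = std::rc::Rc::new(std::cell::Cell::new(0));
    // source.add_handler(move |_| rc.set(rc.get() + 1)); // compile error: `Rc` is not `Send`
    source.raise_from_other_thread(n);
    hits.load(Ordering::SeqCst)
}

fn main() { println!("handler calls: {}", count_events(5)); }
```

Uncommenting the two `Rc` lines makes the build fail, which is the compile-time rejection that a handler API without the Send bound does not give.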