{"id":"RUSTSEC-2022-0012","summary":"Arrow2 allows double free in `safe` code","details":"The struct `Ffi_ArrowArray` implements `#derive(Clone)` that is inconsistent with\nits custom implementation of `Drop`, resulting in a double free when cloned.\n\nCloning this struct in `safe` results in a segmentation fault, which is unsound.\n\nThis derive was removed from this struct. All users are advised to either:\n* bump the patch version of this crate (for versions `v0.7,v0.8,v0.9`), or\n* migrate to a more recent version of  the crate (when using `\u003c0.7`).\n\nDoing so elimitates this vulnerability (code no longer compiles).","aliases":["GHSA-5j8w-r7g8-5472"],"modified":"2023-11-08T04:15:47.037496Z","published":"2022-03-04T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/arrow2"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2022-0012.html"},{"type":"REPORT","url":"https://github.com/jorgecarleitao/arrow2/issues/880"}],"affected":[{"package":{"name":"arrow2","ecosystem":"crates.io","purl":"pkg:cargo/arrow2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.7.1"},{"introduced":"0.8.0"},{"fixed":"0.8.2"},{"introduced":"0.9.0"},{"fixed":"0.9.2"},{"introduced":"0.10.0"},{"fixed":"0.10.0"}]}],"ecosystem_specific":{"affects":{"arch":[],"os":[],"functions":[]},"affected_functions":null},"database_specific":{"informational":null,"categories":["memory-corruption"],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0012.json","cvss":null}}],"schema_version":"1.7.3"}