RUSTSEC-2020-0151: Generators can cause data races if non-Send types are used in their generator functions

[github-actions[bot]]

Generators can cause data races if non-Send types are used in their generator functions

Details
Package	generator
Version	0.6.25
URL	https://github.com/Xudong-Huang/generator-rs/issues/27
Date	2020-11-16
Patched versions	>=0.7.0

The Generator type is an iterable which uses a generator function that yields values. In affected versions of the crate, the provided function yielding values had no Send bounds despite the Generator itself implementing Send.

The generator function lacking a Send bound means that types that are dangerous to send across threads such as Rc could be sent as part of a generator, potentially leading to data races.

This flaw was fixed in commit f7d120a3b by enforcing that the generator function be bound by Send.

See advisory page for additional details.

[sfackler]

As far as I can tell, this crate doesn't appear in tokio's dependency tree. Is the bot misconfigured?

[taiki-e]

this crate is a dependency of loom. https://github.com/tokio-rs/loom/blob/master/Cargo.toml#L34

(It only appears in the dependency tree if cfg(loom) is enabled.)

[carllerche]

I transferred the issue to loom