Update RUSTSEC-0000-0000.md

Clarification
rustsec · Jan 23, 2025 · 09303e9 · 09303e9
1 parent ece1d78
commit 09303e9
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/crates/openssl-probe/RUSTSEC-0000-0000.md b/crates/openssl-probe/RUSTSEC-0000-0000.md
@@ -25,8 +25,15 @@ patched = [">= 0.1.6"]
 
 `openssl-probe` offers non-`unsafe` methods that call `std::env::set_var`, which may be called
 in a multithreaded environment, and potentially clash with environment access on other threads.
-
-When these methods are called while other threads are active and accessing the environment, it
+In pure Rust code, concurrent read and write access to the environment is actually safe due to a lock
+taken in the platform implementations of the environment accessors (the documentation does not
+state this, and it's possible it _could_ change in the future). Libraries using other runtimes
+(including Python, those written in pure C and others) do not make use of these internal Rust
+environment locks, however, and instead use their own locks, or unprotected raw access to `libc`'s 
+`getenv`, `setenv`, or even worse, `char** environ`.
+
+When these methods in `openssl-probe` (or that matter, any other pure Rust code calling `std::env::set_env`)
+are called while other threads are active and accessing the environment, it
 may cause other threads to access dangling environment pointers in the cases where the underlying
 environment data is moved or resized in response to an additional environment variable being
 added, or a variable's contents being enlarged.