RUSTSEC-2020-0071: Potential segfault in the time crate #244
Comments
|
Looks like we may want to look into replacing
It will take a little digging to figure out if we can replace chrono easily. If we want to do this it will require a major version bump since we use the |
|
We don't directly depend on |
…`time::OffsetDateTime`. This change should not have any semantic meaning and is being done to address RUSTSEC-2020-0071 (see #244) and RUSTSEC-20200159 (see #245). This is a breaking API change because some result types include create/updated timestamps. Consumers of the library will need to add a direct dependency on `time`. Note that `chrono` already uses `time` internally, so this change should not bloat transitive dependencies. For those needing serialization support of `OffsetDateTime` timestamps, the `time` crate offers this support with the `serde` feature flag. One small point of friction here is rfc3339 support. `time` has this support on [a branch](time-rs/time#387) that is blocked on a rust feature hitting stable, so I copied in a few lines of code from that branch to support deserializing rfc3339 timestamps.
…`time::OffsetDateTime` (#249) * Removes `chrono` and usages of `DateTime<Utc>` and replaces them with`time::OffsetDateTime`. This change should not have any semantic meaning and is being done to address RUSTSEC-2020-0071 (see #244) and RUSTSEC-20200159 (see #245). This is a breaking API change because some result types include create/updated timestamps. Consumers of the library will need to add a direct dependency on `time`. Note that `chrono` already uses `time` internally, so this change should not bloat transitive dependencies. For those needing serialization support of `OffsetDateTime` timestamps, the `time` crate offers this support with the `serde` feature flag. One small point of friction here is rfc3339 support. `time` has this support on [a branch](time-rs/time#387) that is blocked on a rust feature hitting stable, so I copied in a few lines of code from that branch to support deserializing rfc3339 timestamps. * depend on our fork of jsonwebtoken * cargo fmt * lock to specific rev on jsonwebtoken fork * self review changes * Update to new jsonwebtoken Co-authored-by: Colt Frederickson <coltfred@gmail.com>
time0.1.43>=0.2.23=0.2.0,=0.2.1,=0.2.2,=0.2.3,=0.2.4,=0.2.5,=0.2.6Impact
Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
The affected functions from time 0.2.7 through 0.2.22 are:
time::UtcOffset::local_offset_attime::UtcOffset::try_local_offset_attime::UtcOffset::current_local_offsettime::UtcOffset::try_current_local_offsettime::OffsetDateTime::now_localtime::OffsetDateTime::try_now_localThe affected functions in time 0.1 (all versions) are:
atat_utcNon-Unix targets (including Windows and wasm) are unaffected.
Patches
Pending a proper fix, the internal method that determines the local offset has been modified to always return
Noneon the affected operating systems. This has the effect of returning anErron thetry_*methods andUTCon the non-try_*methods.Users and library authors with time in their dependency tree should perform
cargo update, which will pull in the updated, unaffected code.Users of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3. series.
Workarounds
No workarounds are known.
References
time-rs/time#293
See advisory page for additional details.
The text was updated successfully, but these errors were encountered: