Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

time/iana-time-zone 0.1.45 suffer from CVE-2020-26235 #1002

Closed
nyetwurk opened this issue Mar 28, 2023 · 12 comments
Closed

time/iana-time-zone 0.1.45 suffer from CVE-2020-26235 #1002

nyetwurk opened this issue Mar 28, 2023 · 12 comments

Comments

@nyetwurk
Copy link

The iana-time-zone dependency on fixed version 0.1.45 makes it impossible to fix CVE-2020-26235
@nyetwurk
Copy link
Author 


updater | 2023/03/28 16:34:14 INFO <job_634926950> Checking if time 0.1.45 needs updating
  proxy | 2023/03/28 16:34:14 [016] GET https://crates.io:443/api/v1/crates/time
  proxy | 2023/03/28 16:34:14 [016] 200 https://crates.io:443/api/v1/crates/time
updater | 2023/03/28 16:34:15 INFO <job_634926950> Latest version is 0.3.20
  proxy | 2023/03/28 16:34:15 [018] GET https://static.rust-lang.org:443/dist/channel-rust-1.60.0.toml.sha256
  proxy | 2023/03/28 16:34:15 [018] 200 https://static.rust-lang.org:443/dist/channel-rust-1.60.0.toml.sha256
  proxy | 2023/03/28 16:34:15 [020] GET https://static.rust-lang.org:443/dist/channel-rust-1.60.0.toml
  proxy | 2023/03/28 16:34:15 [020] 200 https://static.rust-lang.org:443/dist/channel-rust-1.60.0.toml
  proxy | 2023/03/28 16:34:15 [022] GET https://static.rust-lang.org:443/dist/channel-rust-1.60.0.toml.asc
  proxy | 2023/03/28 16:34:15 [022] 200 https://static.rust-lang.org:443/dist/channel-rust-1.60.0.toml.asc
  proxy | 2023/03/28 16:34:15 [024] GET https://static.rust-lang.org:443/dist/2022-04-07/cargo-1.60.0-x86_64-unknown-linux-gnu.tar.xz
  proxy | 2023/03/28 16:34:15 [024] 200 https://static.rust-lang.org:443/dist/2022-04-07/cargo-1.60.0-x86_64-unknown-linux-gnu.tar.xz
  proxy | 2023/03/28 16:34:16 [026] GET https://static.rust-lang.org:443/dist/2022-04-07/rust-std-1.60.0-x86_64-unknown-linux-gnu.tar.xz
  proxy | 2023/03/28 16:34:16 [026] 200 https://static.rust-lang.org:443/dist/2022-04-07/rust-std-1.60.0-x86_64-unknown-linux-gnu.tar.xz
  proxy | 2023/03/28 16:34:16 [028] GET https://static.rust-lang.org:443/dist/2022-04-07/rustc-1.60.0-x86_64-unknown-linux-gnu.tar.xz
  proxy | 2023/03/28 16:34:16 [028] 200 https://static.rust-lang.org:443/dist/2022-04-07/rustc-1.60.0-x86_64-unknown-linux-gnu.tar.xz
  proxy | 2023/03/28 16:34:28 [030] GET https://github.com:443/rust-lang/crates.io-index/info/refs?service=git-upload-pack
  proxy | 2023/03/28 16:34:28 [030] * authenticating git server request (host: github.com)
  proxy | 2023/03/28 16:34:28 [030] 200 https://github.com:443/rust-lang/crates.io-index/info/refs?service=git-upload-pack
  proxy | 2023/03/28 16:34:28 [032] POST https://github.com:443/rust-lang/crates.io-index/git-upload-pack
  proxy | 2023/03/28 16:34:28 [032] * authenticating git server request (host: github.com)
  proxy | 2023/03/28 16:34:28 [032] 200 https://github.com:443/rust-lang/crates.io-index/git-upload-pack
  proxy | 2023/03/28 16:35:17 [034] GET https://api.github.com:443/repos/rust-lang/crates.io-index/commits/HEAD
  proxy | 2023/03/28 16:35:17 [034] * authenticating github api request
  proxy | 2023/03/28 16:35:17 [034] 200 https://api.github.com:443/repos/rust-lang/crates.io-index/commits/HEAD
  proxy | 2023/03/28 16:35:17 [036] GET https://github.com:443/rust-lang/crates.io-index/info/refs?service=git-upload-pack
  proxy | 2023/03/28 16:35:17 [036] * authenticating git server request (host: github.com)
  proxy | 2023/03/28 16:35:17 [036] 200 https://github.com:443/rust-lang/crates.io-index/info/refs?service=git-upload-pack
  proxy | 2023/03/28 16:35:17 [038] POST https://github.com:443/rust-lang/crates.io-index/git-upload-pack
  proxy | 2023/03/28 16:35:17 [038] * authenticating git server request (host: github.com)
  proxy | 2023/03/28 16:35:17 [038] 200 https://github.com:443/rust-lang/crates.io-index/git-upload-pack
updater | 2023/03/28 16:35:20 INFO <job_634926950> Requirements to unlock update_not_possible
updater | 2023/03/28 16:35:20 INFO <job_634926950> Requirements update strategy bump_versions
updater | 2023/03/28 16:35:20 INFO <job_634926950> The latest possible version of time that can be installed is 0.1.45
updater | 2023/03/28 16:35:20 INFO <job_634926950> The earliest fixed version is 0.2.0.

@djc
Copy link
Member

djc commented Mar 28, 2023

This is about time, not iana-time-zone. See #602.

@djc djc closed this as not planned Won't fix, can't repro, duplicate, stale Mar 28, 2023
@nyetwurk
Copy link
Author

https://github.com/Blockdaemon/solana-accountsdb-plugin-kafka/security/dependabot/1 for reference

@nyetwurk
Copy link
Author 

$ cargo update -v -p time --precise 0.3.20
    Updating crates.io index
error: failed to select a version for the requirement `time = "^0.1.43"`
candidate versions found which didn't match: 0.3.20
location searched: crates.io index
required by package `chrono v0.4.24`
    ... which satisfies dependency `chrono = "^0.4.11"` (locked to 0.4.24) of package `solana-config-program v1.14.16`
    ... which satisfies dependency `solana-config-program = "=1.14.16"` (locked to 1.14.16) of package `solana-account-decoder v1.14.16`
    ... which satisfies dependency `solana-account-decoder = "=1.14.16"` (locked to 1.14.16) of package `solana-transaction-status v1.14.16`
    ... which satisfies dependency `solana-transaction-status = "=1.14.16"` (locked to 1.14.16) of package `solana-accountsdb-plugin-kafka v0.1.4+solana.1.14.16 (/Users/nyet/src/blockdaemon/solana-accountsdb-plugin-kafka)`

@nyetwurk
Copy link
Author

#602 (comment)
I see.

@nyetwurk
Copy link
Author

#602 (comment)

@nyetwurk
Copy link
Author

nyetwurk commented Mar 28, 2023
edited
Loading

In any case, looks like the best solution (which is what many others are doing) is to simply not use chrono.

@djc
Copy link
Member

djc commented Mar 28, 2023

I mean, you could certainly use time. But also know that the advisory is actually irrelevant here -- chrono does not use the vulnerable parts of the time 0.1.45 package, so there's actually no issue here. Unfortunately due to compatibility issues we cannot just easily drop it.

@nyetwurk
Copy link
Author

Yes, i understand the advisory does not apply.

@mickvangelderen
Copy link

@djc if this CVE does not affect chrono, should it be added to

chrono/deny.toml

Lines 5 to 10 in daa86a7

[advisories]
ignore = [
"RUSTSEC-2020-0071", # time 0.1, doesn't affect the API we use
"RUSTSEC-2021-0145", # atty (dev-deps only, dependency of criterion)
"RUSTSEC-2022-0004", # rustc_serialize, cannot remove due to compatibility
]
?

@esheppa
Copy link
Collaborator

esheppa commented Mar 30, 2023

@nyetwurk in the short term you could use a [patch.crates-io] to depend on the main branch of chrono, which will eventually become the 0.5 version (this will only work if your dependencies don't themselves depend on chrono due to breaking changes). You can follow #970 for updates on the 0.5 release

@esheppa
Copy link
Collaborator

esheppa commented Mar 30, 2023

@mickvangelderen - I believe this will only stop the warning in our own CI runs, but not in others

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@djc @nyetwurk @mickvangelderen @esheppa