Closed github-actions[bot] closed 2 years ago
Looks like we may want to look into replacing chrono
with time 0.3 according to: https://github.com/chronotope/chrono/issues/602
chrono
is going to open a CVE as well since it is doing something similar to time
(in addition to actually depending on time
). I suspect this will start a mass transition away from chrono
.
It will take a little digging to figure out if we can replace chrono easily. If we want to do this it will require a major version bump since we use the chrono::DateTime
type in our public API.
We don't directly depend on time
and our usages of chrono aren't doing anything with localtime, so we probably aren't affected. I still think replacing our usages of chrono
is worth consideration. We'll see if chrono fixes their issue in a timely manner or not, I guess.
time
0.1.43
>=0.2.23
=0.2.0,=0.2.1,=0.2.2,=0.2.3,=0.2.4,=0.2.5,=0.2.6
Impact
Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
The affected functions from time 0.2.7 through 0.2.22 are:
time::UtcOffset::local_offset_at
time::UtcOffset::try_local_offset_at
time::UtcOffset::current_local_offset
time::UtcOffset::try_current_local_offset
time::OffsetDateTime::now_local
time::OffsetDateTime::try_now_local
The affected functions in time 0.1 (all versions) are:
at
at_utc
Non-Unix targets (including Windows and wasm) are unaffected.
Patches
Pending a proper fix, the internal method that determines the local offset has been modified to always return
None
on the affected operating systems. This has the effect of returning anErr
on thetry_*
methods andUTC
on the non-try_*
methods.Users and library authors with time in their dependency tree should perform
cargo update
, which will pull in the updated, unaffected code.Users of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3. series.
Workarounds
No workarounds are known.
References
time-rs/time#293
See advisory page for additional details.