In Rust time crate from version 0.2.7 and before version 0.2.23, unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions. The affected functions are time::UtcOffset::local_offset_at, time::UtcOffset::try_local_offset_at, time::UtcOffset::current_local_offset, time::UtcOffset::try_current_local_offset, time::OffsetDateTime::now_local and time::OffsetDateTime::try_now_local. Non-Unix targets are unaffected. This includes Windows and wasm. The issue was introduced in version 0.2.7 and fixed in version 0.2.23.
CVE-2020-26235 - Medium Severity Vulnerability
chrono-0.4.15.crate
Date and time library for Rust
Library home page: https://crates.io/api/v1/crates/chrono/0.4.15/download
Path to dependency file: /third_party/rust_crates/vendor/gpt/Cargo.toml
Path to vulnerable library: /third_party/rust_crates/vendor/gpt/Cargo.toml
Dependency Hierarchy: - simplelog-0.8.0.crate (Root Library) - :x: **chrono-0.4.15.crate** (Vulnerable Library)
chrono-0.4.7.crate
Date and time library for Rust
Library home page: https://crates.io/api/v1/crates/chrono/0.4.7/download
Path to dependency file: /third_party/rust_crates/vendor/simplelog/Cargo.toml
Path to vulnerable library: /third_party/rust_crates/vendor/simplelog/Cargo.toml
Dependency Hierarchy: - :x: **chrono-0.4.7.crate** (Vulnerable Library)
chrono-0.4.11.crate
Date and time library for Rust
Library home page: https://crates.io/api/v1/crates/chrono/0.4.11/download
Path to dependency file: /third_party/rust_crates/Cargo.toml
Path to vulnerable library: /third_party/rust_crates/Cargo.toml
Dependency Hierarchy: - :x: **chrono-0.4.11.crate** (Vulnerable Library)
chrono-0.4.10.crate
Date and time library for Rust
Library home page: https://crates.io/api/v1/crates/chrono/0.4.10/download
Path to dependency file: /third_party/rust_crates/vendor/trust-dns-resolver/Cargo.toml
Path to vulnerable library: /third_party/rust_crates/vendor/trust-dns-resolver/Cargo.toml
Dependency Hierarchy: - trust-dns-https-0.19.2.crate (Root Library) - typed-headers-0.2.0.crate - :x: **chrono-0.4.10.crate** (Vulnerable Library)
Found in base branch: master
In Rust time crate from version 0.2.7 and before version 0.2.23, unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions. The affected functions are time::UtcOffset::local_offset_at, time::UtcOffset::try_local_offset_at, time::UtcOffset::current_local_offset, time::UtcOffset::try_current_local_offset, time::OffsetDateTime::now_local and time::OffsetDateTime::try_now_local. Non-Unix targets are unaffected. This includes Windows and wasm. The issue was introduced in version 0.2.7 and fixed in version 0.2.23.
Publish Date: 2020-11-24
URL: CVE-2020-26235
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2020-0071.html
Release Date: 2020-11-24
Fix Resolution: chrono - 0.4.20,time - 0.2.23
Step up your Open Source Security Game with Mend here