Closed jmwample closed 10 months ago
Turns out this is not a solution to the security notice. However, while chrono imports the older version of time that is vulnerable, chrono itself shouldn't have that in any execution path according to
```
$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 562 security advisories (from /.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (126 crate dependencies)
Crate:     time
Version:   0.1.45
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Severity:  6.2 (medium)
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.45
└── chrono 0.4.27
    └── rust_dark_decoy 0.0.1

error: 1 vulnerability found!
```
The solution seems to be replacing chrono with the time crate.
```
$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 562 security advisories (from /.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (113 crate dependencies)
```
We can achieve equivalent logging with:
```rust
// Side-by-side comparison of the two crates. `time` needs the `macros` and
// `local-offset` features enabled in Cargo.toml for this to compile.
use chrono::Local;
use time::macros::format_description;
use time::OffsetDateTime;

fn main() {
    // chrono: `%f` is the fractional second in nanoseconds, `%z` is the
    // offset as +hhmm/-hhmm.
    let t = Local::now();
    let t_s = t.format("%Y-%m-%d %H:%M:%S.%f %z").to_string();
    println!("{t_s}");

    // time: `now_local()` returns Err when the local offset cannot be
    // determined (e.g. in a multi-threaded process on Unix), so the
    // unwrap() here will panic in that case.
    let t_1 = OffsetDateTime::now_local().unwrap();
    let formatter = format_description!(
        "[year]-[month]-[day] [hour]:[minute]:[second].[subsecond digits:9] [offset_hour][offset_minute]"
    );
    println!("{}", t_1.format(formatter).unwrap());
}
```
```
2023-08-30 15:15:40.956179666 -0600
2023-08-30 15:15:40.956287238 -0600
```
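As an added example (not code from this PR or from the conjure project): the same `YYYY-MM-DD HH:MM:SS.nnnnnnnnn +hhmm` log layout produced in UTC with plain integer arithmetic. Because the timestamp is never converted to local time, the code makes no time-zone call at all (the `libc::localtime_r` path is only reached when a local offset is needed) and pulls in neither `chrono` nor `time`. The function names and the sample instants in the comments are mine, not the project's.

```rust
use std::time::{SystemTime, UNIX_EPOCH};

/// Convert days since 1970-01-01 into a proleptic Gregorian (year, month, day).
/// Pure integer arithmetic (Howard Hinnant's civil_from_days), so no libc
/// time-zone routine is ever called.
fn civil_from_days(days: i64) -> (i64, u32, u32) {
    let z = days + 719_468;
    let era = (if z >= 0 { z } else { z - 146_096 }) / 146_097;
    let doe = (z - era * 146_097) as u64; // day of era, [0, 146096]
    let yoe = (doe - doe / 1460 + doe / 36_524 - doe / 146_096) / 365; // year of era, [0, 399]
    let y = yoe as i64 + era * 400;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100); // day of year, counted from 1 March
    let mp = (5 * doy + 2) / 153; // month index, 0 = March
    let d = (doy - (153 * mp + 2) / 5 + 1) as u32;
    let m = (if mp < 10 { mp + 3 } else { mp - 9 }) as u32;
    (if m <= 2 { y + 1 } else { y }, m, d)
}

/// Format a Unix instant (seconds, nanoseconds) as
/// "YYYY-MM-DD HH:MM:SS.nnnnnnnnn +0000": the PR's layout, but always UTC and
/// with an explicit sign on the offset. Returns None for an out-of-range
/// nanosecond field instead of emitting a malformed timestamp.
pub fn format_utc_timestamp(unix_secs: i64, nanos: u32) -> Option<String> {
    if nanos >= 1_000_000_000 {
        return None;
    }
    // div_euclid/rem_euclid keep pre-1970 instants correct (negative seconds).
    let days = unix_secs.div_euclid(86_400);
    let sod = unix_secs.rem_euclid(86_400); // seconds since midnight UTC
    let (y, m, d) = civil_from_days(days);
    Some(format!(
        "{:04}-{:02}-{:02} {:02}:{:02}:{:02}.{:09} +0000",
        y, m, d, sod / 3600, (sod % 3600) / 60, sod % 60, nanos
    ))
}

/// Timestamp for the current instant, as a logger would call it.
pub fn now_utc_timestamp() -> String {
    let dur = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .expect("system clock is before 1970");
    format_utc_timestamp(dur.as_secs() as i64, dur.subsec_nanos())
        .expect("subsec_nanos is always < 1e9")
}

fn main() {
    // Constructed instant: 1693430140 s = 2023-08-30 21:15:40 UTC, the same
    // moment as the "2023-08-30 15:15:40 -0600" lines above.
    println!("{}", format_utc_timestamp(1_693_430_140, 956_179_666).unwrap());
    println!("{}", now_utc_timestamp());
}
```

Logging in UTC sidesteps the question of where local-offset lookup happens entirely, and an explicit `+0000` keeps log lines parseable by the same regex as the `-0600` output above (note that `time`'s `[offset_hour]` omits the sign for a zero offset unless `sign:mandatory` is given). If local time really is required, treat a failed `now_local()` as a fallback-to-UTC case rather than unwrapping it.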
The dependency on the chrono crate in `src/logging.rs` for `Local::now()`, which returns a `DateTime`, and then the subsequent formatting mean that we import chrono. On some execution paths chrono calls `libc::localtime_r`, which can crash. I don't think that we run that execution path, but it isn't impossible. Hopefully updating to 0.4.27 fixes this. Chrono is a widely used datetime crate in Rust.
https://github.com/refraction-networking/conjure/security/dependabot/8