Closed github-actions[bot] closed 2 years ago
Hi!
Is anyone currently looking at this issue? I'd be interested to get a fix for this in (and also for CVE-2020-26235, by replacing chrono
with a recent version of time
) and hopefully a release afterwards, as cargo audit
has been pestering us. Does this sound sensible?
This issue is really annoying ...
chrono
does not seems really maintainedtime
to chrono
in 559f7072d947ff4d37193b3834d00f90d22b5e80 mainly because time
broke compatibility in an upgrade and could not parse timezones anymore - I have not tested sincex509-parser
does not depend at all on time
, since chrono
has the feature disabled (see 59d3f598ee903714cb0cda1e0b874693cd65bca6)I do not fully get if x509-parser
is affected or not by this advisory (it does not call localtime_r
directly, but I'm not sure there is no indirect path), but for sure cargo-audit
is noisy about that :/
We have a similar problem - we don't know if anything in our call stack even touches localtime_r
. Something like this would've been helpful.
Are there any alternatives to chrono
, because I am having a problem where I can't use the crate due to cargo-audit
complaining. Security team won't allow it.
Are there any alternatives to
chrono
, because I am having a problem where I can't use the crate due tocargo-audit
complaining. Security team won't allow it.
I'm removing chrono
in the upcoming commits, at least for master
. I'll see if a backport is possible (not sure, this would break the API) or if a new major release is required.
Just adding a note, version 0.13.0 has been released and does not depend on chrono
anymore (now it uses time
).
chrono
0.4.19
Impact
Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
Workarounds
No workarounds are known.
References
See advisory page for additional details.