Bug 1973226 - Crate depends on a vulnerable version of time.
Status: NEW (Open)
Opened 1 day ago, updated 22 hours ago
Product/Component: Core :: Graphics: WebRender (task)
Reporter: Sylvestre; Assigned: Sylvestre
References: Blocks 1 open bug
used by wr:
Advisory:
Potential segfault in the time crate
Package: time
ID: RUSTSEC-2020-0071
CVSS: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Report date: 2020-11-18
### Impact
The affected functions set environment variables without synchronization. On Unix-like operating systems, this can crash in multithreaded programs. Programs may segfault due to dereferencing a dangling pointer if an environment variable is read in a different thread than the affected functions. This may occur without the user's knowledge, notably in the Rust standard library or third-party libraries.
The affected functions from time 0.2.7 through 0.2.22 are:
- `time::UtcOffset::local_offset_at`
- `time::UtcOffset::try_local_offset_at`
- `time::UtcOffset::current_local_offset`
- `time::UtcOffset::try_current_local_offset`
- `time::OffsetDateTime::now_local`
- `time::OffsetDateTime::try_now_local`
The affected functions in time 0.1 (all versions) are:
- `time::at_utc`
- `time::at`
- `time::now`
- `time::tzset`
Non-Unix targets (including Windows and wasm) are unaffected.
### Patches
Pending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.
Users and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.
Users of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.
### Workarounds
A possible workaround for crates affected through the transitive dependency in `chrono` is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.
#### Examples:
`Cargo.toml` (the two lines are alternatives; a Cargo.toml may contain only one `chrono` entry):
```toml
chrono = { version = "0.4", default-features = false, features = ["serde"] }
# or, if the local-clock API is needed:
chrono = { version = "0.4.22", default-features = false, features = ["clock"] }
```
Command line:
```shell
cargo add chrono --no-default-features -F clock
```
Sources:
- chronotope/chrono#602 (comment)
- vityafx/serde-aux#21
URL: https://github.com/time-rs/time/issues/293
Patched versions: [
">=0.2.23"
]
Unaffected versions: [
"=0.2.0",
"=0.2.1",
"=0.2.2",
"=0.2.3",
"=0.2.4",
"=0.2.5",
"=0.2.6"
]
Affected operating systems: [
"linux",
"redox",
"solaris",
"android",
"ios",
"macos",
"netbsd",
"openbsd",
"freebsd"
]
Affected functions: {
"time::OffsetDateTime::now_local": [
"<0.2.23"
],
"time::OffsetDateTime::try_now_local": [
"<0.2.23"
],
"time::UtcOffset::current_local_offset": [
"<0.2.23"
],
"time::UtcOffset::local_offset_at": [
"<0.2.23"
],
"time::UtcOffset::try_current_local_offset": [
"<0.2.23"
],
"time::UtcOffset::try_local_offset_at": [
"<0.2.23"
],
"time::at": [
"^0.1"
],
"time::at_utc": [
"^0.1"
],
"time::now": [
"^0.1"
]
}
Package info: {
"name": "time",
"version": "0.1.45",
"source": "registry+https://github.com/rust-lang/crates.io-index",
"checksum": "1b797afad3f312d1c66a56d11d0316f916356d11bd158fbc6ca6389ff6bf805a",
"dependencies": [
{
"name": "libc",
"version": "0.2.171",
"source": "registry+https://github.com/rust-lang/crates.io-index"
},
{
"name": "wasi",
"version": "0.10.0+wasi-snapshot-preview999",
"source": null
},
{
"name": "winapi",
"version": "0.3.9",
"source": "registry+https://github.com/rust-lang/crates.io-index"
}
],
"replace": null
} (cargo-audit)
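As an added detection example (not code from the bug report, from cargo-audit or from the time crate), the following Python script scans a Cargo.lock for `time` entries that fall in the ranges the advisory lists: every 0.1.x release, and 0.2.7 through 0.2.22. The lock-file content is constructed for the example, and the parser is a minimal hand-written one for `[[package]]` blocks rather than a TOML library, so it runs with the standard library only.

```python
"""Check a Cargo.lock for `time` versions affected by RUSTSEC-2020-0071.

Added example, not part of the bug report or of cargo-audit; it re-implements
the advisory's version-range logic with the Python standard library only.
"""
import re

# Constructed sample Cargo.lock (not the WebRender lock file). Two `time`
# versions are resolved side by side, as happens when chrono's `oldtime`
# feature pulls in time 0.1 next to a direct time 0.3 dependency.
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "chrono"
version = "0.4.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "time 0.1.45",
]

[[package]]
name = "time"
version = "0.1.45"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "time"
version = "0.3.20"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Affected 0.2 patch range from the advisory: 0.2.7 through 0.2.22
# (0.2.0-0.2.6 are listed as unaffected, >=0.2.23 as patched).
AFFECTED_0_2 = (7, 22)


def parse_cargo_lock(text):
    """Return (name, version) pairs from every [[package]] block."""
    packages = []
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and version:
            packages.append((name.group(1), version.group(1)))
    return packages


def parse_semver(version):
    """Return (major, minor, patch); pre-release/build suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_time(version):
    """True if this `time` version lies in a range the advisory marks affected."""
    major, minor, patch = parse_semver(version)
    if (major, minor) == (0, 1):   # "^0.1": every 0.1.x release, no patch exists
        return True
    if (major, minor) == (0, 2):   # "<0.2.23" minus the unaffected 0.2.0-0.2.6
        return AFFECTED_0_2[0] <= patch <= AFFECTED_0_2[1]
    return False


def find_affected(text):
    """List the affected `time` entries found in a Cargo.lock."""
    return [(n, v) for n, v in parse_cargo_lock(text)
            if n == "time" and is_affected_time(v)]


if __name__ == "__main__":
    for name, version in find_affected(SAMPLE_CARGO_LOCK):
        print(f"{name} {version}: affected by RUSTSEC-2020-0071; "
              "run `cargo update` or drop chrono's default `oldtime` feature")
```

Run against a real lock file with `find_affected(open("Cargo.lock").read())`. Because `cargo update` cannot patch a 0.1.x dependency, any 0.1 hit needs the chrono feature change from the Workarounds section (or an upgrade of the crate that depends on time 0.1), while a 0.2.7-0.2.22 hit is resolved by the update alone.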
Comment 1•1 day ago
Moving across to Core: Graphics WebRender, since presumably that'll be the team that needs to look/know about this.
Component: Lint and Formatting → Graphics: WebRender
Product: Developer Infrastructure → Core
Updated•22 hours ago
Assignee: nobody → sledru
Comment 2•22 hours ago
I think I have a patch.