Bug #20141

closed

Vulnerability in time crate

Added by Alexis MOUSSET 7 months ago. Updated 6 months ago.

Status: Released
Priority: N/A
Category: Relay server or API
Target version:
Severity:
User visibility:
Effort required:
Priority: 0

Description

[2021-10-18T00:55:49.556Z] error[A001]: Potential segfault in the time crate
[2021-10-18T00:55:49.556Z]     ┌─ /srv/jenkins/workspace/pendencies_branches_rudder_6.1_3/relay/sources/relayd/Cargo.lock:203:1
[2021-10-18T00:55:49.556Z]     │
[2021-10-18T00:55:49.556Z] 203 │ time 0.1.43 registry+https://github.com/rust-lang/crates.io-index
[2021-10-18T00:55:49.556Z]     │ ----------------------------------------------------------------- security vulnerability detected
[2021-10-18T00:55:49.556Z]     │
[2021-10-18T00:55:49.556Z]     = ID: RUSTSEC-2020-0071
[2021-10-18T00:55:49.556Z]     = Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0071
[2021-10-18T00:55:49.556Z]     = ### Impact
[2021-10-18T00:55:49.556Z]       
[2021-10-18T00:55:49.556Z]       Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
[2021-10-18T00:55:49.556Z]       
[2021-10-18T00:55:49.556Z]       The affected functions from time 0.2.7 through 0.2.22 are:
[2021-10-18T00:55:49.556Z]       
[2021-10-18T00:55:49.556Z]       - `time::UtcOffset::local_offset_at`
[2021-10-18T00:55:49.556Z]       - `time::UtcOffset::try_local_offset_at`
[2021-10-18T00:55:49.556Z]       - `time::UtcOffset::current_local_offset`
[2021-10-18T00:55:49.556Z]       - `time::UtcOffset::try_current_local_offset`
[2021-10-18T00:55:49.556Z]       - `time::OffsetDateTime::now_local`
[2021-10-18T00:55:49.556Z]       - `time::OffsetDateTime::try_now_local`
[2021-10-18T00:55:49.556Z]       
[2021-10-18T00:55:49.556Z]       The affected functions in time 0.1 (all versions) are:
[2021-10-18T00:55:49.556Z]       
[2021-10-18T00:55:49.556Z]       - `at`
[2021-10-18T00:55:49.556Z]       - `at_utc`
[2021-10-18T00:55:49.556Z]       
[2021-10-18T00:55:49.556Z]       Non-Unix targets (including Windows and wasm) are unaffected.
[2021-10-18T00:55:49.556Z]       
[2021-10-18T00:55:49.556Z]       ### Patches
[2021-10-18T00:55:49.556Z]       
[2021-10-18T00:55:49.556Z]       Pending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.
[2021-10-18T00:55:49.556Z]       
[2021-10-18T00:55:49.556Z]       Users and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.
[2021-10-18T00:55:49.556Z]       
[2021-10-18T00:55:49.556Z]       Users of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3. series.
[2021-10-18T00:55:49.556Z]       
[2021-10-18T00:55:49.556Z]       ### Workarounds
[2021-10-18T00:55:49.556Z]       
[2021-10-18T00:55:49.556Z]       No workarounds are known.
[2021-10-18T00:55:49.556Z]       
[2021-10-18T00:55:49.556Z]       ### References
[2021-10-18T00:55:49.556Z]       
[2021-10-18T00:55:49.556Z]       time-rs/time#293
[2021-10-18T00:55:49.556Z]     = Announcement: https://github.com/time-rs/time/issues/293
[2021-10-18T00:55:49.556Z]     = Solution: Upgrade to >=0.2.23
[2021-10-18T00:55:49.556Z]     = time v0.1.43
[2021-10-18T00:55:49.556Z]       ├── chrono v0.4.11
[2021-10-18T00:55:49.556Z]       │   ├── diesel v1.4.6
[2021-10-18T00:55:49.556Z]       │   │   └── relayd v0.0.0-dev
[2021-10-18T00:55:49.556Z]       │   └── relayd v0.0.0-dev (*)
[2021-10-18T00:55:49.556Z]       ├── cookie v0.12.0
[2021-10-18T00:55:49.556Z]       │   ├── cookie_store v0.7.0
[2021-10-18T00:55:49.556Z]       │   │   └── reqwest v0.9.24
[2021-10-18T00:55:49.556Z]       │   │       └── relayd v0.0.0-dev (*)
[2021-10-18T00:55:49.556Z]       │   └── reqwest v0.9.24 (*)
[2021-10-18T00:55:49.556Z]       ├── cookie_store v0.7.0 (*)
[2021-10-18T00:55:49.556Z]       ├── headers v0.2.3
[2021-10-18T00:55:49.556Z]       │   └── warp v0.1.22
[2021-10-18T00:55:49.556Z]       │       └── relayd v0.0.0-dev (*)
[2021-10-18T00:55:49.556Z]       ├── hyper v0.12.36
[2021-10-18T00:55:49.556Z]       │   ├── hyper-tls v0.3.2
[2021-10-18T00:55:49.556Z]       │   │   └── reqwest v0.9.24 (*)
[2021-10-18T00:55:49.556Z]       │   ├── relayd v0.0.0-dev (*)
[2021-10-18T00:55:49.556Z]       │   ├── reqwest v0.9.24 (*)
[2021-10-18T00:55:49.556Z]       │   └── warp v0.1.22 (*)
[2021-10-18T00:55:49.556Z]       ├── reqwest v0.9.24 (*)
[2021-10-18T00:55:49.556Z]       └── zip v0.5.5
[2021-10-18T00:55:49.556Z]           └── relayd v0.0.0-dev (*)
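The report above comes from cargo-audit, which matches Cargo.lock entries against the RustSec database and prints the reverse-dependency tree. As an added example (not Rudder's code and not cargo-audit's), the std-only Rust program below does the same two things for this one advisory: it parses a Cargo.lock, flags `time` versions inside the ranges RUSTSEC-2020-0071 lists (every 0.1.x, and 0.2.7 through 0.2.22), and prints each path from `time` up to the root crate so the owning dependency (here `chrono`, `hyper`, ...) is obvious. The `SAMPLE_LOCK` text is constructed to mirror a slice of the tree in the report; the `Package`, `Finding`, `parse_cargo_lock`, `is_affected_time` and `reverse_paths` names are this example's own.

```rust
use std::collections::HashMap;

/// One `[[package]]` entry from Cargo.lock (only the fields this check needs).
#[derive(Debug, Clone, PartialEq)]
pub struct Package {
    pub name: String,
    pub version: String,
    pub dependencies: Vec<String>,
}

/// A vulnerable `time` entry plus every dependency path up to a root crate.
#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub version: String,
    pub paths: Vec<Vec<String>>,
}

/// Strips the double quotes of a TOML basic string; None if the value is not quoted.
fn unquote(s: &str) -> Option<String> {
    let s = s.trim();
    if s.len() >= 2 && s.starts_with('"') && s.ends_with('"') {
        Some(s[1..s.len() - 1].to_string())
    } else {
        None
    }
}

/// Minimal reader for the `[[package]]` blocks cargo writes into Cargo.lock.
/// It reads `name`, `version` and the multi-line `dependencies = [ ... ]` array;
/// other keys (source, checksum) are ignored.
pub fn parse_cargo_lock(text: &str) -> Vec<Package> {
    let mut packages = Vec::new();
    let mut current: Option<Package> = None;
    let mut in_deps = false;

    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(p) = current.take() {
                packages.push(p);
            }
            current = Some(Package { name: String::new(), version: String::new(), dependencies: Vec::new() });
            in_deps = false;
            continue;
        }
        let pkg = match current.as_mut() {
            Some(p) => p,
            None => continue, // header lines before the first block
        };
        if in_deps {
            if line == "]" {
                in_deps = false;
            } else if let Some(dep) = unquote(line.trim_end_matches(',')) {
                // An entry is "name" or "name 1.2.3" when several versions coexist;
                // only the crate name matters for path reconstruction.
                if let Some(dep_name) = dep.split_whitespace().next() {
                    pkg.dependencies.push(dep_name.to_string());
                }
            }
        } else if let Some(v) = line.strip_prefix("name = ") {
            pkg.name = unquote(v).unwrap_or_default();
        } else if let Some(v) = line.strip_prefix("version = ") {
            pkg.version = unquote(v).unwrap_or_default();
        } else if line == "dependencies = [" {
            in_deps = true;
        }
    }
    if let Some(p) = current.take() {
        packages.push(p);
    }
    packages
}

/// Parses "MAJOR.MINOR.PATCH" (pre-release or build suffix dropped) into a tuple.
pub fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|s| s.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Affected ranges exactly as RUSTSEC-2020-0071 states them:
/// every 0.1.x release, and 0.2.7 through 0.2.22 inclusive.
pub fn is_affected_time(version: &str) -> bool {
    match parse_version(version) {
        Some((0, 1, _)) => true,
        Some((0, 2, patch)) => (7..=22).contains(&patch),
        _ => false,
    }
}

/// Walks the reverse dependency graph from `target` up to every root crate
/// (a package nothing depends on) and returns each path, target first.
pub fn reverse_paths(packages: &[Package], target: &str) -> Vec<Vec<String>> {
    let mut parents: HashMap<&str, Vec<&str>> = HashMap::new();
    for p in packages {
        for d in &p.dependencies {
            parents.entry(d.as_str()).or_default().push(p.name.as_str());
        }
    }
    for v in parents.values_mut() {
        v.sort(); // deterministic output regardless of lock-file order
    }
    fn walk(parents: &HashMap<&str, Vec<&str>>, node: &str, path: &mut Vec<String>, out: &mut Vec<Vec<String>>) {
        match parents.get(node) {
            None => out.push(path.clone()),
            Some(ps) => {
                for p in ps {
                    if path.iter().any(|seen| seen.as_str() == *p) {
                        continue; // guard against dependency cycles
                    }
                    path.push(p.to_string());
                    walk(parents, p, path, out);
                    path.pop();
                }
            }
        }
    }
    let mut out = Vec::new();
    let mut path = vec![target.to_string()];
    walk(&parents, target, &mut path, &mut out);
    out
}

/// Runs the check over a Cargo.lock text and reports every vulnerable `time` entry.
pub fn audit_time_crate(lock: &str) -> Vec<Finding> {
    let packages = parse_cargo_lock(lock);
    packages
        .iter()
        .filter(|p| p.name == "time" && is_affected_time(&p.version))
        .map(|p| Finding { version: p.version.clone(), paths: reverse_paths(&packages, "time") })
        .collect()
}

/// Constructed sample lock file mirroring a slice of the tree in the report above.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "chrono"
version = "0.4.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "time",
]

[[package]]
name = "diesel"
version = "1.4.6"
dependencies = [
 "chrono",
]

[[package]]
name = "hyper"
version = "0.12.36"
dependencies = [
 "time",
]

[[package]]
name = "relayd"
version = "0.0.0-dev"
dependencies = [
 "chrono",
 "diesel",
 "hyper",
]

[[package]]
name = "time"
version = "0.1.43"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    for f in audit_time_crate(SAMPLE_LOCK) {
        println!("RUSTSEC-2020-0071: time {} is affected; upgrade to >=0.2.23 or 0.3", f.version);
        for path in &f.paths {
            println!("  {}", path.join(" <- "));
        }
    }
}
```

Because `time 0.1` has no patched release, the check only ever reports and never suggests a `cargo update`; the actual remediation is what the ticket did, moving the direct dependencies (`chrono`, `hyper`, `reqwest`, ...) to versions that no longer pull `time 0.1`, then re-running the check against the regenerated Cargo.lock until `audit_time_crate` returns nothing.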

Subtasks 1 (0 open, 1 closed)

Bug #20144: Vulnerability in time crate - 7.0 (Released, Vincent MEMBRÉ)
Actions #1

Updated by Alexis MOUSSET 7 months ago

  • Status changed from New to In progress
  • Assignee set to Alexis MOUSSET
Actions #2

Updated by Alexis MOUSSET 7 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis MOUSSET to Vincent MEMBRÉ
  • Pull Request set to https://github.com/Normation/rudder/pull/3944
Actions #3

Updated by Alexis MOUSSET 7 months ago

  • Status changed from Pending technical review to Pending release
Actions #5

Updated by Vincent MEMBRÉ 6 months ago

  • Status changed from Pending release to Released