Bug #21555

open

Potential segfault in chrono

Added by Alexis Mousset 15 days ago. Updated 9 days ago.

Status: Pending release
Priority: N/A
Category: Relay server or API
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Regression: Yes

Description

+ cargo deny check
[2022-08-04T20:49:12.666Z] error[A001]: Potential segfault in `localtime_r` invocations
[2022-08-04T20:49:12.666Z]    ┌─ /srv/jenkins/workspace/dependencies_branches_rudder_7.2/relay/sources/relayd/Cargo.lock:19:1
[2022-08-04T20:49:12.667Z]    │
[2022-08-04T20:49:12.667Z] 19 │ chrono 0.4.19 registry+https://github.com/rust-lang/crates.io-index
[2022-08-04T20:49:12.667Z]    │ ------------------------------------------------------------------- security vulnerability detected
[2022-08-04T20:49:12.667Z]    │
[2022-08-04T20:49:12.667Z]    = ID: RUSTSEC-2020-0159
[2022-08-04T20:49:12.667Z]    = Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0159
[2022-08-04T20:49:12.667Z]    = ### Impact
[2022-08-04T20:49:12.667Z]      
[2022-08-04T20:49:12.667Z]      Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
[2022-08-04T20:49:12.667Z]      
[2022-08-04T20:49:12.667Z]      ### Workarounds
[2022-08-04T20:49:12.667Z]      
[2022-08-04T20:49:12.667Z]      No workarounds are known.
[2022-08-04T20:49:12.667Z]      
[2022-08-04T20:49:12.667Z]      ### References
[2022-08-04T20:49:12.667Z]      
[2022-08-04T20:49:12.667Z]      - [time-rs/time#293](https://github.com/time-rs/time/issues/293)
[2022-08-04T20:49:12.667Z]    = Announcement: https://github.com/chronotope/chrono/issues/499
[2022-08-04T20:49:12.667Z]    = Solution: Upgrade to >=0.4.20
[2022-08-04T20:49:12.667Z]    = chrono v0.4.19
[2022-08-04T20:49:12.667Z]      ├── diesel v1.4.8
[2022-08-04T20:49:12.667Z]      │   └── rudder-relayd v0.0.0-dev
[2022-08-04T20:49:12.667Z]      └── rudder-relayd v0.0.0-dev (*)
Actions #1

Updated by Alexis Mousset 15 days ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
Actions #2

Updated by Alexis Mousset 15 days ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder/pull/4421
Actions #3

Updated by Alexis Mousset 15 days ago

  • Description updated (diff)
Actions #4

Updated by Alexis Mousset 15 days ago

  • Status changed from Pending technical review to Pending release