RUSTSEC-2020-0159: Potential segfault in localtime_r invocations #304
Comments
I don't think this is a serious issue for us since (a) we don't do much with local time and (b) we're not operating on untrusted data or with any privilege escalation. Also we're not at 1.0 yet :) But, when there's a workaround or fix available, let's adopt it.
Agreed, doesn't seem particularly relevant to TC chronotope/chrono#499 (comment)
chronotope/chrono#499 (comment) is also interesting - essentially this seems to basically be a problem in libc. Most interestingly I learned that chrono, despite seeming quite a core Rust crate, was only maintained by a single person. Hopefully that situation is helped by all this noise around this bug.
I had a look through that issue -- yeah, this does seem a very tough one to solve. I wish the security audit wouldn't make all the PRs fail because of it!
I think this is no longer an issue, but was never really an issue for TC.
See discussion at GothenburgBitFactory/taskchampion#304. Note that RUSTSEC-2020-0159 is the same bug as RUSTSEC-2020-0071.
chrono
0.4.19
Impact
Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
Workarounds
No workarounds are known.
References
See advisory page for additional details.
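The condition in the Impact section, shown at the libc level with one process-wide lock serializing the environment write and the local-time conversion. This is an added example, not code from chrono or taskchampion; `guarded_setenv`, `guarded_localtime` and `run_guarded` are hypothetical names. The lock only covers callers that use these wrappers, so a third-party library that changes the environment directly is still outside it.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* One lock shared by every environment write and every local-time
 * conversion (hypothetical wrappers, not a libc or chrono API). */
static pthread_mutex_t env_lock = PTHREAD_MUTEX_INITIALIZER;

/* setenv() may reallocate the environment block; holding env_lock keeps
 * that from overlapping the TZ lookup done for a time conversion. */
int guarded_setenv(const char *name, const char *value) {
    pthread_mutex_lock(&env_lock);
    int rc = setenv(name, value, 1);
    pthread_mutex_unlock(&env_lock);
    return rc;
}

/* Returns 0 on success, -1 if the conversion failed. */
int guarded_localtime(time_t t, struct tm *out) {
    pthread_mutex_lock(&env_lock);
    tzset(); /* POSIX does not require localtime_r() to re-read TZ itself */
    struct tm *r = localtime_r(&t, out);
    pthread_mutex_unlock(&env_lock);
    return r ? 0 : -1;
}

/* The "different thread" of the advisory: it keeps changing TZ. */
static void *tz_writer(void *arg) {
    int rounds = *(int *)arg;
    for (int i = 0; i < rounds; i++)
        guarded_setenv("TZ", (i & 1) ? "EST5" : "UTC0");
    return NULL;
}

/* Converts a constructed timestamp (2001-09-09T01:46:40Z) while the writer
 * runs; returns the number of failed or implausible conversions. */
int run_guarded(int rounds) {
    pthread_t writer;
    struct tm tm;
    int bad = 0;
    if (pthread_create(&writer, NULL, tz_writer, &rounds) != 0) return -1;
    for (int i = 0; i < rounds; i++)
        if (guarded_localtime((time_t)1000000000, &tm) != 0 || tm.tm_year != 101)
            bad++;
    pthread_join(writer, NULL);
    return bad;
}
int main(void) { printf("bad conversions: %d\n", run_guarded(100000)); return 0; }
```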