The call to localtime_r may be unsound
#293
Comments
|
First off: thanks! It's a nice find. What would be an appropriate fix for this? Mainly for myself: this is the sole location this function is called. |
|
I don't think there is any quick solution, we may have to reimplement |
|
Ping @ymtvx, who created the original implementation. I'm not terribly familiar with these C APIs. What output are you expecting from the snippet provided? |
|
@jhpratt Oh, I realized that I paste wrong code and it has been updated. POC code will crash. |
|
|
|
In addition, I found that when using |
|
So what is actually causing the segfault? Just trying to determine the true root cause so that I can figure out what action to take. I've never used lldb before, so all I see is the basic segfault message when running. |
|
To be more specific, Rust's libstd avoids this problem by locking |
|
Rust libstd has a similar, long open issue, for its own calls to Like In the linked issue, it is contemplated using the libstd internal ENV lock around calls to |
|
So instead of worrying about concurrent env modification, you could read the env variable on startup and cache it, and avoid any calls to real getenv. If you want to be fancy you could intercept setenv and update the cached value in a thread safe way. |
|
@hlavaatch That would add an up-front cost for everyone, which isn't desirable. It would also prevent the user from changing the TZ while the program is running. With regard to intercepting setenv, what do you mean? This crate has no control over what users write. |
|
I have created a draft security advisory on GitHub for this, and have requested a CVE. If granted, I will then file an advisory over at RustSec/advisory-db. Time 0.2.23 was released earlier today, which avoids the issue entirely by not attempting to determine the local offset on Unix-like operating systems. |
|
A security advisory has been published on GitHub. This issue has been assigned CVE-2020-26235. |
|
Closing this issue as the unsoundness does not exist on the most recent release. In addition, a security advisory has been issued on this repository, a CVE has been issued, and a rustsec advisory has been issued. I don't think there's much more I can do at this point. |
|
Couldn't we implement |
|
@osa1 There is presumably some way to work around this, yes. Feel free to put together a pull request if you have sufficient knowledge — the previous code was just commented out, not removed completely. The problem is more the call to |
What do you mean by this? |
|
Note to anyone else finding this. It is marked "closed", but as of 2020-12-18, all the local-offset methods are still unusable on the main branch on unix platforms, as they always return Err. |
To avoid bring `time` v0.1.x into dependency graph, see time-rs/time#293
To avoid bringing `time` v0.1.x into dependency graph, see time-rs/time#293
2939: Disable default features of `chrono` r=adamreichold a=messense To avoid bringing `time` v0.1.x into dependency graph, see time-rs/time#293 Co-authored-by: messense <messense@icloud.com>
Bumps [chrono](https://github.com/chronotope/chrono) from 0.4.19 to 0.4.23 - [Release notes](https://github.com/chronotope/chrono/releases)) - [Commits](chronotope/chrono@v0.4.19...v0.4.23) The main purpose of this bump is fixing the [security alert from dependabot](https://github.com/unrenamed/daedalus/security/dependabot/2) that describes the soundness issues with calls to localtime_r() as first reported in [time-rs/time#293](time-rs/time#293) which chrono depends on as to the [RUSTSEC-2020-0159](https://rustsec.org/advisories/RUSTSEC-2020-0159) advisory.
Bumps [chrono](https://github.com/chronotope/chrono) from 0.4.19 to 0.4.23 - [Release notes](https://github.com/chronotope/chrono/releases) - [Commits](chronotope/chrono@v0.4.19...v0.4.23) The main purpose of this bump is fixing the [security alert from dependabot](https://github.com/unrenamed/daedalus/security/dependabot/2) that describes the soundness issues with calls to localtime_r() as first reported in [time-rs/time#293](time-rs/time#293) which chrono depends on as to the [RUSTSEC-2020-0159](https://rustsec.org/advisories/RUSTSEC-2020-0159) advisory.
To avoid bringing `time` v0.1.x into dependency graph, see time-rs/time#293
chrono 0.4's default features include the `oldtime` feature which pulls in time 0.1.44. This is an unmaintained version with soundness issues (time-rs/time#293) and is rarely needed. If downstream users require this dependency, they can enable the feature themselves.
chrono 0.4's default features include the `oldtime` feature which pulls in time 0.1.44. This is an unmaintained version with soundness issues (time-rs/time#293) and is rarely needed. If downstream users require this dependency, they can enable the feature themselves.
because
getenvandsetenvare not thread-safe,localtime_rin time may data race withstd::env::set_varin libstd.I described this problem in chrono issue, and time is also affected.
Edit from @jhpratt:
Chrono users please see this comment.
The text was updated successfully, but these errors were encountered: