cargo audit vulnerability found on the time crate
```text
$ cargo audit
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 457 security advisories (from /usr/local/cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (46 crate dependencies)
Crate: time
Version: 0.1.44
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
└── pbr 1.0.4
    └── split-building-footprints 0.1.0 (my code)
error: 1 vulnerability found!
```
Hi. I've just started using pbr, and `cargo add pbr` gave me version 1.0.4, but a `cargo audit` has found a vulnerability in the version of time used.
I observe that pbr doesn't have a dependency on the time crate, so it ... might ... be a false positive.
Searching through the code shows that all "time" is from `std::time`. Is it possible that line 8 of [examples/multi_bg.rs](https://github.com/endafarrell/pb/tree/master/examples/multi_bg.rs) might have a role to play in this?
It's not a false positive. The time dependency was dropped in https://github.com/a8m/pb/pull/100, but there hasn't been a release since then, so version 1.0.4 is still affected.
Sadly, requests for a new release (https://github.com/a8m/pb/issues/113) have thus far not been responded to.
See: https://github.com/a8m/pb/issues/113#issuecomment-1421439691
Thanks for raising it up.
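The confusion in this thread comes from reading the crate's source instead of the lock file: `cargo audit` scans `Cargo.lock`, so what matters is which crates the *released* `pbr 1.0.4` pulls in, not what `master` does. The following added example (not part of this thread and not the pb project's code) does the same reverse-dependency walk by hand: it parses a `Cargo.lock`, finds every chain from a root crate down to the advisory's crate, and checks the locked version against the advisory's patched minimum. The `Cargo.lock` text is constructed from the dependency tree shown in the `cargo audit` output above (`split-building-footprints 0.1.0` → `pbr 1.0.4` → `time 0.1.44`), plus one hypothetical unrelated crate (`unicode-width`) to show that unaffected crates are ignored; the advisory values come from the RUSTSEC-2020-0071 entry printed above.

```python
"""Trace which dependency chain pulls an advisory's crate into Cargo.lock
and whether the locked version is below the patched minimum.
Added example; the lock file below is constructed, not taken from pb."""
import re

# Constructed Cargo.lock (v3 layout): the chain from the cargo audit output
# above, plus a hypothetical crate "unicode-width" that has no advisory.
SAMPLE_LOCK = '''\
version = 3

[[package]]
name = "pbr"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "time",
]

[[package]]
name = "split-building-footprints"
version = "0.1.0"
dependencies = [
 "pbr",
 "unicode-width",
]

[[package]]
name = "time"
version = "0.1.44"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "unicode-width"
version = "0.1.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
'''

# Values taken from the advisory shown in the cargo audit output above.
RUSTSEC_2020_0071 = {"id": "RUSTSEC-2020-0071", "crate": "time", "patched_min": "0.2.23"}


def parse_cargo_lock(text):
    """Return {(name, version): [dependency names]} from the [[package]] tables.
    A dependency entry is either "name" or "name version" (v3 writes the
    version only when several versions of that crate are locked)."""
    packages = {}
    for chunk in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', chunk, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', chunk, re.M).group(1)
        deps = []
        block = re.search(r'^dependencies = \[(.*?)^\]', chunk, re.M | re.S)
        if block:
            deps = [entry.split()[0] for entry in re.findall(r'"([^"]+)"', block.group(1))]
        packages[(name, version)] = deps
    return packages


def parse_version(v):
    """Semver core as a comparable tuple; pre-release tags are not handled."""
    return tuple(int(part) for part in v.split(".")[:3])


def dependency_paths(packages, target):
    """Every chain root -> ... -> target, each node labelled "name version".
    Edges are keyed by crate name, so a lock with two versions of one crate
    would merge their chains (good enough for a single-version lock)."""
    versions = {}
    dependents = {}
    for (name, version), deps in packages.items():
        versions.setdefault(name, []).append(version)
        for dep in deps:
            dependents.setdefault(dep, set()).add(name)
    label = lambda name: f"{name} {'/'.join(versions[name])}"
    paths = []

    def walk(name, chain):
        parents = dependents.get(name, set())
        if not parents:  # reached a root crate (nothing depends on it)
            paths.append([label(n) for n in reversed(chain)])
        for parent in sorted(parents):
            if parent not in chain:  # cycle guard
                walk(parent, chain + [parent])

    walk(target, [target])
    return paths


def render_tree(path):
    """Print a root->target chain the way cargo audit does: target first."""
    leaf_first = list(reversed(path))
    lines = [leaf_first[0]]
    for depth, node in enumerate(leaf_first[1:]):
        lines.append("    " * depth + "└── " + node)
    return "\n".join(lines)


def audit(packages, advisory):
    """Findings for every locked version of advisory['crate'] below patched_min."""
    findings = []
    for name, version in packages:
        if name == advisory["crate"] and parse_version(version) < parse_version(advisory["patched_min"]):
            findings.append({"version": version, "paths": dependency_paths(packages, name)})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_cargo_lock(SAMPLE_LOCK), RUSTSEC_2020_0071):
        print(f"{RUSTSEC_2020_0071['id']}: {RUSTSEC_2020_0071['crate']} {finding['version']}")
        for path in finding["paths"]:
            print(render_tree(path))
```

Run against a real project by replacing `SAMPLE_LOCK` with the contents of its `Cargo.lock`; the chain it prints for `time` is exactly the one `cargo audit` shows, which is why a crate absent from the direct dependency list can still be a true positive. The same walk is what `cargo tree -i time` performs for you.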