
Cargo audit reports a security vulnerability in the `time` crate dependency

Open reinhardbluelab opened this issue 2 years ago • 2 comments

Running cargo audit on my project results in the following report:

Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
  Loaded 481 security advisories (from /Users/r/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (196 crate dependencies)

Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
└── chrono 0.4.22
    └── build-time 0.1.2
        └── esp-idf-sys 0.32.1
            ├── esp-idf-svc 0.45.0
...
error: 1 vulnerability found!

Note: I have also reported this issue for the build-time crate repository.

reinhardbluelab, Jan 13 '23 09:01

Is this still a problem now that time 0.1.45 has been released?

ivmarkov, Feb 01 '23 06:02

Not sure - according to the output it's only resolved from >=0.2.23. According to the repo time 0.1.x is deprecated.

reinhardbluelab, Feb 02 '23 02:02

I don't think that is a problem for us. We only use build-time for the esp_app_desc macro. Furthermore, in the original report they mention this problem arises if chrono is used with the oldtime feature. But clearly that is not used in the build-time crate, so it's not an issue.

Vollbrecht, Jun 21 '24 12:06
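For triaging a report like the one quoted above, here is an added Python example (not code from the esp-idf-sys project or any commenter) that parses the cargo-audit text output, checks the flagged version against the advised fix range, and names which direct dependency of a given crate brings the vulnerable one in. The sample report is constructed from the one quoted in the issue; the functions and their names are this example's own.

```python
"""Parse a cargo-audit text report and answer two defender questions:
is the flagged version still below the patched range, and which direct
dependency of our crate pulls the vulnerable crate in (so we know where a
feature change such as disabling chrono's default features would apply)."""
import re

# Constructed sample, abbreviated from the report quoted in the issue.
SAMPLE_REPORT = """\
Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
└── chrono 0.4.22
    └── build-time 0.1.2
        └── esp-idf-sys 0.32.1
            ├── esp-idf-svc 0.45.0
error: 1 vulnerability found!
"""

def parse_version(v):
    """'0.1.44' -> (0, 1, 44) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))

def parse_report(text):
    """Return (header fields, dependency chain) where the chain is a list of
    (crate, version) from the vulnerable crate upward to its dependents."""
    fields = dict(re.findall(r"^(\w+):\s+(.*)$", text, re.M))
    chain, in_tree = [], False
    for line in text.splitlines():
        if line.startswith("Dependency tree:"):
            in_tree = True
            continue
        if in_tree:
            m = re.match(r"^[\s│├└─]*([\w-]+) (\d+\.\d+\.\d+)$", line)
            if not m:
                break  # first non-tree line ends the tree
            chain.append((m.group(1), m.group(2)))
    return fields, chain

def is_below_patched(fields):
    """True if the flagged version is still below the '>=' bound in Solution."""
    m = re.search(r">=\s*(\d+\.\d+\.\d+)", fields["Solution"])
    return parse_version(fields["Version"]) < parse_version(m.group(1))

def pulled_in_by(chain, our_crate):
    """The direct dependency of our_crate on the path to the vulnerable crate."""
    idx = [name for name, _ in chain].index(our_crate)
    return chain[idx - 1] if idx > 0 else None
```

Feeding the same Solution line with Version 0.1.45 still returns True from `is_below_patched`, which is the point made in the thread: a 0.1.x bump does not reach the advised >=0.2.23 range.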