stacks-core icon indicating copy to clipboard operation
stacks-core copied to clipboard

Published 20 hours ago verified publisher icon stacks-network

chore: upgrade `chronos` to address RUSTSEC-2020-0159

Open diwakergupta opened this issue 3 years ago • 3 comments

From cargo audit:

Crate:     chrono
Version:   0.4.19
Title:     Potential segfault in `localtime_r` invocations
Date:      2020-11-10
ID:        RUSTSEC-2020-0159
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:  Upgrade to >=0.4.20

Changelog: https://github.com/chronotope/chrono/releases/tag/v0.4.20

Note that I did not upgrade to the latest dependency -- 0.4.22 -- as it pulls in a few other depenendencies that I wasn't sure about, notably iana-time-zone.

diwakergupta avatar Sep 13 '22 16:09 diwakergupta

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Sep 13 '22 16:09 CLAassistant

Codecov Report

Merging #3290 (c913920) into develop (74f0d99) will increase coverage by 0.65%. The diff coverage is n/a.

@@             Coverage Diff             @@
##           develop    #3290      +/-   ##
===========================================
+ Coverage    30.28%   30.93%   +0.65%     
===========================================
  Files          262      262              
  Lines       205147   205155       +8     
===========================================
+ Hits         62130    63473    +1343     
+ Misses      143017   141682    -1335
Impacted Files Coverage Δ
stacks-common/src/util/macros.rs 78.31% <0.00%> (-3.10%) :arrow_down:
...n/src/deps_common/bitcoin/blockdata/transaction.rs 16.29% <0.00%> (-1.19%) :arrow_down:
src/net/poll.rs 46.70% <0.00%> (-0.51%) :arrow_down:
...ommon/src/deps_common/bitcoin/network/encodable.rs 22.82% <0.00%> (-0.50%) :arrow_down:
src/burnchains/bitcoin/network.rs 81.01% <0.00%> (-0.47%) :arrow_down:
src/util_lib/strings.rs 42.06% <0.00%> (-0.35%) :arrow_down:
src/chainstate/stacks/block.rs 31.06% <0.00%> (-0.29%) :arrow_down:
src/burnchains/bitcoin/spv.rs 42.14% <0.00%> (-0.27%) :arrow_down:
src/chainstate/stacks/index/storage.rs 70.77% <0.00%> (-0.17%) :arrow_down:
testnet/stacks-node/src/tests/neon_integrations.rs 81.72% <0.00%> (-0.12%) :arrow_down:
... and 35 more

:mega: We’re building smart automated test selection to slash your CI/CD build times. Learn more

codecov[bot] avatar Sep 13 '22 16:09 codecov[bot]

I rebased on top of Aaron's commit to fix the build, and incorporated @jcnelson's suggestion. But looks like iana-time-zone also pulls in js-sys. Sadly I'm at the limit of my cargo-fu and couldn't figure out how to get rid of the wasm related dependencies.

If this PR is unacceptable as-is -- someone wants to commandeer this PR, go for it, otherwise feel free to close it out for now.

diwakergupta avatar Sep 16 '22 15:09 diwakergupta

I looked into the CVE for this. Basically, someone needs to be able to race the call to localtime_r with a call to setenv in a different thread of the process in order to create a dangling pointer which will lead to a segfault.

This is basically unexploitable for us -- we don't set envars on-the-fly in production, and we certainly don't set the TZ environment variable anywhere (which is ready by localtime_r).

I'm fine with just closing this PR, and maybe documenting this choice somewhere.

jcnelson avatar Sep 27 '22 18:09 jcnelson

I'm fine with just closing this PR, and maybe documenting this choice somewhere.

Thanks for looking into this @jcnelson , closing for now. If someone's motivated enough to address all audit flags and incorporate that into CI, go for it!

diwakergupta avatar Sep 28 '22 17:09 diwakergupta