RUSTSEC-2020-0159: Potential segfault in `localtime_r` invocations

Open github-actions[bot] opened this issue 4 years ago • 1 comments

Potential segfault in localtime_r invocations

Details
Package chrono
Version 0.4.19
URL https://github.com/chronotope/chrono/issues/499
Date 2020-11-10

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References

See advisory page for additional details.

github-actions[bot], Oct 19 '21 01:10

Dependencies that reference `chrono::Local::now()`, which seems to be the only path that executes `localtime_r`, are:

  • `syslog_loose` - but we don't use that path anywhere in our code.
  • `log4rs` - if a pattern like `{d(%Y...)(local)}` is used, which is totally up to the users, we cannot control this.

mfelsche, Oct 19 '21 10:10
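
One way to check a log4rs pattern string for the case named in the comment above, a date formatter that renders local time. This is an added example, not code from tremor-runtime, log4rs or chrono. The function name is hypothetical, and the check goes one step beyond the comment by also flagging `{d}` with no timezone argument, on the assumption (from the log4rs pattern documentation) that the timezone defaults to local.

```rust
// Added example (not tremor-runtime or log4rs code): find log4rs date
// formatters that render local time, the path that reaches `localtime_r`.
// Assumption: `{d}` / `{date}` without a timezone argument defaults to local.

/// Returns the text of every `{d...}` / `{date...}` formatter in `pattern`
/// whose timezone is local, either explicitly or by default.
pub fn local_date_formatters(pattern: &str) -> Vec<String> {
    let b = pattern.as_bytes();
    let mut hits = Vec::new();
    let mut i = 0;
    while i < b.len() {
        if b[i] != b'{' {
            i += 1;
            continue;
        }
        if b.get(i + 1) == Some(&b'{') {
            i += 2; // "{{" is an escaped literal brace
            continue;
        }
        let mut j = i + 1;
        while j < b.len() && b[j].is_ascii_alphabetic() {
            j += 1;
        }
        let name = &pattern[i + 1..j];
        i += 1; // keep scanning inside other formatters, e.g. {h({d} {l})}
        if name != "d" && name != "date" {
            continue;
        }
        // Collect "(format)(timezone)". Simplification: no nested parentheses.
        let mut args: Vec<&str> = Vec::new();
        while j < b.len() && b[j] == b'(' {
            let len = match pattern[j..].find(')') { Some(n) => n, None => return hits };
            args.push(pattern[j + 1..j + len].trim());
            j += len + 1;
        }
        // Skip an optional ":format_spec" up to the closing brace.
        let end = match pattern[j..].find('}') { Some(n) => n, None => return hits };
        if matches!(args.get(1).copied(), None | Some("local")) {
            hits.push(pattern[i - 1..j + end + 1].to_string());
        }
    }
    hits
}

fn main() {
    // Constructed sample patterns, not taken from any real configuration.
    for p in ["{d(%Y-%m-%d %H:%M:%S)(local)} {l} {m}{n}", "{d(%+)(utc)} {m}{n}", "{h({d} {l})} {m}{n}"] {
        println!("{:?} -> {:?}", p, local_date_formatters(p));
    }
}
```
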

This seems to have been resolved in current versions.

Licenser, Oct 09 '23 10:10