Bug #5259
closed
rust: update time dependency
Added by Victor Julien over 2 years ago.
Updated about 2 years ago.
Description
Crate: time
Version: 0.1.44
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
└── x509-parser 0.6.5
    └── suricata 7.0.0-dev
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jason Ish
- Copied to Bug #5265: rust: update time dependency added
- Copied to Bug #5266: rust: update time dependency added
Updating to x509-parser v0.13.0, which uses a fixed version of time, brings our MSRV up to Rust 1.53, which is not acceptable for backports.
While it's hard to quantify how this issue affects us, I believe it has to do with calls with `localtime_r` in one thread while another thread is fiddling with the TZ environment variable. The only calls we have to localtime_r come from Suricata itself, or the time crate via x509-parser, neither of which are fiddling with environment variables around their calls to localtime_r.
- Label deleted (Needs backport to 5.0, Needs backport to 6.0)
- Target version changed from TBD to 7.0.0-beta1
time is now at 0.3.13, so this can be closed @Jason Ish ?
- Status changed from Assigned to Closed
Closing. Confirmed that this is no longer an issue with cargo audit.
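The dependency chain that cargo audit reported in the description can also be recovered straight from a Cargo.lock, which is useful when checking a backport branch that still pins the old x509-parser. The Python below is an added example, not part of the ticket or of Suricata's code: the lock excerpt is constructed to mirror the report, the function names are hypothetical, and the version check applies only the "Upgrade to >=0.2.23" line quoted above.

```python
import re
FIXED = (0, 2, 23)  # from the page: "Solution: Upgrade to >=0.2.23"

# Constructed Cargo.lock excerpt mirroring the dependency tree in the report.
SAMPLE_LOCK = '''[[package]]
name = "suricata"
version = "7.0.0-dev"
dependencies = [
 "x509-parser",
]
[[package]]
name = "x509-parser"
version = "0.6.5"
dependencies = [
 "time",
]
[[package]]
name = "time"
version = "0.1.44"
'''

def parse_lock(text):
    """Return [(name, version, [(dep_name, dep_version_or_None), ...]), ...]."""
    pkgs = []
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        m = re.search(r'^dependencies = \[(.*?)\]', block, re.M | re.S)
        # A dependency entry is "name" or "name version [(source)]".
        deps = [tuple((d.split() + [None])[:2])
                for d in re.findall(r'"([^"]+)"', m.group(1))] if m else []
        pkgs.append((name, version, deps))
    return pkgs

def is_affected(version):
    """True when the numeric x.y.z core is below FIXED (pre-release tags ignored)."""
    return tuple(map(int, re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())) < FIXED

def affected_chains(text, crate="time"):
    """Dependency chains, root first, that end at an affected version of crate."""
    pkgs = parse_lock(text)
    def parents(name, version):
        return [(n, v) for n, v, deps in pkgs
                if any(dn == name and dv in (None, version) for dn, dv in deps)]
    def walk(node, seen):  # climb to the roots; seen guards against cycles
        ups = [p for p in parents(*node) if p not in seen]
        return [c + [node] for p in ups for c in walk(p, seen | {p})] or [[node]]
    return [[f"{a} {b}" for a, b in chain]
            for n, v, _ in pkgs if n == crate and is_affected(v)
            for chain in walk((n, v), {(n, v)})]
```

Calling `affected_chains(open("Cargo.lock").read())` on a real lock file returns one list per path from a top-level package down to the flagged `time` version; an empty list means no version below the fixed release is locked.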