CVE-2020-26235 advisory for time 0.1 dependency

[acim]

Please update time dependency.

Inverse Dependency graph
time 0.1.44 (registry+https://github.com/rust-lang/crates.io-index)
└── chrono 0.4.19 (registry+https://github.com/rust-lang/crates.io-index)

[timvisee]

Yes!

I've prepared a PR for it some time ago, but it hasn't been merged yet: #578

[CryZe]

Everything below 0.2.7 is unaffected:
https://github.com/rustsec/advisory-db/blob/main/crates/time/RUSTSEC-2020-0071.md?plain=1#L36

However chrono does seem somewhat unmaintained, so maybe it makes sense to just switch to time 0.3 as your dependency entirely, which covers a lot of chrono's surface area, while also reducing the dependency count.

[acim]

Many projects are using chrono, they all have to drop chrono and use time 0.3, as you suggested.

 time 0.1.44 (registry+https://github.com/rust-lang/crates.io-index)
└── chrono 0.4.19 (registry+https://github.com/rust-lang/crates.io-index)
    └── mysql_common 0.27.5 (registry+https://github.com/rust-lang/crates.io-index)
        └── mysql_async 0.28.1 (registry+https://github.com/rust-lang/crates.io-index)

time 0.1.44 (registry+https://github.com/rust-lang/crates.io-index)
├── chrono 0.4.19 (registry+https://github.com/rust-lang/crates.io-index)
│   ├── json_env_logger 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)
│   │   └── bond 0.1.5 (path+file:///home/runner/work/bond/bond)
│   ├── k8s-openapi 0.13.1 (registry+https://github.com/rust-lang/crates.io-index)
│   │   ├── bond 0.1.5 (path+file:///home/runner/work/bond/bond)
│   │   ├── kube 0.61.0 (registry+https://github.com/rust-lang/crates.io-index)
│   │   │   ├── bond 0.1.5 (path+file:///home/runner/work/bond/bond)
│   │   │   └── kube-runtime 0.61.0 (registry+https://github.com/rust-lang/crates.io-index)
│   │   │       └── bond 0.1.5 (path+file:///home/runner/work/bond/bond)
│   │   ├── kube-core 0.61.0 (registry+https://github.com/rust-lang/crates.io-index)
│   │   │   └── kube 0.61.0 (registry+https://github.com/rust-lang/crates.io-index)
│   │   │       ├── bond 0.1.5 (path+file:///home/runner/work/bond/bond)
│   │   │       └── kube-runtime 0.61.0 (registry+https://github.com/rust-lang/crates.io-index)
│   │   │           └── bond 0.1.5 (path+file:///home/runner/work/bond/bond)
│   │   └── kube-runtime 0.61.0 (registry+https://github.com/rust-lang/crates.io-index)
│   │       └── bond 0.1.5 (path+file:///home/runner/work/bond/bond)
│   ├── kube 0.61.0 (registry+https://github.com/rust-lang/crates.io-index)
│   │   ├── bond 0.1.5 (path+file:///home/runner/work/bond/bond)
│   │   └── kube-runtime 0.61.0 (registry+https://github.com/rust-lang/crates.io-index)
│   │       └── bond 0.1.5 (path+file:///home/runner/work/bond/bond)
│   └── kube-core 0.61.0 (registry+https://github.com/rust-lang/crates.io-index)
│       └── kube 0.61.0 (registry+https://github.com/rust-lang/crates.io-index)
│           ├── bond 0.1.5 (path+file:///home/runner/work/bond/bond)
│           └── kube-runtime 0.61.0 (registry+https://github.com/rust-lang/crates.io-index)
│               └── bond 0.1.5 (path+file:///home/runner/work/bond/bond)

[Arnavion]

Actually, this conversation is founded on a wrong assumption. chrono has the issue not because of its time 0.1 dependency, but because it directly calls localtime_r in the same way that time 0.1 does. AFAICT the code from time 0.1 that calls localtime_r is never called by chrono, at least not in the Local::now call path.

So unless I'm missing something, while it's unfortunate that the PR to update to time 0.3 hasn't been merged for a long time, it also won't actually fix the crash reported here.

[legoktm]

@Arnavion wrote:

Actually, this conversation is founded on a wrong assumption. chrono has the issue not because of its time 0.1 dependency, but because it directly calls localtime_r in the same way that time 0.1 does. AFAICT the code from time 0.1 that calls localtime_r is never called by chrono, at least not in the Local::now call path.

Should a separate security advisory be issued for chrono then, in addition to the one for time that transitively affects chrono?

[CryZe]

Yeah definitely.

[tarcieri]

I've opened a PR to add an advisory for chrono here: rustsec/advisory-db#1082

[timvisee]

Actually, this conversation is founded on a wrong assumption. chrono has the issue not because of its time 0.1 dependency, but because it directly calls localtime_r in the same way that time 0.1 does. AFAICT the code from time 0.1 that calls localtime_r is never called by chrono, at least not in the Local::now call path.

So unless I'm missing something, while it's unfortunate that the PR to update to time 0.3 hasn't been merged for a long time, it also won't actually fix the crash reported here.

After reading through the issues: would using a shared lock for set_var and the localtime_r invocation fix this issue?

If so, I'd be happy to try and implement it. In the hopes of it getting merged of course.

[tarcieri]

Per the discussion on time#293 it sounds like the best solution would be to reimplement localtime_r in pure Rust, possibly translating the implementation from Musl.

[jnicholls]

Per the discussion on time#293 it sounds like the best solution would be to reimplement localtime_r in pure Rust, possibly translating the implementation from Musl.

Yep I think that would be the proper thing to do longterm. And the less explicit dependency on libc, the better.

[djc]

FWIW, we've released chrono 0.4.30 without the time 0.1 dependency. See the release notes for more context.