RUSTSEC-2020-0159: Potential segfault in localtime_r invocations

[github-actions]

Potential segfault in localtime_r invocations

Details
Package	chrono
Version	0.4.19
URL	chronotope/chrono#499
Date	2020-11-10

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References

• time-rs/time#293

See advisory page for additional details.

[PSeitz]

Just wanted to add that at quickwit/tantivy we removed chrono in favor of time (https://crates.io/crates/time), since chrono is unmaintained.

quickwit-oss/tantivy#1304
quickwit-oss/quickwit#1232

[weiznich]

@PSeitz We do not have any planes to remove chrono as:

• That would be a huge breaking change for anyone using chrono and diesel (I assume there are quite a lot users out there)
• Our API usage is not affected by this issue
• Chrono is behind a optional feature flag, so users can choose if they want to depend on chrono or not

As for using time: I would accept a PR adding support for the corresponding time types, but I personally do not have any plan to implement that in the next weeks/months.

[Ten0]

Considering the advisory has been withdrawn (https://rustsec.org/advisories/RUSTSEC-2020-0159.html) and chrono is an opt-in we can probably close this.