
RUSTSEC-2020-0159 #50

Closed
brayniac opened this issue May 2, 2022 · 4 comments

Comments

brayniac (Collaborator) commented May 2, 2022

Cargo audit reports the following:

client-sdk-rust]$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 405 security advisories (from /home/brian/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (151 crate dependencies)
Crate:         chrono
Version:       0.4.19
Title:         Potential segfault in `localtime_r` invocations
Date:          2020-11-10
ID:            RUSTSEC-2020-0159
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:      No safe upgrade is available!
Dependency tree: 
chrono 0.4.19
└── momento 0.1.0

Crate:         time
Version:       0.1.44
Title:         Potential segfault in the time crate
Date:          2020-11-18
ID:            RUSTSEC-2020-0071
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
Dependency tree: 
time 0.1.44

error: 2 vulnerabilities found!

If possible, it might be better to avoid using chrono - according to cargo tree it looks like time 0.1.44 is only in the dependency tree due to chrono 0.4.19. It seems that if the code can be refactored to avoid chrono, that both RUSTSEC advisories would be addressed.

We may want to add cargo audit into the CI workflow as well.

tylerburdsall (Contributor) commented

Just for context, we took a dependency on chrono to support a new API that displays a timestamp in human-readable format, and I'm not familiar with any other Rust library that can parse timestamps and calculate time deltas like chrono does.

Looking at chronotope/chrono#499, it looks like there are some open PRs ready to be merged, and this should be addressed when chrono-0.4.20 is released.
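The refactor suggested in the opening comment (dropping chrono so that time 0.1.44 leaves the tree with it) and the needs listed just above (parse timestamps, compute deltas, display them human-readably) can be met with std alone when the API only has to deal in UTC. The block below is an added example written for this page, not code from the momento client-sdk-rust project or from the PR that removed chrono; it assumes timestamps are Unix seconds and that output is UTC-only. That restriction is also what keeps it clear of the two advisories: both concern libc's `localtime_r` racing with environment mutation from another thread, and pure integer calendar arithmetic never calls into libc or reads the environment.

```rust
// Added example (not part of the momento client-sdk-rust project): UTC-only
// timestamp formatting, strict parsing and human-readable deltas using std only.
// RUSTSEC-2020-0159 / RUSTSEC-2020-0071 concern `localtime_r` racing with
// `setenv`; this code never calls libc or touches the environment, so it is
// outside the affected code paths entirely. Assumes Unix seconds as input.
use std::time::{SystemTime, UNIX_EPOCH};

/// Days since 1970-01-01 for a proleptic Gregorian date
/// (Howard Hinnant's `days_from_civil` algorithm).
fn days_from_civil(y: i64, m: u32, d: u32) -> i64 {
    let y = if m <= 2 { y - 1 } else { y };
    let era = (if y >= 0 { y } else { y - 399 }) / 400;
    let yoe = y - era * 400; // year of era, [0, 399]
    let mp = (if m > 2 { m - 3 } else { m + 9 }) as i64; // March-based month
    let doy = (153 * mp + 2) / 5 + d as i64 - 1; // day of year, [0, 365]
    let doe = yoe * 365 + yoe / 4 - yoe / 100 + doy; // day of era
    era * 146_097 + doe - 719_468
}

/// Inverse of `days_from_civil`: (year, month, day) for a day count.
fn civil_from_days(z: i64) -> (i64, u32, u32) {
    let z = z + 719_468;
    let era = (if z >= 0 { z } else { z - 146_096 }) / 146_097;
    let doe = z - era * 146_097;
    let yoe = (doe - doe / 1460 + doe / 36_524 - doe / 146_096) / 365;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    let mp = (5 * doy + 2) / 153;
    let d = (doy - (153 * mp + 2) / 5 + 1) as u32;
    let m = (if mp < 10 { mp + 3 } else { mp - 9 }) as u32;
    let y = yoe + era * 400 + (if m <= 2 { 1 } else { 0 });
    (y, m, d)
}

/// Format Unix seconds as RFC 3339 UTC, e.g. 2022-05-02T00:00:00Z.
pub fn format_utc(secs: u64) -> String {
    let (y, m, d) = civil_from_days((secs / 86_400) as i64);
    let rem = secs % 86_400;
    format!("{:04}-{:02}-{:02}T{:02}:{:02}:{:02}Z",
            y, m, d, rem / 3600, (rem % 3600) / 60, rem % 60)
}

/// Strict parser for exactly the form `format_utc` emits. Returns None on any
/// deviation; calendar-invalid dates such as 2021-02-29 are rejected by
/// requiring the value to round-trip through `format_utc` unchanged.
pub fn parse_utc(s: &str) -> Option<u64> {
    let b = s.as_bytes();
    if b.len() != 20 || b[4] != b'-' || b[7] != b'-' || b[10] != b'T'
        || b[13] != b':' || b[16] != b':' || b[19] != b'Z' {
        return None;
    }
    let num = |r: std::ops::Range<usize>| s.get(r).and_then(|t| t.parse::<u64>().ok());
    let (y, m, d) = (num(0..4)?, num(5..7)?, num(8..10)?);
    let (hh, mm, ss) = (num(11..13)?, num(14..16)?, num(17..19)?);
    if !(1..=12).contains(&m) || !(1..=31).contains(&d) || hh > 23 || mm > 59 || ss > 59 {
        return None;
    }
    let days = days_from_civil(y as i64, m as u32, d as u32);
    if days < 0 {
        return None; // pre-epoch instants are not representable as u64 seconds
    }
    let secs = days as u64 * 86_400 + hh * 3600 + mm * 60 + ss;
    if format_utc(secs) == s { Some(secs) } else { None }
}

/// Human-readable distance from `event` to `now`, e.g. "3 days ago" or "in 2 hours".
pub fn human_delta(event: u64, now: u64) -> String {
    const UNITS: [(i64, &str); 7] = [
        (31_536_000, "year"), (2_592_000, "month"), (604_800, "week"),
        (86_400, "day"), (3_600, "hour"), (60, "minute"), (1, "second"),
    ];
    let delta = now as i64 - event as i64;
    if delta == 0 {
        return "just now".to_string();
    }
    let mag = delta.abs();
    // Largest unit that fits at least once; the 1-second entry always matches.
    let (size, name) = UNITS.iter().copied().find(|&(size, _)| mag >= size).unwrap();
    let n = mag / size;
    let plural = if n == 1 { "" } else { "s" };
    if delta > 0 { format!("{} {}{} ago", n, name, plural) } else { format!("in {} {}{}", n, name, plural) }
}

fn main() {
    let now = SystemTime::now().duration_since(UNIX_EPOCH).expect("clock before epoch").as_secs();
    println!("now: {}", format_utc(now));
    // Constructed input: the day this issue was opened, in UTC.
    let opened = parse_utc("2022-05-02T00:00:00Z").expect("valid timestamp");
    println!("issue opened {}", human_delta(opened, now));
}
```

The round-trip check in `parse_utc` is doing the input validation: anything that is not the canonical 20-byte form, including out-of-range fields, a leading `+` on a field, or a date that does not exist, comes back as `None` rather than being silently normalised.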

tylerburdsall (Contributor) commented May 2, 2022

> We may want to add cargo audit into the CI workflow as well.

That's a great idea; it might be worth introducing as long as we are okay with overriding merges when we hit scenarios like these.

brayniac (Collaborator, Author) commented

I think this one can be closed at this point

nand4011 (Contributor) commented

The vulnerable chrono dependency was removed in #124
