RUSTSEC-2020-0071: Potential segfault in the time crate

[github-actions]

Potential segfault in the time crate

Details
Package	time
Version	0.1.44
URL	time-rs/time#293
Date	2020-11-18
Patched versions	>=0.2.23
Unaffected versions	=0.2.0,=0.2.1,=0.2.2,=0.2.3,=0.2.4,=0.2.5,=0.2.6

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

The affected functions from time 0.2.7 through 0.2.22 are:

• time::UtcOffset::local_offset_at
• time::UtcOffset::try_local_offset_at
• time::UtcOffset::current_local_offset
• time::UtcOffset::try_current_local_offset
• time::OffsetDateTime::now_local
• time::OffsetDateTime::try_now_local

The affected functions in time 0.1 (all versions) are:

• at
• at_utc

Non-Unix targets (including Windows and wasm) are unaffected.

Patches

Pending a proper fix, the internal method that determines the local offset has been modified to always return None on the affected operating systems. This has the effect of returning an Err on the try_* methods and UTC on the non-try_* methods.

Users and library authors with time in their dependency tree should perform cargo update, which will pull in the updated, unaffected code.

Users of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3. series.

Workarounds

No workarounds are known.

References

time-rs/time#293

See advisory page for additional details.

[therustmonk]

Related: chronotope/chrono#602

[therustmonk]

Two ways to solve that:

1. Use chrono from git (blocked by Bump time to 0.3 chronotope/chrono#578)
2. Wait for the new chrono release: CVE-2020-26235 advisory for time 0.1 dependency chronotope/chrono#602

Crates to update:

• tari_console_wallet
• tari_wallet
• tari_app_grpc
• tari_merge_mining_proxy (in jsonrpc dependency)
• tari_mining_node (time crate used directly)

[brianp]

My current interpritation of this is a PR was made to remove all the uses of chrono::Duration which under the hood used time::Duration from the time crate version 0.1.44. This time::Duration from 0.1.44 was the problem.

Chrono continues to ship with the older version of the time crate as a dependency but it is only brought in via features that we have explicitly turned off. We are explicitly using std::time::Duration through the codebase.

More confusion will eventually arise as it seems in newer versions of chrono they're suggesting moving all instances of time::Duration back to chrono::Duration with a new implementation under the hood. It leaves space for the confusion but as long as we continue to use std::time::Duration then I don't think there's an issue.

The advisory, unfortunately, isn't going to go away so having run the audit our best path forward is to probably add an ignore for it, and potentially create another backlog issue for a future re-assessment when chrono release's an eventual new version that removes the time dependency entirely.