Bug #5259

closed

rust: update time dependency

Added by Victor Julien over 2 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Crate:         time
Version:       0.1.44
Title:         Potential segfault in the time crate
Date:          2020-11-18
ID:            RUSTSEC-2020-0071
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
Dependency tree: 
time 0.1.44
└── x509-parser 0.6.5
    └── suricata 7.0.0-dev

Related issues 2 (0 open, 2 closed)

Copied to Suricata - Bug #5265: rust: update time dependency (Rejected)
Copied to Suricata - Bug #5266: rust: update time dependency (Rejected)
Actions #1

Updated by Victor Julien over 2 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Jason Ish
Actions #2

Updated by Jeff Lucovsky over 2 years ago

  • Copied to Bug #5265: rust: update time dependency added
Actions #3

Updated by Jeff Lucovsky over 2 years ago

  • Copied to Bug #5266: rust: update time dependency added
Actions #4

Updated by Jason Ish over 2 years ago

Updating to x509-parser v0.13.0, which uses a fixed version of time, brings our MSRV up to Rust 1.53, which is not acceptable for backports.

While it's hard to quantify how this issue affects us, I believe it has to do with calls with `localtime_r` in one thread while another thread is fiddling with the TZ environment variable. The only calls we have to localtime_r come from Suricata itself, or the time crate via x509-parser, neither of which are fiddling with environment variables around their calls to localtime_r.

Actions #5

Updated by Victor Julien over 2 years ago

  • Label deleted (Needs backport to 5.0, Needs backport to 6.0)
Actions #6

Updated by Victor Julien about 2 years ago

  • Target version changed from TBD to 7.0.0-beta1
Actions #7

Updated by Victor Julien about 2 years ago

time is now at 0.3.13, so this can be closed @Jason Ish ?

Actions #8

Updated by Jason Ish about 2 years ago

  • Status changed from Assigned to Closed

Closing. Confirmed that this is no longer an issue with cargo audit.
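
The check discussed in this thread, as an added example that is not part of the original issue and is not Suricata's or cargo audit's code: it reads a Cargo.lock, flags a `time` crate older than the ">=0.2.23" threshold quoted in the report, and prints the dependency path that pulls it in. The lock-file excerpt is constructed to mirror the report's dependency tree, and the function names `parse_lock`, `chains_to` and `audit` are hypothetical; cargo audit itself consults the full advisory database rather than a single threshold.

```python
import re
# Constructed Cargo.lock excerpt mirroring the dependency tree in the report.
CARGO_LOCK = """
[[package]]
name = "suricata"
version = "7.0.0-dev"
dependencies = [
 "x509-parser",
]
[[package]]
name = "x509-parser"
version = "0.6.5"
dependencies = [
 "time",
]
[[package]]
name = "time"
version = "0.1.44"
"""

FIXED = (0, 2, 23)  # assumption: taken from the report's "Solution: Upgrade to >=0.2.23"

def parse_lock(text):
    """Map crate name -> (version, [dependency names]); assumes one version per crate."""
    packages = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps = re.search(r'^dependencies = \[(.*?)\]', block, re.M | re.S)
        # Entries may read "name version ..."; keep only the crate name.
        packages[name] = (version, re.findall(r'"([^" ]+)[^"]*"', deps.group(1)) if deps else [])
    return packages

def chains_to(packages, target, seen=frozenset()):
    """All dependency paths ending at target, root first (cycle-safe)."""
    ups = [n for n, (_, deps) in packages.items() if target in deps and n not in seen]
    if not ups:
        return [[target]]
    return [c + [target] for p in ups for c in chains_to(packages, p, seen | {target})]

def audit(text, crate="time", fixed=FIXED):
    """Return the paths that pull in `crate` below `fixed`, or [] if it is new enough."""
    packages = parse_lock(text)
    if crate not in packages:
        return []
    core = packages[crate][0].split("-")[0].split("+")[0]  # drop pre-release/build tags
    if tuple(int(p) for p in core.split(".")) >= fixed:
        return []
    return [" -> ".join(f"{n} {packages[n][0]}" for n in c) for c in chains_to(packages, crate)]
```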
