Bug #5259

open

rust: update time dependency

Added by Victor Julien 6 months ago. Updated 9 days ago.

Status: Assigned
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Crate:         time
Version:       0.1.44
Title:         Potential segfault in the time crate
Date:          2020-11-18
ID:            RUSTSEC-2020-0071
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
Dependency tree: 
time 0.1.44
└── x509-parser 0.6.5
    └── suricata 7.0.0-dev

Related issues 2 (1 open, 1 closed)

Copied to Bug #5265: rust: update time dependency (Rejected)
Copied to Bug #5266: rust: update time dependency (Assigned, Jason Ish)
#1

Updated by Victor Julien 6 months ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Jason Ish
#2

Updated by Jeff Lucovsky 6 months ago

  • Copied to Bug #5265: rust: update time dependency added
#3

Updated by Jeff Lucovsky 6 months ago

  • Copied to Bug #5266: rust: update time dependency added
#4

Updated by Jason Ish 5 months ago

Updating to x509-parser v0.13.0, which uses a fixed version of time, brings our MSRV up to Rust 1.53, which is not acceptable for backports.

While it's hard to quantify how this issue affects us, I believe it has to do with calls with `localtime_r` in one thread while another thread is fiddling with the TZ environment variable. The only calls we have to localtime_r come from Suricata itself, or the time crate via x509-parser, neither of which is fiddling with environment variables around their calls to localtime_r.
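
Added example (not part of the issue thread and not Suricata code): a dependency-free check that scans Cargo.lock text for a `time` entry below the release named in the advisory's "Solution" line and lists the packages that pull it in. The lockfile sample is constructed from the dependency tree in the description, the function names are hypothetical, and treating every version below 0.2.23 as affected is an assumption taken from that "Solution" line alone.

```rust
// Added example: flag `time` entries older than the advisory's fixed release.
const FIXED: (u64, u64, u64) = (0, 2, 23); // from "Solution: Upgrade to >=0.2.23"
// Constructed sample, mirroring the dependency tree quoted in the issue.
const SAMPLE_LOCK: &str = r#"[[package]]
name = "suricata"
version = "7.0.0-dev"
dependencies = [
 "x509-parser",
]
[[package]]
name = "time"
version = "0.1.44"
[[package]]
name = "x509-parser"
version = "0.6.5"
dependencies = [
 "time",
]
"#;

/// Parse "major.minor.patch[-pre][+build]" into a comparable tuple; None if malformed.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Text between the first pair of double quotes on a line, if any.
fn quoted(line: &str) -> Option<&str> { line.split('"').nth(1) }

/// Returns (affected `time` versions, names of packages that depend on `time`).
fn audit(lock: &str) -> (Vec<String>, Vec<String>) {
    let (mut affected, mut dependents) = (Vec::new(), Vec::new());
    for block in lock.split("[[package]]").skip(1) {
        let (mut name, mut version, mut uses_time) = ("", "", false);
        for line in block.lines().map(str::trim) {
            if let Some(r) = line.strip_prefix("name = ") { name = quoted(r).unwrap_or(""); }
            else if let Some(r) = line.strip_prefix("version = ") { version = quoted(r).unwrap_or(""); }
            // Dependency entries read "time" or "time 0.1.44" when several versions coexist.
            else if let Some(dep) = quoted(line) { uses_time |= dep.split(' ').next() == Some("time"); }
        }
        let stale = parse_version(version).map_or(true, |v| v < FIXED); // unparsable: flag it
        if name == "time" && stale { affected.push(version.to_string()); }
        if uses_time { dependents.push(name.to_string()); }
    }
    (affected, dependents)
}

fn main() { println!("{:?}", audit(SAMPLE_LOCK)); }
```
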

#5

Updated by Victor Julien about 2 months ago

  • Label deleted (Needs backport to 5.0, Needs backport to 6.0)
#6

Updated by Victor Julien 9 days ago

  • Target version changed from TBD to 7.0rc1