
Upgrade time crate to 0.3 (CVE-2020-26235)

Closed this issue · 2 comments

This crate depends on chrono 0.4 which pulls in time 0.1 which is vulnerable to RUSTSEC-2020-0071 / CVE-2020-26235.
There seems to be no fix for chrono released yet, and the fix is not trivial.

Crate:     time
Version:   0.1.43
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.43
└── chrono 0.4.19
    ├── dtparse 1.2.0
    │   └── fclones 0.26.0
    └── chrono-tz 0.5.3
        └── dtparse 1.2.0

Because this crate's responsibility is mostly parsing, and I guess it doesn't use most of chrono's features, can you make it compatible with other time formats so chrono or time 0.1 are not needed? E.g. parsing a string into SystemTime or OffsetDateTime. That could be enabled by a feature flag + optional dependencies.
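For anyone wanting to check their own project for the same chain without `cargo audit`, here is an added example (not code from dtparse, fclones or the advisory) that walks a Cargo.lock, flags any `time` entry older than the `>=0.2.23` fix named in the advisory, and prints the dependents that pull it in. The lock-file text is a constructed sample that mirrors the dependency tree quoted above; the parser only reads the `name`, `version` and `dependencies` keys of each `[[package]]` table and ignores the rest.

```rust
use std::collections::HashMap;

/// One `[[package]]` entry from Cargo.lock (only the fields this check needs).
#[derive(Debug, Clone, PartialEq)]
pub struct Package {
    pub name: String,
    pub version: String,
    pub dependencies: Vec<String>,
}

/// First fixed version from RUSTSEC-2020-0071 ("Upgrade to >=0.2.23").
pub const RUSTSEC_2020_0071_FIXED: (u64, u64, u64) = (0, 2, 23);

/// Constructed sample lock file (not a real project's), shaped like the
/// dependency tree in the advisory: fclones -> dtparse -> chrono -> time 0.1.
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "chrono"
version = "0.4.19"
dependencies = [
 "num-integer",
 "time",
]

[[package]]
name = "chrono-tz"
version = "0.5.3"
dependencies = [
 "chrono",
]

[[package]]
name = "dtparse"
version = "1.2.0"
dependencies = [
 "chrono",
 "chrono-tz",
]

[[package]]
name = "fclones"
version = "0.26.0"
dependencies = [
 "dtparse",
]

[[package]]
name = "num-integer"
version = "0.1.44"

[[package]]
name = "time"
version = "0.1.43"
"#;

/// Minimal parser for the `[[package]]` tables of a Cargo.lock file.
pub fn parse_lock(text: &str) -> Vec<Package> {
    let mut packages = Vec::new();
    let mut current: Option<Package> = None;
    let mut in_deps = false;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(p) = current.take() {
                packages.push(p);
            }
            current = Some(Package { name: String::new(), version: String::new(), dependencies: Vec::new() });
            in_deps = false;
            continue;
        }
        let pkg = match current.as_mut() {
            Some(p) => p,
            None => continue, // header lines before the first table
        };
        if in_deps {
            if line.starts_with(']') {
                in_deps = false;
                continue;
            }
            // Entries are "name" or, when several versions exist, "name version".
            let entry = line.trim_end_matches(',').trim_matches('"');
            if let Some(dep_name) = entry.split_whitespace().next() {
                pkg.dependencies.push(dep_name.to_string());
            }
            continue;
        }
        if let Some(v) = line.strip_prefix("name = ") {
            pkg.name = v.trim_matches('"').to_string();
        } else if let Some(v) = line.strip_prefix("version = ") {
            pkg.version = v.trim_matches('"').to_string();
        } else if line.starts_with("dependencies = [") {
            in_deps = !line.ends_with(']');
        }
    }
    if let Some(p) = current.take() {
        packages.push(p);
    }
    packages
}

/// "0.1.43" -> (0, 1, 43); pre-release and build suffixes are ignored.
fn parse_version(v: &str) -> (u64, u64, u64) {
    let mut parts = v
        .split(|c: char| c == '.' || c == '-' || c == '+')
        .map(|s| s.parse::<u64>().unwrap_or(0));
    (parts.next().unwrap_or(0), parts.next().unwrap_or(0), parts.next().unwrap_or(0))
}

/// Every chain of dependents (innermost first) that leads to a `crate_name`
/// entry older than `fixed`. An empty result means the advisory does not apply.
pub fn find_vulnerable(packages: &[Package], crate_name: &str, fixed: (u64, u64, u64)) -> Vec<Vec<String>> {
    // Reverse edges: dependency name -> names of packages that depend on it.
    let mut dependents: HashMap<&str, Vec<&str>> = HashMap::new();
    for p in packages {
        for d in &p.dependencies {
            dependents.entry(d.as_str()).or_default().push(p.name.as_str());
        }
    }
    let mut paths = Vec::new();
    for p in packages.iter().filter(|p| p.name == crate_name && parse_version(&p.version) < fixed) {
        walk(&dependents, &p.name, vec![p.name.clone()], &mut paths);
    }
    paths
}

fn walk(dependents: &HashMap<&str, Vec<&str>>, name: &str, path: Vec<String>, out: &mut Vec<Vec<String>>) {
    match dependents.get(name) {
        None => out.push(path), // reached a root package
        Some(parents) => {
            for parent in parents {
                if path.iter().any(|p| p.as_str() == *parent) {
                    continue; // cycle guard
                }
                let mut next = path.clone();
                next.push(parent.to_string());
                walk(dependents, parent, next, out);
            }
        }
    }
}

fn main() {
    let packages = parse_lock(SAMPLE_LOCK);
    let paths = find_vulnerable(&packages, "time", RUSTSEC_2020_0071_FIXED);
    if paths.is_empty() {
        println!("no time crate below 0.2.23 in lock file");
    }
    for path in paths {
        println!("{}", path.join(" <- "));
    }
}
```

Run against a real project by replacing `SAMPLE_LOCK` with the contents of its `Cargo.lock`; each printed line is one path from the vulnerable `time` entry up to a root crate, which is the information needed to decide whether a `cargo update` on the intermediate crate (here `chrono`) is enough or whether the dependency must be replaced.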

SystemTime can only be created via SystemTime::now(), so it's not possible to parse strings into SystemTime.

The proper fix seems to be removing chrono entirely in favor of parsing in terms of PrimitiveDateTime/UtcOffset from the time crate, and releasing that as a major semver upgrade. Will take a look when I can, pull requests always appreciated.

Seems like chrono is publishing an updated crate with fixes as part of 0.4.20. Given a dependency on chrono 0.4 as a minor release, the patch will get picked up.

I'm not opposed to pull requests that move to time directly, but I'm fine to simply pick up the upstream fixes.