momentohq/client-sdk-rust

RUSTSEC-2020-0159

Closed this issue · 4 comments

Cargo audit reports the following:

client-sdk-rust]$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 405 security advisories (from /home/brian/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (151 crate dependencies)
Crate:         chrono
Version:       0.4.19
Title:         Potential segfault in `localtime_r` invocations
Date:          2020-11-10
ID:            RUSTSEC-2020-0159
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:      No safe upgrade is available!
Dependency tree: 
chrono 0.4.19
└── momento 0.1.0

Crate:         time
Version:       0.1.44
Title:         Potential segfault in the time crate
Date:          2020-11-18
ID:            RUSTSEC-2020-0071
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
Dependency tree: 
time 0.1.44

error: 2 vulnerabilities found!

If possible, it might be better to avoid using chrono: according to cargo tree, it looks like time 0.1.44 is only in the dependency tree due to chrono 0.4.19. It seems that if the code can be refactored to avoid chrono, both RUSTSEC advisories would be addressed.

We may want to add cargo audit into the CI workflow as well.

Just for context, we took a dependency on chrono for supporting a new API that displays a timestamp in human-readable format and I'm not familiar with any other Rust library that can parse timestamps and calculate time deltas like chrono does.

Looking at chronotope/chrono#499, it looks like there are some open PRs ready to be merged, and chrono-0.4.20, once released, should address this.
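An added example (not code from the momento SDK, from chrono, or from anyone in this thread) of the kind of refactor the issue suggests: parsing RFC 3339 timestamps, computing time deltas and rendering them human-readably with nothing but std. All date arithmetic is integer math in UTC, so the program never calls libc's localtime_r, the function named in the RUSTSEC-2020-0159 title; that call consults the process environment for the time zone, which is why concurrent environment writes make it unsafe. The names UtcSeconds, parse_rfc3339_utc and humanize_delta, and the sample timestamps, are this example's own.

```rust
// Added example for this thread (not the momento SDK's or chrono's code): parse RFC 3339
// UTC timestamps, compute deltas and print them human-readably with only std. All date
// arithmetic is integer math in UTC, so nothing here reaches libc's localtime_r.
use std::fmt;
/// Whole seconds since 1970-01-01T00:00:00Z.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct UtcSeconds(pub i64);

#[derive(Debug, PartialEq, Eq)]
pub struct ParseError(pub &'static str);

/// Days since the Unix epoch for a proleptic Gregorian date (Hinnant's days_from_civil).
fn days_from_civil(y: i64, m: u32, d: u32) -> i64 {
    let y = if m <= 2 { y - 1 } else { y };
    let era = (if y >= 0 { y } else { y - 399 }) / 400;
    let yoe = y - era * 400;
    let mp = (i64::from(m) + 9) % 12; // March = 0 ... February = 11
    let doy = (153 * mp + 2) / 5 + i64::from(d) - 1;
    era * 146_097 + (yoe * 365 + yoe / 4 - yoe / 100 + doy) - 719_468
}

/// Inverse of days_from_civil: (year, month, day) for days since the Unix epoch.
fn civil_from_days(z: i64) -> (i64, u32, u32) {
    let z = z + 719_468;
    let era = (if z >= 0 { z } else { z - 146_096 }) / 146_097;
    let doe = z - era * 146_097;
    let yoe = (doe - doe / 1460 + doe / 36_524 - doe / 146_096) / 365;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    let mp = (5 * doy + 2) / 153;
    let d = (doy - (153 * mp + 2) / 5 + 1) as u32;
    let m = (if mp < 10 { mp + 3 } else { mp - 9 }) as u32;
    (yoe + era * 400 + i64::from(m <= 2), m, d)
}
fn days_in_month(y: i64, m: u32) -> u32 {
    let leap = (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
    match m { 4 | 6 | 9 | 11 => 30, 2 => if leap { 29 } else { 28 }, _ => 31 }
}

/// Parse "YYYY-MM-DDTHH:MM:SS[.fraction]Z". Only 'Z' is accepted (a numeric offset is
/// rejected rather than silently read as UTC); fractions are truncated; :60 is rejected.
pub fn parse_rfc3339_utc(s: &str) -> Result<UtcSeconds, ParseError> {
    let b = s.as_bytes();
    if b.len() < 20 || b[4] != b'-' || b[7] != b'-' || b[10] != b'T' || b[13] != b':' || b[16] != b':' {
        return Err(ParseError("expected YYYY-MM-DDTHH:MM:SSZ"));
    }
    let num = |from: usize, to: usize| -> Result<i64, ParseError> {
        s.get(from..to)
            .filter(|t| t.bytes().all(|c| c.is_ascii_digit()))
            .and_then(|t| t.parse().ok())
            .ok_or(ParseError("non-digit in numeric field"))
    };
    let (y, m, d) = (num(0, 4)?, num(5, 7)?, num(8, 10)?);
    let (hh, mm, ss) = (num(11, 13)?, num(14, 16)?, num(17, 19)?);
    let tail = &s[19..]; // byte 19 is a char boundary once num(17, 19) succeeded
    let fraction_ok = tail.starts_with('.') && tail.ends_with('Z') && tail.len() > 2
        && tail[1..tail.len() - 1].bytes().all(|c| c.is_ascii_digit());
    if tail != "Z" && !fraction_ok {
        return Err(ParseError("expected 'Z' suffix (UTC only)"));
    }
    if !(1..=12).contains(&m) || d < 1 || d > i64::from(days_in_month(y, m as u32))
        || hh > 23 || mm > 59 || ss > 59 {
        return Err(ParseError("date or time field out of range"));
    }
    Ok(UtcSeconds(days_from_civil(y, m as u32, d as u32) * 86_400 + hh * 3_600 + mm * 60 + ss))
}

impl UtcSeconds {
    /// Signed difference self - other in seconds (positive when self is later).
    pub fn seconds_since(self, other: UtcSeconds) -> i64 { self.0 - other.0 }
}

impl fmt::Display for UtcSeconds {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let (days, sod) = (self.0.div_euclid(86_400), self.0.rem_euclid(86_400));
        let (y, m, d) = civil_from_days(days);
        write!(f, "{:04}-{:02}-{:02}T{:02}:{:02}:{:02}Z", y, m, d, sod / 3_600, sod % 3_600 / 60, sod % 60)
    }
}

/// Render a signed delta in seconds as e.g. "2 days, 3 hours ago" or "5 minutes from now".
pub fn humanize_delta(secs: i64) -> String {
    let (mut rem, suffix) = if secs < 0 { (secs.unsigned_abs(), "from now") } else { (secs as u64, "ago") };
    let mut parts = Vec::new();
    for &(unit, name) in &[(86_400u64, "day"), (3_600, "hour"), (60, "minute"), (1, "second")] {
        let n = rem / unit;
        rem %= unit;
        if n > 0 {
            parts.push(format!("{} {}{}", n, name, if n == 1 { "" } else { "s" }));
        }
    }
    if parts.is_empty() { "just now".to_string() } else { format!("{} {}", parts.join(", "), suffix) }
}

fn main() {
    // Constructed sample timestamps, not data from the SDK or this issue.
    let created = parse_rfc3339_utc("2020-11-10T09:30:00Z").expect("valid timestamp");
    let seen = parse_rfc3339_utc("2020-11-12T12:34:05.250Z").expect("valid timestamp");
    println!("created {} -> {}", created, humanize_delta(seen.seconds_since(created)));
    println!("rejected: {:?}", parse_rfc3339_utc("2020-11-10T09:30:00+01:00"));
}
```

The trade-off is deliberate: the code only ever renders UTC. Local-time display is exactly the feature that needs a time-zone lookup, and on Unix that lookup is the localtime_r path the advisory concerns, so an API that shows timestamps in UTC sidesteps the problem rather than patching around it.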

> We may want to add cargo audit into the CI workflow as well.

That's a great idea; it might be worth introducing as long as we are okay with overriding merges when we hit scenarios like these.

I think this one can be closed at this point

The vulnerable chrono dependency was removed in #124