Add chrono advisory for chrono#499 (localtime_r)
#1082
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is an advisory similar to `RUSTSEC-2020-0071` impacting usages of `localtime_r` within `chrono` itself, since the API is used in a cross-thread manner in an unsound way.
tarcieri
force-pushed
the
chrono/localtime_r-unsound
branch
from
11b1440
to
d7dad3f
Compare
|
Note that there are reports of this impacting real-world code. |
|
Is it possible to whitelist a crate using |
|
It's been suggested before but not something we support: #288. More generally we've wanted to support false positive elimination via call graph analysis: rustsec/rustsec#21 |
|
Thanks for pointers! Call graph analysis sounds useful but not perfect because in some situations there may be multiple factors, so I think #288 is still valuable and probably easier to implement. |
alexjg
added a commit
to alexjg/jsonschema-rs
that referenced
this pull request
Oct 20, 2021
Due to a CVE in chrono[0] we switch to time 0.3.3. Chrono actually depends on an older, similarly vulnerable version of `time` but newer versions of `time` seem to offer everything we need to validate dates and times anyway. [0] rustsec/advisory-db#1082 Signed-off-by: Alex Good <[email protected]>
alexjg
added a commit
to alexjg/jsonschema-rs
that referenced
this pull request
Oct 20, 2021
Due to a CVE in chrono[0] we switch to time 0.3.3. Chrono actually depends on an older, similarly vulnerable version of `time` but newer versions of `time` seem to offer everything we need to validate dates and times anyway. [0] rustsec/advisory-db#1082 Signed-off-by: Alex Good <[email protected]>
alexjg
added a commit
to alexjg/jsonschema-rs
that referenced
this pull request
Oct 20, 2021
Due to a CVE in chrono[0] we switch to time 0.3.3. Chrono actually depends on an older, similarly vulnerable version of `time` but newer versions of `time` seem to offer everything we need to validate dates and times anyway. [0] rustsec/advisory-db#1082 Signed-off-by: Alex Good <[email protected]>
Stranger6667
pushed a commit
to Stranger6667/jsonschema
that referenced
this pull request
Oct 20, 2021
Due to a CVE in chrono[0] we switch to time 0.3.3. Chrono actually depends on an older, similarly vulnerable version of `time` but newer versions of `time` seem to offer everything we need to validate dates and times anyway. [0] rustsec/advisory-db#1082 Signed-off-by: Alex Good <[email protected]>
Stranger6667
pushed a commit
to Stranger6667/jsonschema
that referenced
this pull request
Oct 21, 2021
Due to a CVE in chrono[0] we switch to time 0.3.3. Chrono actually depends on an older, similarly vulnerable version of `time` but newer versions of `time` seem to offer everything we need to validate dates and times anyway. [0] rustsec/advisory-db#1082 Signed-off-by: Alex Good <[email protected]> (cherry picked from commit 625c66e)
This was referenced Dec 15, 2021
ghost
mentioned this pull request
9 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is an advisory similar to
RUSTSEC-2020-0071impacting usages oflocaltime_rwithinchronoitself, since the API is used in a cross-thread manner in an unsound way.