a8m / pb

Console progress bar for Rust

cargo audit vulnerability found on the time crate

endafarrell opened this issue

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
    Loaded 457 security advisories (from /usr/local/cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (46 crate dependencies)
Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
└── pbr 1.0.4
    └── split-building-footprints 0.1.0 (my code)
error: 1 vulnerability found!

Hi. I've just started using pbr, and cargo add pbr gave me version 1.0.4, but a cargo audit has found a vulnerability in the version of time used.

I observe that pbr doesn't have a dependency on the time crate - so it ... might ... be a false positive.

Searching through the code shows that all "time" is from the std::time. Is it possible that line 8 of the [examples/multi_bg.rs](https://github.com/endafarrell/pb/tree/master/examples/multi_bg.rs) might have a role to play in this?

It's not a false positive. The time dependency was dropped in #100, but there hasn't been a release since then, so version 1.0.4 is still affected.

Sadly, requests for a new release (#113) have thus far not been responded to.

See: #113 (comment)

Thanks for raising it.
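Why the finding is real even though pbr's master branch no longer imports time: cargo audit works from Cargo.lock, which records the dependency graph of the published pbr 1.0.4 crate, not of the repository after #100. The block below is an added example, not code from pb, cargo-audit or either commenter. It reproduces the check in miniature: a small parser for the subset of Cargo.lock that matters, a version comparison against the advisory's patched version 0.2.23, and a reverse-dependency walk that yields the same root -> pbr -> time path the report prints. The sample lock file, the parser and every function name are assumptions made for illustration.

```rust
// Added example, not code from the pb project: a minimal reproduction of what `cargo audit`
// does with the report above. It reads Cargo.lock, not pbr's source tree, so a `time`
// dependency that is gone on master but still in the published 1.0.4 crate is a real finding.
use std::collections::HashMap;
/// One `[[package]]` table from Cargo.lock (`source`/`checksum` lines are ignored).
pub struct Package { pub name: String, pub version: String, pub dependencies: Vec<String> }

/// Constructed sample Cargo.lock reproducing the dependency tree in the report.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "pbr"
version = "1.0.4"
dependencies = [
 "time",
]
[[package]]
name = "split-building-footprints"
version = "0.1.0"
dependencies = ["pbr"]
[[package]]
name = "time"
version = "0.1.44"
"#;
/// Crate name from a dependencies-array item such as `"time",` or `"time 0.1.44",`.
fn dep_name(item: &str) -> Option<String> {
    let inner = item.trim().trim_end_matches(',').trim().trim_matches('"');
    inner.split_whitespace().next().map(str::to_string)
}
/// Minimal parser for the `[[package]]` tables of a Cargo.lock.
pub fn parse_cargo_lock(text: &str) -> Vec<Package> {
    let mut packages: Vec<Package> = Vec::new();
    let mut in_deps = false; // inside a multi-line `dependencies = [ ... ]`
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" { // start a new table
            packages.push(Package { name: String::new(), version: String::new(), dependencies: vec![] });
            in_deps = false; continue;
        }
        let pkg = match packages.last_mut() { Some(p) => p, None => continue };
        if in_deps {
            if line == "]" { in_deps = false; } else { pkg.dependencies.extend(dep_name(line)); }
        } else if let Some(v) = line.strip_prefix("name = ") {
            pkg.name = v.trim_matches('"').to_string();
        } else if let Some(v) = line.strip_prefix("version = ") {
            pkg.version = v.trim_matches('"').to_string();
        } else if let Some(rest) = line.strip_prefix("dependencies = [") {
            match rest.strip_suffix(']') {
                Some(inline) => pkg.dependencies.extend(inline.split(',').filter_map(dep_name)),
                None => in_deps = true,
            }
        }
    }
    packages
}

/// Is `locked` below the advisory's first patched version ("Upgrade to >=0.2.23")? MAJOR.MINOR.PATCH
/// is compared numerically, suffixes are dropped, and unparsable versions are flagged, not skipped.
pub fn is_vulnerable(locked: &str, patched: &str) -> bool {
    let parse = |v: &str| -> Option<Vec<u64>> {
        v.split(|c: char| c == '-' || c == '+').next()?.split('.').map(|s| s.parse().ok()).collect()
    };
    match (parse(locked), parse(patched)) { (Some(l), Some(p)) => l < p, _ => true }
}

/// Every reverse-dependency path from `crate_name` up to a package nothing depends on
/// (the workspace root), listed root-first like the "Dependency tree" in the report.
pub fn dependency_paths(packages: &[Package], crate_name: &str) -> Vec<Vec<String>> {
    let mut parents: HashMap<&str, Vec<&str>> = HashMap::new();
    for p in packages {
        for d in &p.dependencies { parents.entry(d.as_str()).or_default().push(p.name.as_str()); }
    }
    let (mut paths, mut stack) = (Vec::new(), vec![vec![crate_name.to_string()]]);
    while let Some(path) = stack.pop() {
        match parents.get(path.last().unwrap().as_str()) {
            None => paths.push(path.iter().rev().cloned().collect()),
            Some(ps) => for parent in ps {
                if path.iter().any(|n| n.as_str() == *parent) { continue; } // cycle guard
                let mut next = path.clone();
                next.push(parent.to_string());
                stack.push(next);
            },
        }
    }
    paths.sort();
    paths
}

/// Paths by which a vulnerable `crate_name` enters the build; empty if it is absent or patched.
pub fn vulnerable_paths(lock: &str, crate_name: &str, patched: &str) -> Vec<Vec<String>> {
    let packages = parse_cargo_lock(lock);
    match packages.iter().find(|p| p.name == crate_name) {
        Some(p) if is_vulnerable(&p.version, patched) => dependency_paths(&packages, crate_name),
        _ => Vec::new(),
    }
}

fn main() {
    for path in vulnerable_paths(SAMPLE_LOCK, "time", "0.2.23") { println!("{}", path.join(" -> ")); }
}
```

On a real checkout the same inverted tree comes from `cargo tree -i time` in the crate directory. Note that `cargo update` cannot clear the finding on its own, since the published 1.0.4 manifest still requires time; it takes a new pbr release that includes #100, or a version of time at or above 0.2.23 that pbr can actually resolve to.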