RUSTSEC-2020-0159

Potential segfault in localtime_r invocations

Reported

November 10, 2020

Issued

October 18, 2021 (last modified: August 4, 2022)

Package

chrono (crates.io)

Type

Vulnerability

Categories

code-execution
memory-corruption

Keywords

#segfault

References

https://github.com/chronotope/chrono/issues/499

Related

CVE-2020-26235
RUSTSEC-2020-0071

Patched

>=0.4.20

Description

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References

time-rs/time#293

Advisory available under CC0-1.0 license.