Reported

August 15, 2022

Issued

August 17, 2022 (last modified: June 13, 2023)

Package

iana-time-zone (crates.io)

Type

INFO Unsound

Categories

• memory-exposure

Aliases

• GHSA-3fg9-hcq5-vxrc

References

• https://github.com/strawlab/iana-time-zone/pull/54
• https://github.com/strawlab/iana-time-zone/pull/50#discussion_r945353515

Patched

• >=0.1.45

Unaffected

• <0.1.43

Affected OSes

• ios
• macos

Affected Functions

Version

iana_time_zone::get_timezone

• >0.1.42, <0.1.45

Description

In iana-time-zone v0.1.43 a use-after-free bug in the MacOS / iOS implementation was introduced.

The copied system time zone was released before its name was copied. If the system time zone was changed between the call of CFRelease and str::to_owned(), random memory would be copied.

Advisory available under CC0-1.0 license.