Skip to content

Comments

Replace chrono with time (address RUSTSEC-2020-0071)#6

Open
jeff-hiner wants to merge 1 commit intoAxcient:mainfrom
jeff-hiner:rustsec-2020-0071
Open

Replace chrono with time (address RUSTSEC-2020-0071)#6
jeff-hiner wants to merge 1 commit intoAxcient:mainfrom
jeff-hiner:rustsec-2020-0071

Conversation

@jeff-hiner
Copy link

@jeff-hiner jeff-hiner commented Jan 26, 2023
edited
Loading

This library is unfortunately more susceptible than normal to the env var race conditions in the RUSTSEC, because it uses local time calls extensively.

This PR addresses the vulnerability by replacing chrono with time 0.3. This is a semver breaking change, because it touches quite a few public interfaces.

@jssblck
Copy link

jssblck commented Mar 2, 2023

@kevinhoffman is there anything blocking this from being merged and released? Would be happy to help if I can.

@jeff-hiner
Copy link
Author

jeff-hiner commented Mar 28, 2023

Bump?

@adrianbenavides adrianbenavides mentioned this pull request Apr 25, 2023
Merged
@adrianbenavides
Copy link

adrianbenavides commented Apr 25, 2023

Any update on this @kevinhoffman? Would be awesome to have this so we can use this crate in projects where we enforce cargo deny passing.

@keehun
Copy link

keehun commented Oct 9, 2023

I want to ➕ what others' have been asking for: any update on getting this merged?

aw-cf
aw-cf reviewed Jan 31, 2024
View reviewed changes
src/lib.rs
fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
let now = Local::now();
self.write_with_datetime(buf, &now)
let now = OffsetDateTime::now_local().unwrap_or_else(|_| OffsetDateTime::now_utc());
Copy link

@aw-cf aw-cf Jan 31, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI: This change can introduce a memory leak due to time-rs/time#651

Copy link
Author

@jeff-hiner jeff-hiner Feb 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A mach ports leak is better than a segfault, but this is something best addressed via a PR to the num_threads crate.

Copy link

@aw-cf aw-cf Feb 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is called quite frequently and every call will leak at least numberOfThreads mach ports. This can easily accumulate to several GB of leaked memory for long-running processes like daemons.

It's also worth pointing out that OffsetDateTime::now_local() will always fail for macOS (unless the process is single threaded). Which makes this equivalent to let now = OffsetDateTime::now_utc(); (on Apple platforms).
It might make sense to consider rotating based on UTC instead of local time in general. This would save quite a few CPU cycles and it's what would happen on Apple platforms with the suggested code anyway.

Copy link
Author

@jeff-hiner jeff-hiner Feb 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think rotating on UTC is a totally acceptable solution. I'm happy to modify the PR, but I haven't heard anything from the maintainer in over a year so I'm not sure if the crate is still being maintained.

@pitdicker
Copy link

pitdicker commented Mar 13, 2024

Out of curiosity. Since version 0.4.30 chrono no longer depends on time 0.1 (https://github.com/chronotope/chrono/releases/tag/v0.4.30). And before that it didn't use the code that was vulnerable to RUSTSEC-2020-0071 since chrono 4.20.
Would this change still be needed?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@aw-cf aw-cf aw-cf left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@jeff-hiner @jssblck @adrianbenavides @keehun @pitdicker @aw-cf