CVE-2020-26235

Name: CVE-2020-26235
Description: In the Rust time crate from version 0.2.7 and before version 0.2.23, Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions. The affected functions are time::UtcOffset::local_offset_at, time::UtcOffset::try_local_offset_at, time::UtcOffset::current_local_offset, time::UtcOffset::try_current_local_offset, time::OffsetDateTime::now_local and time::OffsetDateTime::try_now_local. Non-Unix targets, including Windows and wasm, are unaffected. The issue was introduced in version 0.2.7 and fixed in version 0.2.23.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
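The dangling pointer in the description is the classic libc hazard behind local-time lookups: localtime_r reads TZ through getenv, and a concurrent setenv in another thread may free the string getenv handed out. The mitigation a user of an affected version wants is to resolve the local offset exactly once on the main thread, before any other thread exists, and let workers read the cached value. The following is an added example in std-only Rust; it is not code from the time crate, the advisory, or Debian. The FFI declaration assumes the struct tm layout of an LP64 Unix libc (glibc, musl or macOS) and a 64-bit time_t, and the names init_local_offset, local_offset, local_hms and valid_offset are this example's own.

```rust
// Added example (not time-crate code): resolve the local UTC offset once,
// single-threaded, then share the cached value with worker threads.
use std::ffi::{c_char, c_int, c_long};
use std::mem::MaybeUninit;
use std::sync::OnceLock;
use std::thread;
use std::time::{SystemTime, UNIX_EPOCH};

/// `struct tm` as laid out by glibc, musl and macOS libc on LP64 targets
/// (assumption of this example; not portable to other libcs).
#[repr(C)]
#[allow(dead_code)]
struct Tm {
    tm_sec: c_int,
    tm_min: c_int,
    tm_hour: c_int,
    tm_mday: c_int,
    tm_mon: c_int,
    tm_year: c_int,
    tm_wday: c_int,
    tm_yday: c_int,
    tm_isdst: c_int,
    tm_gmtoff: c_long,
    tm_zone: *const c_char,
}

extern "C" {
    // time_t is c_long on 64-bit Unix targets (assumption of this example).
    fn localtime_r(t: *const c_long, out: *mut Tm) -> *mut Tm;
}

/// UTC offset of the local zone at `unix_secs`, in seconds east of UTC.
///
/// # Safety
/// `localtime_r` consults `TZ` through `getenv`, and POSIX `setenv` may free
/// the string `getenv` returned. A thread calling `std::env::set_var` while
/// this runs can therefore leave libc dereferencing a dangling pointer, which
/// is the failure mode of CVE-2020-26235. The caller must guarantee that no
/// other thread mutates the environment concurrently; the simplest guarantee
/// is "no other thread exists yet".
unsafe fn local_offset_unchecked(unix_secs: i64) -> Option<i32> {
    let t: c_long = unix_secs as c_long;
    let mut tm = MaybeUninit::<Tm>::uninit();
    if localtime_r(&t, tm.as_mut_ptr()).is_null() {
        return None; // libc could not convert the timestamp
    }
    Some(tm.assume_init().tm_gmtoff as i32)
}

static LOCAL_OFFSET: OnceLock<i32> = OnceLock::new();

/// Resolve and cache the current local offset. Call from the main thread
/// before spawning any thread; later calls just return the cached value.
pub fn init_local_offset() -> Option<i32> {
    if let Some(off) = LOCAL_OFFSET.get() {
        return Some(*off);
    }
    let now = SystemTime::now().duration_since(UNIX_EPOCH).ok()?.as_secs() as i64;
    // SAFETY: contract documented above; the process is single-threaded here.
    let off = unsafe { local_offset_unchecked(now) }?;
    Some(*LOCAL_OFFSET.get_or_init(|| off))
}

/// What worker threads use: never touches libc, so a concurrent
/// `set_var` elsewhere cannot reach a dangling pointer through this path.
pub fn local_offset() -> Option<i32> {
    LOCAL_OFFSET.get().copied()
}

/// Sanity bound: real zones lie within UTC-12:00..UTC+14:00.
pub fn valid_offset(offset_secs: i32) -> bool {
    offset_secs.abs() <= 14 * 3600
}

/// Apply a cached offset to a Unix timestamp and return local (h, m, s).
pub fn local_hms(unix_secs: i64, offset_secs: i32) -> (u8, u8, u8) {
    let secs_of_day = (unix_secs + offset_secs as i64).rem_euclid(86_400);
    (
        (secs_of_day / 3600) as u8,
        ((secs_of_day % 3600) / 60) as u8,
        (secs_of_day % 60) as u8,
    )
}

fn main() {
    let off = init_local_offset().expect("local zone unavailable");
    assert!(valid_offset(off));
    // Workers only read the cache; none of them calls localtime_r.
    let workers: Vec<_> = (0..4i64)
        .map(|i| {
            thread::spawn(move || {
                let off = local_offset().expect("initialised before spawn");
                let (h, m, s) = local_hms(i * 3600, off);
                println!("worker {}: {:02}:{:02}:{:02} (offset {}s)", i, h, m, s, off);
            })
        })
        .collect();
    // Mutating the environment is now harmless for this code path. (set_var
    // is unsafe in the 2024 edition; the block is merely redundant earlier.)
    unsafe { std::env::set_var("APP_STARTED", "1") };
    for w in workers {
        w.join().unwrap();
    }
}
```

The same discipline applies to the fixed crate versions: the deprecated functions listed in the description should be called, if at all, before the process goes multi-threaded. cargo audit reports RUSTSEC-2020-0071 for a Cargo.lock that pins time 0.2.7 through 0.2.22, which is the quickest way to check a dependency tree.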

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release          | Version  | Status
rust-time (PTS) | buster, bullseye | 0.1.42-1 | fixed
rust-time (PTS) | bookworm         | 0.3.9-1  | fixed
rust-time (PTS) | sid, trixie      | 0.3.31-1 | fixed

The information below is based on the following data on fixed versions.

Package   | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs
rust-time | source | (unstable) | (not affected) |         |        |

Notes

- rust-time <not-affected> (Vulnerable methods introduced in v0.2.7)
https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396
https://rustsec.org/advisories/RUSTSEC-2020-0071.html
https://github.com/time-rs/time/issues/293
Introduced by: https://github.com/time-rs/time/commit/5f1c4927124fefbd8d2886f83a574beb381411e9 (v0.2.7)
Deprecated in: https://github.com/time-rs/time/commit/f153a1ca5fdfec979f16c49619e6034cc67e186d (v0.2.23)
