erglabs / commondatalayer Goto Github PK

Potential segfault in the time crate

Details
Package	time
Version	0.1.43
URL	time-rs/time#293
Date	2020-11-18
Patched versions	>=0.2.23
Unaffected versions	=0.2.0,=0.2.1,=0.2.2,=0.2.3,=0.2.4,=0.2.5,=0.2.6

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

The affected functions from time 0.2.7 through 0.2.22 are:

• time::UtcOffset::local_offset_at
• time::UtcOffset::try_local_offset_at
• time::UtcOffset::current_local_offset
• time::UtcOffset::try_current_local_offset
• time::OffsetDateTime::now_local
• time::OffsetDateTime::try_now_local

The affected functions in time 0.1 (all versions) are:

• at
• at_utc
• now

Non-Unix targets (including Windows and wasm) are unaffected.

Patches

Pending a proper fix, the internal method that determines the local offset has been modified to always return None on the affected operating systems. This has the effect of returning an Err on the try_* methods and UTC on the non-try_* methods.

Users and library authors with time in their dependency tree should perform cargo update, which will pull in the updated, unaffected code.

Users of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.

Workarounds

No workarounds are known.

See advisory page for additional details.

Use after free in lru crate

Details
Package	lru
Version	0.6.6
URL	jeromefroe/lru-rs#120
Date	2021-12-21
Patched versions	>=0.7.1

Lru crate has use after free vulnerability.

Lru crate has two functions for getting an iterator. Both iterators give
references to key and value. Calling specific functions, like pop(), will remove
and free the value, and but it's still possible to access the reference of value
which is already dropped causing use after free.

See advisory page for additional details.

ansi_term is Unmaintained

Details
Status	unmaintained
Package	ansi_term
Version	0.12.1
URL	ogham/rust-ansi-term#72
Date	2021-08-18

The maintainer has adviced that this crate is deprecated and will not receive any maintenance.

The crate does not seem to have much dependencies and may or may not be ok to use as-is.

Last release seems to have been three years ago.

Possible Alternative(s)

The below list has not been vetted in any way and may or may not contain alternatives;

• anstyle
• console
• nu-ansi-term
• owo-colors
• yansi

Dependency Specific Migration(s)

• structopt, clap2

See advisory page for additional details.

Cache<K>: Send/Sync impls needs trait bounds on K

Details
Package	cache
Version	0.1.0
URL	https://github.com/krl/cache/issues/1
Date	2020-11-24

Affected versions of this crate unconditionally implement Send/Sync for Cache<K>.
This allows users to insert K that is not Send or not Sync.

This allows users to create data races by using non-Send types like Arc<Cell<T>> or Rc<T> as K in Cache<K>. It is also possible to create data races by using types like Cell<T> or RefCell<T> (types that are Send but not Sync).
Such data races can lead to memory corruption.

See advisory page for additional details.

Denial of service on deeply nested fragment requests

Details
Package	async-graphql
Version	2.11.3
URL	async-graphql/async-graphql@521769b
Date	2022-07-21
Patched versions	>=4.0.6

Deeply nested fragments in a GraphQL request may cause a stack overflow in the server.

See advisory page for additional details.

dotenv is Unmaintained

Details
Status	unmaintained
Package	dotenv
Version	0.15.0
URL	dotenv-rs/dotenv#74
Date	2021-12-24

dotenv by description is meant to be used in development or testing only.

Using this in production may or may not be advisable.

Alternatives

The below may or may not be feasible alternative(s):

• dotenvy

See advisory page for additional details.