
RUSTSEC-2020-0159: Potential segfault in localtime_r invocations #442

Closed
github-actions bot opened this issue Oct 19, 2021 · 4 comments
@github-actions (Contributor)

Potential segfault in localtime_r invocations

Details
Package: chrono
Version: 0.4.19
URL: chronotope/chrono#499
Date: 2020-11-10

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References

See advisory page for additional details.
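An added example in Rust, not code from the advisory, chrono, or this repository: it shows the defensive pattern of serialising every TZ write and every localtime_r call behind one process-wide lock, which removes the race for code routed through the wrapper. It assumes a C library whose struct tm begins with the nine standard int fields (glibc, musl, macOS) and a 64-bit time_t; it does not cover a third-party library calling setenv or localtime_r directly, which is why the advisory lists no workaround.

```rust
use std::ffi::{c_int, c_long};
use std::sync::Mutex;
extern "C" {
    // localtime_r(const time_t *, struct tm *); time_t assumed to be a C long
    fn localtime_r(timep: *const c_long, result: *mut c_int) -> *mut c_int;
    fn tzset();
}

/// One process-wide lock covers every TZ write and every localtime_r call,
/// so a conversion can never observe a TZ string that a setter is freeing.
static TZ_LOCK: Mutex<()> = Mutex::new(());

/// Change the process time zone (only for code that routes through here).
pub fn set_timezone(tz: &str) {
    let _guard = TZ_LOCK.lock().unwrap();
    // std::env::set_var also takes Rust's own environment lock; it is an
    // unsafe fn on edition 2024, hence the block (a harmless no-op earlier).
    unsafe { std::env::set_var("TZ", tz) };
    unsafe { tzset() }; // localtime_r does not re-read TZ on its own
}

/// Hour of day (0-23) of a Unix timestamp in the current process time zone.
pub fn local_hour(unix_ts: i64) -> i32 {
    let _guard = TZ_LOCK.lock().unwrap();
    let t = unix_ts as c_long;
    // Oversized, 8-byte-aligned stand-in for struct tm (glibc needs 56 bytes).
    let mut tm_buf = [0 as c_long; 16];
    let out = tm_buf.as_mut_ptr() as *mut c_int;
    let rc = unsafe { localtime_r(&t, out) };
    assert!(!rc.is_null(), "localtime_r failed");
    unsafe { *out.add(2) } // third int field of struct tm is tm_hour
}

fn main() {
    // Stress run: writers flip TZ while readers convert. Under the shared lock
    // this is race-free; without it, it is the pattern the advisory describes.
    let mut handles = Vec::new();
    for _ in 0..4 {
        handles.push(std::thread::spawn(|| for i in 0..2000 {
            assert!((0..24).contains(&local_hour(i * 3600)));
        }));
    }
    for tz in ["UTC", "EST5"] {
        handles.push(std::thread::spawn(move || for _ in 0..500 { set_timezone(tz) }));
    }
    for h in handles { h.join().unwrap(); }
    set_timezone("UTC");
    println!("hour of epoch 0 in UTC: {}", local_hour(0));
}
```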

@olivereanderson (Contributor)

Short status: The Bee team is currently in the process of moving from chrono to time where the issue is not present in the latest release according to this comment and we should be able to do the same.

Longer status on how we can mitigate this issue:
From this command: cargo tree -i chrono, we see that the external dependencies (of ours) that depend on that crate are bee and simple_asn1 v0.5.4. The latter has the following dependents that we use:
simple_asn1 v0.5.4
└── rsa v0.4.0
    └── libjose v0.1.0 (/home/oliveranderson/iota_foundation_code/identity.rs/libjose)
        └── identity-comm v0.4.0 (/home/oliveranderson/iota_foundation_code/identity.rs/identity-comm)
Now rsa v0.5.0 no longer depends on simple_asn1, and simple_asn1 v0.6.0 no longer depends on chrono; hence we believe that if the Bee team can move away from chrono, then so can we.

Longer status on where the Bee team is currently at with regards to this issue: The bee-common crate depends on jsonwebtoken, whose latest stable version currently depends on chrono. However, the Bee team has submitted a (now merged) PR to the aforementioned repository that changes that. Currently the Bee team is waiting a few more days to see if jsonwebtoken will release a new stable version without the chrono dependency, and they will make a decision on how to proceed further after that.

@olivereanderson (Contributor)

Update:
Progress is blocked by a transitive dependency on der 0.4 in rsa 0.5.0, which does not compile to wasm-32-unknown-unknown; this means that this branch (#517) cannot be merged as of now. This can be fixed either by rsa upgrading its dependencies, which will probably take some time (see RustCrypto/RSA#120), or by rustc improving its support for the wasm-32-unknown-unknown target (see the discussion in RustCrypto/formats#146).

@olivereanderson (Contributor)

olivereanderson commented Dec 2, 2021

Update: The Wasm compilation error in rsa 0.5.0 was fixed by der releasing 0.4.5 with a backported fix (RustCrypto/formats#146). Thanks RustCrypto for responding so fast!

We now need to migrate from chrono to time and the Bee team needs to do the same in order for this issue to be resolved.

@olivereanderson (Contributor)

olivereanderson commented Dec 9, 2021

Update: We are waiting for iota-client to update their dependencies, for which there is a PR. Once that is done we can merge #529, which will then (to the best of my knowledge) close this issue.
