PT-2020-16364 · Rust · Time

Quininer · Published 2020-11-10 · Updated 2022-02-11 · CVE-2020-26235

CVSS v3.1: 6.2 (Medium)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

time versions 0.2.7 through 0.2.22
time version 0.1

Description

On Unix-like operating systems, a process may segfault by dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the one calling the affected functions. The affected functions are time::UtcOffset::local_offset_at, time::UtcOffset::try_local_offset_at, time::UtcOffset::current_local_offset, time::UtcOffset::try_current_local_offset, time::OffsetDateTime::now_local, and time::OffsetDateTime::try_now_local. Non-Unix targets, including Windows and wasm, are unaffected.

Recommendations

For time versions 0.2.7 through 0.2.22, run cargo update to pull in the updated, unaffected code. For time version 0.1, upgrade to an unaffected version: time 0.2.23 or later, or the 0.3 series. As a temporary workaround, ensure that the program has only one running thread at the time any affected method is called. Binary authors may also ensure that no other thread is actively mutating the environment. A possible workaround for crates affected through the transitive dependency in chrono is to avoid the default oldtime feature of the chrono crate by disabling its default features and manually specifying the required features instead.
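To check a project for the affected dependency versions listed above, an added example in Rust (not code from the advisory or from the time crate): it walks the `[[package]]` blocks of a Cargo.lock and flags every `time` entry in an affected range. The Cargo.lock excerpt is constructed for a hypothetical project.

```rust
// Added example, not code from the advisory or the time crate: scan Cargo.lock
// text for `time` versions in the affected ranges (0.1.x, 0.2.7 through 0.2.22).
// A 0.1.x entry is typically chrono's transitive `oldtime` dependency.

fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut it = v.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// True if this `time` crate version is in an affected range (CVE-2020-26235).
pub fn is_affected_time_version(v: &str) -> bool {
    match parse_version(v) {
        Some((0, 1, _)) => true,
        Some((0, 2, patch)) => (7..=22).contains(&patch),
        _ => false,
    }
}

/// Walks `[[package]]` blocks of a Cargo.lock and returns every affected `time`
/// version found (a lockfile may list several copies of the crate).
pub fn affected_time_in_lockfile(lock: &str) -> Vec<String> {
    let mut found = Vec::new();
    let mut name: Option<&str> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None; // new block: forget the previous package name
        } else if let Some(n) = line.strip_prefix("name = ") {
            name = Some(n.trim_matches('"'));
        } else if let Some(v) = line.strip_prefix("version = ") {
            let v = v.trim_matches('"');
            if name == Some("time") && is_affected_time_version(v) {
                found.push(v.to_string());
            }
        }
    }
    found
}

/// Constructed Cargo.lock excerpt (hypothetical project) used for illustration.
pub const SAMPLE_LOCK: &str = "[[package]]\nname = \"chrono\"\nversion = \"0.4.19\"\n\
[[package]]\nname = \"time\"\nversion = \"0.1.44\"\n\
[[package]]\nname = \"time\"\nversion = \"0.2.16\"\n\
[[package]]\nname = \"time\"\nversion = \"0.2.23\"\n";

fn main() {
    for v in affected_time_in_lockfile(SAMPLE_LOCK) {
        println!("affected dependency: time {}", v); // prints 0.1.44 and 0.2.16
    }
}
```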

Fix

Weakness Enumeration

NULL Pointer Dereference

Related Identifiers

CVE-2020-26235
GHSA-45W3-V3G4-54PM
GHSA-WCG3-CVX6-7396
OPENSUSE-SU-2024:12746-1
RUSTSEC-2020-0071
RUSTSEC-2020-0159

Affected Products

Time