This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate may

Dependencies

(12 total, 7 outdated, 1 insecure, 3 possibly insecure)

CrateRequiredLatestStatus
 crossbeam^0.70.8.4out of date
 generator ⚠️^0.60.8.1out of date
 libc^0.20.2.153up to date
 log^0.40.4.21up to date
 may_queue ⚠️^0.10.1.22insecure
 miow^0.30.6.0out of date
 nix^0.140.28.0out of date
 num_cpus^1.101.16.0up to date
 smallvec ⚠️^0.61.13.2out of date
 socket2^0.30.5.6out of date
 time ⚠️^0.10.3.34out of date
 winapi^0.30.3.9up to date

Dev dependencies

(8 total, 2 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 bytes^0.41.6.0out of date
 docopt^1.01.1.1up to date
 httparse^1.11.8.0up to date
 native-tls^0.20.2.11up to date
 serde^1.01.0.197up to date
 serde_derive^1.01.0.197up to date
 tempdir^0.30.3.7up to date
 tungstenite ⚠️^0.80.21.0out of date

Security Vulnerabilities

time: Potential segfault in the time crate

RUSTSEC-2020-0071

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

The affected functions from time 0.2.7 through 0.2.22 are:

  • time::UtcOffset::local_offset_at
  • time::UtcOffset::try_local_offset_at
  • time::UtcOffset::current_local_offset
  • time::UtcOffset::try_current_local_offset
  • time::OffsetDateTime::now_local
  • time::OffsetDateTime::try_now_local

The affected functions in time 0.1 (all versions) are:

  • at
  • at_utc
  • now

Non-Unix targets (including Windows and wasm) are unaffected.

Patches

Pending a proper fix, the internal method that determines the local offset has been modified to always return None on the affected operating systems. This has the effect of returning an Err on the try_* methods and UTC on the non-try_* methods.

Users and library authors with time in their dependency tree should perform cargo update, which will pull in the updated, unaffected code.

Users of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.

Workarounds

A possible workaround for crates affected through the transitive dependency in chrono, is to avoid using the default oldtime feature dependency of the chrono crate by disabling its default-features and manually specifying the required features instead.

Examples:

Cargo.toml:

chrono = { version = "0.4", default-features = false, features = ["serde"] }
chrono = { version = "0.4.22", default-features = false, features = ["clock"] }

Commandline:

cargo add chrono --no-default-features -F clock

Sources:

may_queue: may_queue's Queue lacks Send/Sync bound for its Send/Sync trait.

RUSTSEC-2020-0111

Affected versions of may_queue implements Send/Sync for its Queue type without restricting it to Sendable types and Syncable types.

This allows non-Sync types such as Cell to be shared across threads leading to undefined behavior and memory corruption in concurrent programs.

generator: Generators can cause data races if non-Send types are used in their generator functions

RUSTSEC-2020-0151

The Generator type is an iterable which uses a generator function that yields values. In affected versions of the crate, the provided function yielding values had no Send bounds despite the Generator itself implementing Send.

The generator function lacking a Send bound means that types that are dangerous to send across threads such as Rc could be sent as part of a generator, potentially leading to data races.

This flaw was fixed in commit f7d120a3b by enforcing that the generator function be bound by Send.

smallvec: Buffer overflow in SmallVec::insert_many

RUSTSEC-2021-0003

A bug in the SmallVec::insert_many method caused it to allocate a buffer that was smaller than needed. It then wrote past the end of the buffer, causing a buffer overflow and memory corruption on the heap.

This bug was only triggered if the iterator passed to insert_many yielded more items than the lower bound returned from its size_hint method.

The flaw was corrected in smallvec 0.6.14 and 1.6.1, by ensuring that additional space is always reserved for each item inserted. The fix also simplified the implementation of insert_many to use less unsafe code, so it is easier to verify its correctness.

Thank you to Yechan Bae (@Qwaz) and the Rust group at Georgia Tech’s SSLab for finding and reporting this bug.

tungstenite: Tungstenite allows remote attackers to cause a denial of service

RUSTSEC-2023-0065

The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes).