GHSA-cqpr-pcm7-m3jc: Potential segfault in `localtime_r` invocations

June 16, 2022 (updated August 4, 2022)

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user’s knowledge, notably in a third-party library.

References

github.com/advisories/GHSA-cqpr-pcm7-m3jc
github.com/chronotope/chrono
github.com/chronotope/chrono/issues/499
github.com/time-rs/time/issues/293
rustsec.org/advisories/RUSTSEC-2020-0159.html

Code Behaviors & Features

Detect and mitigate GHSA-cqpr-pcm7-m3jc with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →