{"id":"RUSTSEC-2020-0071","summary":"Potential segfault in the time crate","details":"### Impact\n\nThe affected functions set environment variables without synchronization. On Unix-like operating systems, this can crash in multithreaded programs. Programs may segfault due to dereferencing a dangling pointer if an environment variable is read in a different thread than the affected functions. This may occur without the user's knowledge, notably in the Rust standard library or third-party libraries.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `time::at_utc`\n- `time::at`\n- `time::now`\n- `time::tzset`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`:  \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline:  \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources:  \n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249)  \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)","aliases":["CVE-2020-26235","GHSA-wcg3-cvx6-7396"],"modified":"2026-02-04T02:31:56.682937Z","published":"2020-11-18T12:00:00Z","related":["RUSTSEC-2020-0159"],"database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/time"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2020-0071.html"},{"type":"REPORT","url":"https://github.com/time-rs/time/issues/293"}],"affected":[{"package":{"name":"time","ecosystem":"crates.io","purl":"pkg:cargo/time"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.2.0"},{"introduced":"0.2.1-0"},{"fixed":"0.2.1"},{"introduced":"0.2.2-0"},{"fixed":"0.2.2"},{"introduced":"0.2.3-0"},{"fixed":"0.2.3"},{"introduced":"0.2.4-0"},{"fixed":"0.2.4"},{"introduced":"0.2.5-0"},{"fixed":"0.2.5"},{"introduced":"0.2.6-0"},{"fixed":"0.2.6"},{"introduced":"0.2.7-0"},{"fixed":"0.2.23"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"os":["linux","redox","solaris","android","ios","macos","netbsd","openbsd","freebsd"],"arch":[],"functions":["time::OffsetDateTime::now_local","time::OffsetDateTime::try_now_local","time::UtcOffset::current_local_offset","time::UtcOffset::local_offset_at","time::UtcOffset::try_current_local_offset","time::UtcOffset::try_local_offset_at","time::at","time::at_utc","time::now"]}},"database_specific":{"categories":["code-execution","memory-corruption"],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json","cvss":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","informational":null}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}