{"id":"RUSTSEC-2022-0049","summary":"Use after free in MacOS / iOS implementation","details":"In iana-time-zone v0.1.43 a use-after-free bug in the MacOS / iOS implementation was introduced.\n\nThe copied system time zone was released before its name was copied.\nIf the system time zone was changed between the call of `CFRelease` and `str::to_owned()`,\nrandom memory would be copied.","aliases":["GHSA-3fg9-hcq5-vxrc"],"modified":"2023-11-08T04:14:35.913675Z","published":"2022-08-15T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/iana-time-zone"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2022-0049.html"},{"type":"WEB","url":"https://github.com/strawlab/iana-time-zone/pull/54"},{"type":"WEB","url":"https://github.com/strawlab/iana-time-zone/pull/50#discussion_r945353515"}],"affected":[{"package":{"name":"iana-time-zone","ecosystem":"crates.io","purl":"pkg:cargo/iana-time-zone"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.1.43"},{"fixed":"0.1.45"}]}],"ecosystem_specific":{"affects":{"functions":["iana_time_zone::get_timezone"],"arch":[],"os":["ios","macos"]},"affected_functions":null},"database_specific":{"cvss":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0049.json","informational":"unsound","categories":["memory-exposure"]}}],"schema_version":"1.7.3"}