VYPR
Moderate severity · NVD Advisory · Published Nov 24, 2020 · Updated Aug 4, 2024

Segmentation fault in Rust time crate

CVE-2020-26235

Description

In Rust time crate from version 0.2.7 and before version 0.2.23, unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions. The affected functions are time::UtcOffset::local_offset_at, time::UtcOffset::try_local_offset_at, time::UtcOffset::current_local_offset, time::UtcOffset::try_current_local_offset, time::OffsetDateTime::now_local and time::OffsetDateTime::try_now_local. Non-Unix targets are unaffected. This includes Windows and wasm. The issue was introduced in version 0.2.7 and fixed in version 0.2.23.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A dangling pointer in Rust's time crate (0.2.7–0.2.22) causes segfaults on Unix when an environment variable is set in another thread.

Vulnerability

The Rust time crate versions 0.2.7 through 0.2.22 contain a memory safety bug that can lead to a segfault on Unix-like operating systems. The issue arises from dereferencing a dangling pointer when the affected functions — time::UtcOffset::local_offset_at, time::UtcOffset::try_local_offset_at, time::UtcOffset::current_local_offset, time::UtcOffset::try_current_local_offset, time::OffsetDateTime::now_local, and time::OffsetDateTime::try_now_local — are called. Internally, these functions access environment variables, and if an environment variable is set by a different thread concurrently, the internal pointer may become invalid [1][2].

Exploitation

Exploitation requires the attacker or a third-party library to set any environment variable in a thread separate from the one calling an affected function. No special privileges or user interaction are needed beyond the presence of multi-threaded execution. The attack vector is local, meaning the attacker must already have code execution capability within the process [2][3]. Non-Unix targets, including Windows and WebAssembly, are unaffected because they do not implement the same internal mechanism [3].

Impact

Successful exploitation results in a segfault, causing a denial of service (availability impact). There is no confidentiality or integrity impact. The CVSS v3.1 score is 6.2 (Medium) with vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [2].

Mitigation

The vulnerability is fixed in time version 0.2.23 and later. Users of time 0.1 must upgrade to 0.2.23 or the 0.3 series, as no patch exists for 0.1. The recommended action is to run cargo update to pull in the patched version. A workaround is to ensure that only one thread runs when calling the affected functions and that no other thread modifies environment variables concurrently [3].
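As an added illustration of the workaround above (not code from the time crate or from this advisory): a process-wide reader/writer lock that serializes every environment write against any environment-dependent call, so a concurrent set cannot free memory another thread is still dereferencing. The `ENV_LOCK`, `set_env_guarded`, `with_env_read` and `run_demo` names and the TZ values are assumptions for the example; the read inside the closure is a plain std lookup standing in for an affected time 0.2 call, since only the standard library is used here.

```rust
use std::env;
use std::sync::{OnceLock, RwLock};
use std::thread;

// Process-wide reader/writer lock around the environment (assumed design).
// Code that reads the environment through a libc call (e.g. the affected time
// 0.2 functions, which consult TZ) takes the read side; code that mutates the
// environment takes the write side. The two can therefore never overlap.
static ENV_LOCK: OnceLock<RwLock<()>> = OnceLock::new();

fn env_lock() -> &'static RwLock<()> {
    ENV_LOCK.get_or_init(|| RwLock::new(()))
}

/// Set an environment variable with the write lock held.
pub fn set_env_guarded(key: &str, value: &str) {
    let _w = env_lock().write().unwrap();
    // SAFETY (for edition 2024): no other thread reads the environment while
    // the write lock is held, because every reader goes through with_env_read.
    unsafe { env::set_var(key, value) };
}

/// Run an environment-reading operation with the read lock held. The closure
/// is where a call such as `time::UtcOffset::current_local_offset()` would go.
pub fn with_env_read<R>(f: impl FnOnce() -> R) -> R {
    let _r = env_lock().read().unwrap();
    f()
}

/// Demonstration: one thread rewrites TZ repeatedly while another reads it.
/// Returns the number of reads that observed a well-formed value (all of them
/// when every access goes through the lock).
pub fn run_demo(iterations: usize) -> usize {
    let writer = thread::spawn(move || {
        for i in 0..iterations {
            let tz = if i % 2 == 0 { "UTC" } else { "Europe/Berlin" };
            set_env_guarded("TZ", tz);
        }
    });
    let mut consistent = 0;
    for _ in 0..iterations {
        let seen = with_env_read(|| env::var("TZ").ok());
        // None is possible only before the writer's first store.
        if matches!(seen.as_deref(), None | Some("UTC") | Some("Europe/Berlin")) {
            consistent += 1;
        }
    }
    writer.join().unwrap();
    consistent
}
```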

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions     Patched versions
time (crates.io)   >= 0.1.0, < 0.2.23    0.2.23
time (crates.io)   >= 0.2.7, < 0.2.23    0.2.23

Affected products: 14

Patches: 0 (no patches discovered yet)


References: 6
