Skip to content

iana-time-zone vulnerable to use after free in MacOS / iOS implementation

Moderate severity GitHub Reviewed Published Aug 30, 2022 to the GitHub Advisory Database • Updated Jan 12, 2023

Package

cargo iana-time-zone (Rust)

Affected versions

>= 0.1.43, < 0.1.45

Patched versions

0.1.45

Description

In iana-time-zone v0.1.43 a use-after-free bug in the MacOS / iOS implementation was introduced.

The copied system time zone was released before its name was copied.
If the system time zone was changed between the call of CFRelease and str::to_owned(),
random memory would be copied.

References

Published to the GitHub Advisory Database Aug 30, 2022
Reviewed Aug 30, 2022
Last updated Jan 12, 2023

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-3fg9-hcq5-vxrc

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.