[Pkg-rust-maintainers] Bug#1103628: rust-gix-features: CVE-2025-31130 / RUSTSEC-2025-0021
Salvatore Bonaccorso
carnil at debian.org
Sat Apr 19 20:26:47 BST 2025
Source: rust-gix-features
Version: 0.39.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for rust-gix-features.
CVE-2025-31130[0]:
| gitoxide is an implementation of git written in Rust. Before 0.42.0,
| gitoxide uses SHA-1 hash implementations without any collision
| detection, leaving it vulnerable to hash collision attacks. gitoxide
| uses the sha1_smol or sha1 crate, both of which implement standard
| SHA-1 without any mitigations for collision attacks. This means that
| two distinct Git objects with colliding SHA-1 hashes would break the
| Git object model and integrity checks when used with gitoxide. This
| vulnerability is fixed in 0.42.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-31130
https://www.cve.org/CVERecord?id=CVE-2025-31130
[1] https://rustsec.org/advisories/RUSTSEC-2025-0021.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-rust-maintainers
mailing list