[Pkg-rust-maintainers] Bug#1124687: rust-gix-date: RUSTSEC-2025-0140
Fabian Grünbichler
debian at fabian.gruenbichler.email
Sat Feb 14 09:40:49 GMT 2026
On Mon, 05 Jan 2026 17:38:15 +0100 Salvatore Bonaccorso <carnil at debian.org> wrote:
> Source: rust-gix-date
> Version: 0.9.3-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/GitoxideLabs/gitoxide/issues/2305
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>
> Hi
>
> From https://rustsec.org/advisories/RUSTSEC-2025-0140.html:
> | The function gix_date::parse::TimeBuf::as_str can create an illegal
> | string containing non-utf8 characters. This violates the safety
> | invariant of TimeBuf and can lead to undefined behavior when consuming
> | the string.
> |
> | The bug can be prevented by adding str::from_utf8 to the function
> | TimeBuf::write.
FWIW, upstream considers this a non-issue within the reference frame of
gitoxide[0], for which this crate was packaged (it's used by cargo). As such,
I think we can wait for the upgrade to 0.12 to happen naturally (which
will still take a bit), and not consider this issue important.
If you disagree, and want the Rust team to evaluate backporting the fix,
please say so!
Thanks,
Fabian
0: https://github.com/GitoxideLabs/gitoxide/issues/2305#issuecomment-3717598012
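To make the invariant the advisory describes concrete, here is an added sketch (hypothetical, not the gix-date crate's own `TimeBuf`): a fixed stack buffer whose `as_str` relies on its contents being UTF-8, with the unvalidated write path beside the fixed one that runs `str::from_utf8` at the write boundary. Struct shape, buffer size, error type and the sample date bytes are assumptions.

```rust
use std::str::{self, Utf8Error};

/// Hypothetical sketch, not gix-date's TimeBuf: a fixed stack buffer
/// whose safety invariant is "contents are valid UTF-8".
pub struct TimeBuf {
    buf: [u8; 64],
    len: usize,
}

#[derive(Debug, PartialEq)]
pub enum WriteError {
    TooLong,
    NotUtf8(Utf8Error),
}

impl TimeBuf {
    pub fn new() -> Self {
        TimeBuf { buf: [0; 64], len: 0 }
    }

    /// Vulnerable shape: copies whatever bytes it is given, so the UTF-8
    /// invariant that `as_str` depends on is never actually established.
    pub fn write_unvalidated(&mut self, bytes: &[u8]) -> Result<(), WriteError> {
        let end = self.len + bytes.len();
        if end > self.buf.len() {
            return Err(WriteError::TooLong);
        }
        self.buf[self.len..end].copy_from_slice(bytes);
        self.len = end;
        Ok(())
    }

    /// Fixed shape, as the advisory suggests: validate with `str::from_utf8`
    /// before storing. Validating each chunk is enough, because the
    /// concatenation of valid UTF-8 strings is itself valid UTF-8.
    pub fn write(&mut self, bytes: &[u8]) -> Result<(), WriteError> {
        str::from_utf8(bytes).map_err(WriteError::NotUtf8)?;
        self.write_unvalidated(bytes)
    }

    /// The advisory's `as_str` converts without checking, which is undefined
    /// behaviour over non-UTF-8 bytes; this sketch uses the checked form so a
    /// broken invariant is observable as an error instead of UB.
    pub fn as_str(&self) -> Result<&str, Utf8Error> {
        str::from_utf8(&self.buf[..self.len])
    }
}

fn main() {
    let mut t = TimeBuf::new(); // constructed sample: date text plus two stray bytes
    println!("{:?}", t.write(b"Sat Feb 14 09:40:49 2026 \xff\xfe").map(|_| t.as_str()));
}
```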