[Pkg-rust-maintainers] Bug#1124687: rust-gix-date: RUSTSEC-2025-0140

Salvatore Bonaccorso carnil at debian.org
Sat Feb 14 14:25:46 GMT 2026


Hi Fabian,

On Sat, Feb 14, 2026 at 10:40:49AM +0100, Fabian Grünbichler wrote:
> On Mon, 05 Jan 2026 17:38:15 +0100 Salvatore Bonaccorso <carnil at debian.org> wrote:
> > Source: rust-gix-date
> > Version: 0.9.3-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://github.com/GitoxideLabs/gitoxide/issues/2305
> > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> > 
> > Hi
> > 
> > From https://rustsec.org/advisories/RUSTSEC-2025-0140.html:
> > | The function gix_date::parse::TimeBuf::as_str can create an illegal
> > | string containing non-utf8 characters. This violates the safety
> > | invariant of TimeBuf and can lead to undefined behavior when consuming
> > | the string.
> > |
> > | The bug can be prevented by adding str::from_utf8 to the function
> > | TimeBuf::write.
> 
> FWIW, upstream considers this a non-issue within the reference frame of
> gitoxide[0], for which this crate was packaged (it's used by cargo). As such,
> I think we can wait for the upgrade to 0.12 to happen naturally (which
> will still take a bit), and not consider this issue important.
> 
> If you disagree, and want the Rust team to evaluate backporting the fix,
> please say so!

Yes, sounds good, thank you. FWIW, we marked it no-dsa for trixie as
well.

Regards,
Salvatore
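To make the bug class in the quoted advisory concrete (a fixed-capacity text buffer whose byte-wise write can split a multi-byte character, so that an unchecked `as_str` would hand out non-UTF-8 bytes as a `&str`), here is a constructed Rust example placed after the thread; it is not gix-date's own code, and the 8-byte capacity, method names and sample input are assumptions.

```rust
use std::fmt::{self, Write};

/// Fixed-capacity text buffer in the spirit of the struct the advisory
/// describes (constructed illustration, not gix-date's actual TimeBuf).
/// Safety invariant: `buf[..len]` must always be valid UTF-8.
pub struct TimeBuf {
    buf: [u8; 8], // assumed capacity, small enough to hit the edge easily
    len: usize,
}

impl TimeBuf {
    pub fn new() -> Self {
        TimeBuf { buf: [0; 8], len: 0 }
    }

    /// The buggy write: copies as many bytes as fit, so a multi-byte
    /// character straddling the capacity boundary is cut in half and the
    /// UTF-8 invariant silently breaks.
    pub fn write_truncating(&mut self, s: &str) {
        let room = self.buf.len() - self.len;
        let n = s.len().min(room);
        self.buf[self.len..self.len + n].copy_from_slice(&s.as_bytes()[..n]);
        self.len += n;
    }

    /// The hardened write: run `str::from_utf8` over the bytes that would
    /// be stored (the check the advisory recommends) and refuse the write
    /// instead of committing a partial character.
    pub fn write_checked(&mut self, s: &str) -> fmt::Result {
        let room = self.buf.len() - self.len;
        let n = s.len().min(room);
        let prefix = std::str::from_utf8(&s.as_bytes()[..n]).map_err(|_| fmt::Error)?;
        self.buf[self.len..self.len + n].copy_from_slice(prefix.as_bytes());
        self.len += n;
        Ok(())
    }

    /// Safe accessor: validates instead of using `from_utf8_unchecked`, so a
    /// violated invariant shows up as `None` rather than undefined behaviour.
    pub fn as_str(&self) -> Option<&str> {
        std::str::from_utf8(&self.buf[..self.len]).ok()
    }
}

impl Write for TimeBuf {
    fn write_str(&mut self, s: &str) -> fmt::Result {
        self.write_checked(s)
    }
}
```

With the `Write` impl in place, `write!(buf, "{}", value)` returns `Err(fmt::Error)` instead of storing a half character, so callers see the overflow where it happens.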