[Pkg-rust-maintainers] Bug#1139958: rust-http-types: RUSTSEC-2026-0174: Authorization::value and WwwAuthenticate::value can violate ASCII invariants
Salvatore Bonaccorso
carnil at debian.org
Sun Jun 14 06:48:34 BST 2026
Source: rust-http-types
Version: 2.12.0-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/http-rs/http-types/issues/534
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
From https://rustsec.org/advisories/RUSTSEC-2026-0174.html
> Description
>
> Authorization::value uses HeaderValue::value with the claim that the
> internal string is ASCII, but Authorization::new and
> Authorization::set_credentials accept arbitrary String credentials
> without validation. As a result, safe code can construct a header
> value containing non-ASCII UTF-8 while the implementation assumes
> ASCII.
>
> WwwAuthenticate::new and WwwAuthenticate::set_realm similarly
> accept arbitrary String input, so WwwAuthenticate::value can also
> produce a header value that violates the crate’s documented ASCII
> invariants.
>
> This issue has not been confirmed as Undefined Behavior, but the
> unsafe justification in Authorization::value and
> WwwAuthenticate::value appears incorrect and can produce values
> outside the expected ASCII-only constraints.
>
> The http-types crate is unmaintained and the issue is unlikely to be
> fixed.
Given the last statement, this is more about tracking.
Can the package OTOH be worked towards being removed?
Regards,
Salvatore
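The pattern the advisory describes, reduced to a self-contained model as an added example (this is not http-types' own code, and the type and function names AsciiHeaderValue, Authorization, CheckedAuthorization, CheckedWwwAuthenticate and validate_field are assumptions chosen for illustration). The vulnerable model stores whatever String it is given and then justifies an unsafe unchecked constructor with an ASCII claim nothing enforced; the checked models validate scheme, credentials and realm at construction and in the setter, so value() can use the checked constructor and the invariant holds by construction. Because the input arrives as a String it is still valid UTF-8, which is why the violation shows up as a broken ASCII invariant rather than memory unsafety, consistent with the advisory's "not confirmed as Undefined Behavior".

```rust
use std::fmt;

/// A header value whose documented invariant is "ASCII only" (model, not http-types' type).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AsciiHeaderValue {
    inner: String,
}

/// Returned when a field contains a byte that must not appear in a header value.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct InvalidHeaderByte {
    pub field: &'static str,
    pub position: usize,
    pub byte: u8,
}

impl fmt::Display for InvalidHeaderByte {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}: byte 0x{:02x} at offset {} not allowed", self.field, self.byte, self.position)
    }
}

impl std::error::Error for InvalidHeaderByte {}

impl AsciiHeaderValue {
    /// Checked constructor: every byte must be ASCII.
    pub fn from_bytes(bytes: Vec<u8>) -> Result<Self, InvalidHeaderByte> {
        if let Some((position, &byte)) = bytes.iter().enumerate().find(|(_, b)| !b.is_ascii()) {
            return Err(InvalidHeaderByte { field: "header value", position, byte });
        }
        // SAFETY: all bytes were just checked to be ASCII, so the invariant holds.
        Ok(unsafe { Self::from_bytes_unchecked(bytes) })
    }

    /// Unchecked constructor. The caller promises that `bytes` is ASCII.
    pub unsafe fn from_bytes_unchecked(bytes: Vec<u8>) -> Self {
        // ASCII is valid UTF-8, so the promise, if kept, makes this sound.
        Self { inner: unsafe { String::from_utf8_unchecked(bytes) } }
    }

    pub fn as_str(&self) -> &str { &self.inner }

    /// Runtime check of the documented invariant, used here to expose the violation.
    pub fn is_ascii(&self) -> bool { self.inner.is_ascii() }
}

/// Vulnerable model: credentials are stored unvalidated and value() asserts ASCII anyway.
#[derive(Debug)]
pub struct Authorization { scheme: &'static str, credentials: String }

impl Authorization {
    pub fn new(scheme: &'static str, credentials: String) -> Self {
        Self { scheme, credentials } // no validation of `credentials`
    }
    pub fn value(&self) -> AsciiHeaderValue {
        let output = format!("{} {}", self.scheme, self.credentials);
        // SAFETY claim (incorrect): "scheme and credentials are ASCII" -- nothing enforced that.
        unsafe { AsciiHeaderValue::from_bytes_unchecked(output.into_bytes()) }
    }
}

/// Reject non-ASCII and ASCII control bytes (CR/LF would additionally allow header injection).
fn validate_field(field: &'static str, s: &str) -> Result<(), InvalidHeaderByte> {
    match s.bytes().enumerate().find(|(_, b)| !b.is_ascii() || b.is_ascii_control()) {
        Some((position, byte)) => Err(InvalidHeaderByte { field, position, byte }),
        None => Ok(()),
    }
}

/// Hardened model: validation at construction and in the setter, checked constructor in value().
#[derive(Debug)]
pub struct CheckedAuthorization { scheme: &'static str, credentials: String }

impl CheckedAuthorization {
    pub fn new(scheme: &'static str, credentials: String) -> Result<Self, InvalidHeaderByte> {
        validate_field("scheme", scheme)?;
        validate_field("credentials", &credentials)?;
        Ok(Self { scheme, credentials })
    }
    pub fn set_credentials(&mut self, credentials: String) -> Result<(), InvalidHeaderByte> {
        validate_field("credentials", &credentials)?;
        self.credentials = credentials;
        Ok(())
    }
    pub fn value(&self) -> AsciiHeaderValue {
        let output = format!("{} {}", self.scheme, self.credentials);
        AsciiHeaderValue::from_bytes(output.into_bytes()).expect("fields validated on construction")
    }
}

/// Same treatment for a WWW-Authenticate model; the realm sits inside a quoted-string,
/// so `"` and `\` are rejected outright rather than escaped.
#[derive(Debug)]
pub struct CheckedWwwAuthenticate { scheme: &'static str, realm: String }

impl CheckedWwwAuthenticate {
    pub fn new(scheme: &'static str, realm: String) -> Result<Self, InvalidHeaderByte> {
        validate_field("scheme", scheme)?;
        validate_field("realm", &realm)?;
        if let Some(position) = realm.bytes().position(|b| b == b'"' || b == b'\\') {
            return Err(InvalidHeaderByte { field: "realm", position, byte: realm.as_bytes()[position] });
        }
        Ok(Self { scheme, realm })
    }
    pub fn value(&self) -> AsciiHeaderValue {
        let output = format!("{} realm=\"{}\"", self.scheme, self.realm);
        AsciiHeaderValue::from_bytes(output.into_bytes()).expect("fields validated on construction")
    }
}

fn main() {
    // Constructed input: a credential string containing non-ASCII UTF-8.
    let bad = Authorization::new("Bearer", "tökén".to_string()).value();
    println!("vulnerable model: {:?} ascii={}", bad.as_str(), bad.is_ascii());
    match CheckedAuthorization::new("Bearer", "tökén".to_string()) {
        Ok(_) => println!("checked model unexpectedly accepted the input"),
        Err(e) => println!("checked model rejected it: {}", e),
    }
}
```

Running it prints the vulnerable model's value with ascii=false and the checked model's rejection at credentials offset 1 (the first byte of the two-byte "ö"). The design point is that an unsafe unchecked constructor is only sound when every path into the type that reaches it has already established the invariant; validating in new() and set_credentials() is what makes the SAFETY comment in value() true.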