- Package: src:rust-gix-date
- Source: src:rust-gix-date
- Submitter: Salvatore Bonaccorso
- Date: 2026-02-14 14:27:02 UTC
- Severity: normal
- Tags:

Hi

From https://rustsec.org/advisories/RUSTSEC-2025-0140.html:

| The function gix_date::parse::TimeBuf::as_str can create an illegal
| string containing non-utf8 characters. This violates the safety
| invariant of TimeBuf and can lead to undefined behavior when consuming
| the string.
|
| The bug can be prevented by adding str::from_utf8 to the function
| TimeBuf::write.

https://github.com/GitoxideLabs/gitoxide/issues/2305

Regards,
Salvatore
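
The invariant described in the quoted advisory, as an added example that is not part of this bug report and is not gix-date's code: `UncheckedBuf` and `CheckedBuf` are hypothetical model types, and the input bytes are constructed. It shows why a `write` that accepts arbitrary bytes lets safe callers break a "contents are UTF-8" invariant, and how validating with `str::from_utf8` in `write` makes an unchecked `as_str` sound.

```rust
use std::io::{self, ErrorKind, Write};
use std::str;

// Hypothetical model types for illustration, not gix-date's TimeBuf.
/// Pre-fix shape: `write` appends any bytes, so safe callers can break the
/// "contents are UTF-8" invariant that an unchecked `as_str` would rely on.
#[derive(Default)]
pub struct UncheckedBuf(Vec<u8>);
impl UncheckedBuf {
    pub fn invariant_holds(&self) -> bool { str::from_utf8(&self.0).is_ok() }
}

impl Write for UncheckedBuf {
    fn write(&mut self, data: &[u8]) -> io::Result<usize> {
        self.0.extend_from_slice(data);
        Ok(data.len())
    }
    fn flush(&mut self) -> io::Result<()> { Ok(()) }
}

/// Post-fix shape: `write` validates with `str::from_utf8` before appending.
#[derive(Default)]
pub struct CheckedBuf(Vec<u8>);
impl CheckedBuf {
    pub fn as_str(&self) -> &str {
        // SAFETY: `write` is the only mutation path and appends only valid
        // UTF-8 chunks; a concatenation of valid UTF-8 is valid UTF-8.
        unsafe { str::from_utf8_unchecked(&self.0) }
    }
}

impl Write for CheckedBuf {
    fn write(&mut self, data: &[u8]) -> io::Result<usize> {
        // Per-chunk validation also rejects a code point split across calls.
        str::from_utf8(data).map_err(|e| io::Error::new(ErrorKind::InvalidData, e))?;
        self.0.extend_from_slice(data);
        Ok(data.len())
    }
    fn flush(&mut self) -> io::Result<()> { Ok(()) }
}

fn main() {
    let mut bad = UncheckedBuf::default();
    bad.write_all(b"1735689600 +0000\xff").unwrap(); // constructed input
    let mut good = CheckedBuf::default();
    good.write_all(b"1735689600 +0000").unwrap();
    let rejected = good.write_all(b"\xff").is_err();
    println!("{} {:?} {}", bad.invariant_holds(), good.as_str(), rejected);
}
```
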

FWIW, upstream considers this a non-issue within the reference frame of
gitoxide[0], for which this crate was packaged (it's used by cargo).

As such, I think we can wait for the upgrade to 0.12 to happen naturally
(which will still take a bit), and not consider this issue important.

If you disagree, and want the Rust team to evaluate backporting the fix,
please say so!

Thanks,
Fabian

0: https://github.com/GitoxideLabs/gitoxide/issues/2305#issuecomment-3717598012

Hi Fabian,

Yes sounds good, thank you. FWIW, we marked it as well no-dsa for
trixie.

Regards,
Salvatore