#1124687 rust-gix-date: RUSTSEC-2025-0140

Package:
src:rust-gix-date
Source:
src:rust-gix-date
Submitter:
Salvatore Bonaccorso
Date:
2026-02-14 14:27:02 UTC
Severity:
normal
#1124687#5
Date:
2026-01-05 16:38:15 UTC
Hi

From https://rustsec.org/advisories/RUSTSEC-2025-0140.html:
| The function gix_date::parse::TimeBuf::as_str can create an illegal
| string containing non-utf8 characters. This violates the safety
| invariant of TimeBuf and can lead to undefined behavior when consuming
| the string.
|
| The bug can be prevented by adding str::from_utf8 to the function
| TimeBuf::write.

https://github.com/GitoxideLabs/gitoxide/issues/2305

Regards,
Salvatore
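
The mitigation the advisory names (validate with str::from_utf8 at write time so that as_str can rely on the invariant), as an added example that is not part of the message above and is not gix-date's code. `CheckedBuf` and `demo` are hypothetical names, and the sample bytes are constructed.

```rust
use std::io::{self, Write};

/// Hypothetical stand-in for a byte buffer whose `as_str` depends on a
/// "contents are always valid UTF-8" invariant. Not the gix-date type.
#[derive(Default)]
pub struct CheckedBuf {
    buf: Vec<u8>, // private: the only way to add bytes is `Write::write`
}

impl CheckedBuf {
    pub fn as_str(&self) -> &str {
        // SAFETY: `write` rejects every chunk that is not valid UTF-8, and the
        // concatenation of valid UTF-8 chunks is itself valid UTF-8.
        unsafe { std::str::from_utf8_unchecked(&self.buf) }
    }
}

impl Write for CheckedBuf {
    fn write(&mut self, data: &[u8]) -> io::Result<usize> {
        // Validate before appending, so a rejected chunk leaves `buf` untouched.
        // Per-chunk validation is conservative: a multi-byte character split
        // across two writes is refused rather than stitched together.
        std::str::from_utf8(data)
            .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?;
        self.buf.extend_from_slice(data);
        Ok(data.len())
    }

    fn flush(&mut self) -> io::Result<()> {
        Ok(())
    }
}

/// Writes a constructed timestamp string, then constructed invalid bytes.
/// Returns whether the invalid write was rejected and the resulting contents.
pub fn demo() -> (bool, String) {
    let mut b = CheckedBuf::default();
    b.write_all(b"1767631095 +0100").expect("ASCII is valid UTF-8");
    let rejected = b.write_all(&[0xff, 0xfe]).is_err(); // never valid UTF-8
    (rejected, b.as_str().to_owned())
}

fn main() {
    let (rejected, contents) = demo();
    println!("invalid write rejected: {rejected}, contents: {contents:?}");
}
```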

#1124687#12
Date:
2026-02-14 09:40:49 UTC
FWIW, upstream considers this a non-issue within the reference frame of
gitoxide[0], for which this crate was packaged (it's used by cargo). As such,
I think we can wait for the upgrade to 0.12 to happen naturally (which
will still take a bit), and not consider this issue important.

If you disagree, and want the Rust team to evaluate backporting the fix,
please say so!

Thanks,
Fabian

0: https://github.com/GitoxideLabs/gitoxide/issues/2305#issuecomment-3717598012

#1124687#17
Date:
2026-02-14 14:25:46 UTC
Hi Fabian,

Yes sounds good, thank you. FWIW, we marked it as well no-dsa for
trixie.

Regards,
Salvatore