On Mon, 05 Jan 2026 17:38:15 +0100 Salvatore Bonaccorso <[email protected]> wrote:
> Source: rust-gix-date
> Version: 0.9.3-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/GitoxideLabs/gitoxide/issues/2305
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
>
> Hi
>
> From https://rustsec.org/advisories/RUSTSEC-2025-0140.html:
> | The function gix_date::parse::TimeBuf::as_str can create an illegal
> | string containing non-utf8 characters. This violates the safety
> | invariant of TimeBuf and can lead to undefined behavior when consuming
> | the string.
> |
> | The bug can be prevented by adding str::from_utf8 to the function
> | TimeBuf::write.
FWIW, upstream considers this a non-issue within the reference frame of gitoxide[0], for which this crate was packaged (it's used by cargo). As such, I think we can wait for the upgrade to 0.12 to happen naturally (which will still take a bit), and not consider this issue important.

If you disagree, and want the Rust team to evaluate backporting the fix, please say so!

Thanks,
Fabian

0: https://github.com/GitoxideLabs/gitoxide/issues/2305#issuecomment-3717598012
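Added example, not code from gix-date, gitoxide or this bug thread: a TimeBuf-like fixed-capacity buffer whose `as_str` hands out `&str` via `from_utf8_unchecked`, shown with a write path that lets non-UTF-8 bytes in (the bug class the advisory quoted above describes) and a write path that enforces the invariant with `str::from_utf8` (the fix the advisory names). The struct layout, capacity, method names `write_unvalidated`/`write`/`try_as_str`, the `WriteError` type and the sample input are all assumptions made for illustration; nothing here is the real gix-date implementation.

```rust
// Added example (not gix-date's own code). Layout, capacity, names and the
// error type are assumptions; only the bug shape (unchecked as_str over a
// byte buffer that write can fill with non-UTF-8) and the fix (str::from_utf8
// in write) follow the advisory text.
use std::str::{self, Utf8Error};

const CAP: usize = 32;

#[derive(Debug, PartialEq)]
pub enum WriteError {
    /// Input did not fit; nothing was written (never a partial, mid-character copy).
    Full,
    /// Input was not valid UTF-8; nothing was written.
    NotUtf8(Utf8Error),
}

pub struct TimeBuf {
    bytes: [u8; CAP],
    len: usize,
}

impl TimeBuf {
    pub fn new() -> Self {
        TimeBuf { bytes: [0; CAP], len: 0 }
    }

    pub fn as_bytes(&self) -> &[u8] {
        &self.bytes[..self.len]
    }

    fn append(&mut self, input: &[u8]) -> Result<(), WriteError> {
        // Refuse rather than truncate: cutting a multi-byte character in half
        // would break the UTF-8 invariant even for valid input.
        if self.len + input.len() > CAP {
            return Err(WriteError::Full);
        }
        self.bytes[self.len..self.len + input.len()].copy_from_slice(input);
        self.len += input.len();
        Ok(())
    }

    /// Vulnerable write: accepts any bytes, so a later `as_str` can expose
    /// non-UTF-8 data as `&str`, which is undefined behaviour.
    pub fn write_unvalidated(&mut self, input: &[u8]) -> Result<(), WriteError> {
        self.append(input)
    }

    /// Fixed write: the `str::from_utf8` check the advisory asks for. Invalid
    /// input is rejected before it can reach the buffer.
    pub fn write(&mut self, input: &[u8]) -> Result<(), WriteError> {
        str::from_utf8(input).map_err(WriteError::NotUtf8)?;
        self.append(input)
    }

    /// Checked view: safe on any buffer state, useful as a debug assertion.
    pub fn try_as_str(&self) -> Result<&str, Utf8Error> {
        str::from_utf8(self.as_bytes())
    }

    /// SAFETY invariant: `bytes[..len]` is valid UTF-8. This only holds if
    /// every write went through `write`; `write_unvalidated` can break it.
    pub fn as_str(&self) -> &str {
        debug_assert!(self.try_as_str().is_ok(), "UTF-8 invariant violated");
        unsafe { str::from_utf8_unchecked(self.as_bytes()) }
    }
}

/// Constructed input: a date string with one 0xFF byte spliced in (32 bytes).
pub const BAD_INPUT: &[u8] = b"Mon, 05 Jan 2026 17:38:15 \xFF+0100";

/// True when the unvalidated path leaves non-UTF-8 in the buffer. The check
/// uses the safe `try_as_str`, so the broken invariant is observed without
/// ever calling the unsafe `as_str`.
pub fn unvalidated_breaks_invariant() -> bool {
    let mut buf = TimeBuf::new();
    buf.write_unvalidated(BAD_INPUT).expect("32 bytes fit in CAP");
    buf.try_as_str().is_err()
}

pub fn validated_rejects_bad_input() -> Result<(), WriteError> {
    let mut buf = TimeBuf::new();
    buf.write(BAD_INPUT)
}

pub fn validated_accepts_good_input() -> Result<String, WriteError> {
    let mut buf = TimeBuf::new();
    buf.write(b"Mon, 05 Jan 2026 17:38:15 +0100")?;
    Ok(buf.as_str().to_owned())
}

fn main() {
    println!("unvalidated path breaks invariant: {}", unvalidated_breaks_invariant());
    println!("validated path rejects bad input: {:?}", validated_rejects_bad_input());
    println!("validated path result: {:?}", validated_accepts_good_input());
}
```

Two points a reviewer of such a fix would check: the validation has to cover every path that can append to the buffer (a second, unvalidated entry point reintroduces the bug), and the buffer must never truncate, since chopping a multi-byte character at the capacity boundary breaks the invariant even when the input itself was valid. An alternative that removes the check entirely is to have the write method take `&str` instead of `&[u8]`, so the type system carries the UTF-8 guarantee.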

