Debian Rust Security Tracker 🩺🦀

RUSTSEC-2025-0140: Non-utf8 String can be created with `TimeBuf::as_str`

2 affected
Crate
gix-date
Patched Versions
>=0.12.0
Debian Version
0.15.3-1
Issued
2025-12-29
Aliases
CVE-2026-0810
GHSA-6mw6-mj76-grwc
Patched:Affected

The function gix_date::parse::TimeBuf::as_str can create an illegal string containing non-utf8 characters. This violates the safety invariant of TimeBuf and can lead to undefined behavior when consuming the string.

The bug can be prevented by adding str::from_utf8 to the function TimeBuf::write.

Affected Packages

gix-date 0.10.7 cargo-c 0.10.16-2+b1
gix-date 0.10.7 cargo-outdated 0.19.0-1+b1