• Bug#1103628: rust-gix-features: CVE-2025-31130 / RUSTSEC-2025-0021

    From Salvatore Bonaccorso@21:1/5 to All on Sat Apr 19 21:40:01 2025
    Source: rust-gix-features
    Version: 0.39.1-1
    Severity: grave
    Tags: security upstream
    Justification: user security hole
    X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

    Hi,

    The following vulnerability was published for rust-gix-features.

    CVE-2025-31130[0]:
    | gitoxide is an implementation of git written in Rust. Before 0.42.0,
    | gitoxide uses SHA-1 hash implementations without any collision
    | detection, leaving it vulnerable to hash collision attacks. gitoxide
    | uses the sha1_smol or sha1 crate, both of which implement standard
    | SHA-1 without any mitigations for collision attacks. This means that
    | two distinct Git objects with colliding SHA-1 hashes would break the
    | Git object model and integrity checks when used with gitoxide. This
    | vulnerability is fixed in 0.42.0.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-31130
    https://www.cve.org/CVERecord?id=CVE-2025-31130
    [1] https://rustsec.org/advisories/RUSTSEC-2025-0021.html

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Debian Bug Tracking System@21:1/5 to All on Tue Apr 22 19:10:01 2025

    Your message dated Tue, 22 Apr 2025 17:05:55 +0000
    with message-id <[email protected]>
    and subject line Bug#1103628: fixed in rust-gix-features 0.39.1-2
    has caused the Debian Bug report #1103628,
    regarding rust-gix-features: CVE-2025-31130 / RUSTSEC-2025-0021
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact [email protected]
    immediately.)


    --
    1103628: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103628
    Debian Bug Tracking System
    Contact [email protected] with problems
