Non-utf8 String can be created with `TimeBuf::as_str`

[shinmao]

We consider that the function as_str can create a illegal string, which contains non-utf8 characters.

gitoxide/gix-date/src/parse/mod.rs

Lines 27 to 38 in a000a73

	impl TimeBuf {
	/// Represent this instance as standard string, serialized in a format compatible with
	/// signature fields in Git commits, also known as anything parseable as [raw format](function::parse_header()).
	pub fn as_str(&self) -> &str {
	// SAFETY: We know that serialized times are pure ASCII, a subset of UTF-8.
	// `buf` and `len` are written only by time-serialization code.
	let time_bytes = self.buf.as_slice();
	#[allow(unsafe_code)]
	unsafe {
	std::str::from_utf8_unchecked(time_bytes)
	}
	}

The reason is that TimeBuf implements the trait Write, which allows to write arbitrary bytes.

gitoxide/gix-date/src/parse/mod.rs

Lines 46 to 49 in a000a73

	impl std::io::Write for TimeBuf {
	fn write(&mut self, buf: &[u8]) -> std::io::Result<usize> {
	self.buf.write(buf)
	}

Following is a simple PoC to prove this reachable undefined behavior:

fn main() {
    let mut buf = TimeBuf::default();
    buf.write(&[0xff]).unwrap();
    println!("{}", buf.as_str()); // print �
}

Therefore, the safety invariant for TimeBuf mentioned at line 31 can be broken here.

[Byron]

Thanks a lot for reporting!

This is a critical issue and I want to get it fixed asap.

[shinmao]

Hi @Byron thanks for the response. Do you agree with me to submit the rustsec advisories with patched version for you?

[Byron]

Yes, please go ahead.

PS: CC @EliahKagan in case you haven't seen this, it's just an FYI.

[mfindra]

Hello,
Is there a CVE assigned for this issue? If not, we (Red Hat Product Security) can assign one.
Thanks

[Byron]

I am not aware of a CVE - please feel free to manage this. Also just in case: CC @EliahKagan .

[shinmao]

@mfindra Yes. I haven't applied apply CVE for it. I would appreciate it if there is one. Thanks.