gix-date Non-UTF-8 String Generation Vulnerability in TimeBuf Component
Vulnerability
A vulnerability exists in the gix-date library, in the function gix_date::parse::TimeBuf::as_str. This function can return strings that contain invalid (non-UTF-8) bytes, violating the safety invariant of the TimeBuf component. Processing these malformed strings can cause undefined behavior, potentially leading to application crashes or other unexpected issues.
Impact
Exploitation of this vulnerability can corrupt data in memory, disrupt application stability, and cause crashes in software that uses the gix-date library.
Reproduction
The vulnerability can be reproduced by writing non-UTF-8 bytes into a TimeBuf instance. Once the invalid data has been written, calling the as_str() method returns a string that includes the non-UTF-8 bytes. This demonstrates the violation of the safety invariant: the TimeBuf component is supposed to ensure that its string representation is always valid UTF-8.
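
The invariant violation described above, as an added example that is not gix-date's code: DateBuf is a hypothetical stand-in type, assumed to accept raw bytes through std::io::Write and to expose them as &str. It places an unchecked accessor beside a validating one, using constructed inputs.

```rust
use std::io::{self, Write};
use std::str::{self, Utf8Error};

/// Hypothetical stand-in for a date-formatting buffer (not gix-date's TimeBuf).
#[derive(Default)]
pub struct DateBuf {
    bytes: Vec<u8>,
}

impl Write for DateBuf {
    // A generic byte sink: any caller can push arbitrary bytes, valid UTF-8 or not.
    fn write(&mut self, data: &[u8]) -> io::Result<usize> {
        self.bytes.extend_from_slice(data);
        Ok(data.len())
    }
    fn flush(&mut self) -> io::Result<()> {
        Ok(())
    }
}

impl DateBuf {
    /// Unsound pattern: a safe signature resting on an invariant `write` never enforces.
    /// Calling this after non-UTF-8 bytes were written is undefined behavior.
    pub fn as_str_unchecked(&self) -> &str {
        unsafe { str::from_utf8_unchecked(&self.bytes) }
    }

    /// Hardened accessor: validates the bytes and reports where validity ends.
    pub fn as_str(&self) -> Result<&str, Utf8Error> {
        str::from_utf8(&self.bytes)
    }
}

fn main() {
    // Constructed inputs: a well-formed timestamp, then one digit plus two stray bytes.
    let mut good = DateBuf::default();
    good.write_all(b"1700000000 +0000").unwrap();
    // Sound here only because the bytes written above are plain ASCII.
    assert_eq!(good.as_str_unchecked(), "1700000000 +0000");
    assert_eq!(good.as_str().unwrap(), "1700000000 +0000");

    let mut bad = DateBuf::default();
    bad.write_all(&[b'1', 0xff, 0xfe]).unwrap();
    let err = bad.as_str().unwrap_err();
    println!("rejected: invalid UTF-8 after {} valid byte(s)", err.valid_up_to());
}
```

The unchecked accessor is never called on the invalid buffer, because doing so is the undefined behavior the advisory describes.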
Remediation
Users can upgrade to gix-date version 0.12.0 or later, where this vulnerability has been fixed.
