Advisory for CVE-2025-31130 (weak SHA-1) in gix-features #2268
This adds a notice for CVE-2025-31130 (GHSA-2frx-2596-x5r6) in `gix-features`. Co-authored-by: Emily <hello@emily.moe>
I confirm that I agreed to release the advisory text under CC0 1.0 Universal. Thanks to @EliahKagan and @Byron for making handling this easy and enjoyable!
```toml
license = "CC0-1.0"

[affected.functions]
"gix_features::hash::bytes_with_hasher" = ["< 0.41.0"]
```
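Review bot: `affected.functions` lists only `gix_features::hash::bytes_with_hasher`, but the public wrappers in the same module that call into it (`bytes_of_file` and `bytes`, which a later revision of this PR adds) reach the same SHA-1 code path and should be listed with the same `["< 0.41.0"]` range, otherwise tooling that matches on call sites will miss downstream crates that only use the wrappers.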
Is there a reason not to list the other I/O hashing functions here? They all call into `bytes_with_hasher`, but then `bytes_with_hasher` calls into the methods on `Hasher` too.
Thanks--this is probably just an oversight on my part. I'll look at this shortly and try to improve it.
I've added `bytes_of_file` and `bytes`. I'm not sure why I had thought those shouldn't be listed in `affected.functions`, but you are correct that they should be: they are public functions in the affected crate that invoke the vulnerable functionality. Thanks again!
Since it was added in rustsec#2268, RUSTSEC-2025-0021 (CVE-2025-31130) has an entry in the GitHub Advisory Database. As planned in rustsec#2268, this adds the link to that global GHSA, as well as to the National Vulnerability Database entry for the CVE.
This adds a notice for CVE-2025-31130 (GHSA-2frx-2596-x5r6) in `gix-features`.

Although `gix-features` is usually used as a "knob" for adjusting features across `gix-*` crates, as well as being used internally:

`gix-features`.

`gix-features`.

My understanding is that the usual practice for RUSTSEC advisories in such a situation is to have only an advisory for that one crate, as in #1705 (comment). So this adds a RUSTSEC notice only for `gix-features`. (The published repository-local GHSA, and forthcoming global GHSA, are not limited to one affected crate per advisory, and accordingly list more crates.)

As in some past advisories, when a global GHSA is published, I can open another PR to add a reference to that.
cc @Byron @emilazy