Skip to content

Add advisory for potato: invalid UTF-8 from safe code via RefStr#2854

Open
yaokunzhang wants to merge 1 commit into
rustsec:mainfrom
yaokunzhang:advisory-potato
Open

Add advisory for potato: invalid UTF-8 from safe code via RefStr#2854
yaokunzhang wants to merge 1 commit into
rustsec:mainfrom
yaokunzhang:advisory-potato

Conversation

@yaokunzhang
Copy link
Copy Markdown
Contributor

@yaokunzhang yaokunzhang commented May 12, 2026

Affected crate(s)

  • potato (375 recent downloads on crates.io)

Links to upstream issue(s) or PR(s)

Severity

Undefined behavior via invalid UTF-8 construction from safe code. RefStr::from_slice() is declared safe but uses unsafe internals without validation. Combined with to_str(), this allows producing invalid &str from safe code, violating Rust's safety guarantees.

Checklist

  • Advisory filename starts with RUSTSEC-0000-0000 as the ID
  • date field is set to the public disclosure date
  • Contains a concise and descriptive title after advisory metadata
  • Asked maintainer(s) if publishing an advisory is appropriate

djc
djc reviewed May 13, 2026
View reviewed changes
Comment thread crates/potato/RUSTSEC-0000-0000.md
keywords = ["undefined-behavior", "utf-8"]

[versions]
patched = []
Copy link
Copy Markdown
Member

@djc djc May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like a fix has been released for this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@djc djc djc left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@yaokunzhang @djc