Commit 1a50df1

Small adjustments for advisory
This makes some minor changes to the advisory description to adapt the text from GitoxideLabs/gitoxide#1460 to be an advisory. For the most part it has remained the same. Changes:

* Express the claim of unsoundness with more confidence, since it has been reviewed by the maintainer.
* Modify the link to the affected code to point to the latest tag for gix-attributes that has that code. The original link was to a branch, so it was broken when the fix was applied.
* Apply inline code formatting in a few more places, where doing so improves stylistic consistency.

1 parent 083656c commit 1a50df1

1 file changed: +2 -2 lines changed

crates/gix-attributes/RUSTSEC-0000-0000.md

Lines changed: 2 additions & 2 deletions
@@ -12,12 +12,12 @@ patched = [">= 0.22.3"]
1212

1313
# The kstring integration in gix-attributes is unsound
1414

15-
gix-attributes (in [state::ValueRef](https://github.com/Byron/gitoxide/blob/main/gix-attributes/src/state.rs#L19-L27)) unsafely creates a `&str` from a `&[u8]` containing non-UTF8 data, with the justification that so long as nothing reads the &str and relies on it being UTF-8 in the &str, there is no UB:
15+
`gix-attributes` (in [`state::ValueRef`](https://github.com/Byron/gitoxide/blob/gix-attributes-v0.22.2/gix-attributes/src/state.rs#L19-L27)) unsafely creates a `&str` from a `&[u8]` containing non-UTF8 data, with the justification that so long as nothing reads the `&str` and relies on it being UTF-8 in the `&str`, there is no UB:
1616

1717
```rust
1818
// SAFETY: our API makes accessing that value as `str` impossible, so illformed UTF8 is never exposed as such.
1919
```
2020

2121
The problem is that the non-UTF8 `str` **is** exposed to outside code: first to the `kstring` crate itself, which requires UTF-8 in its documentation and may have UB as a consequence of this, but also to `serde`, where it propagates to e.g. `serde_json`, `serde_yaml`, etc., where the same problems occur.
2222

23-
As far as I know, this is not sound, and either is or can cause UB down the line in these places that can view the `&str`.
23+
This is not sound, and it could cause further UB down the line in these places that can view the `&str`.
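
Review bot: On added line 15, the link still uses the `Byron/gitoxide` path while the commit message refers to the project as GitoxideLabs/gitoxide, and a tag such as `gix-attributes-v0.22.2` can still be moved or deleted, so the `#L19-L27` anchor is not guaranteed to stay on the cited code. A permalink to a commit hash under the current repository path would keep the advisory's reference stable. The same line writes "non-UTF8" next to "UTF-8"; one spelling throughout would read better. On added line 23, "further UB" presupposes that UB has already occurred, whereas the paragraph above only says `kstring` "may have UB"; "could cause UB" would match what the advisory actually establishes.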
