From 08da351294491b6f15e533ca8732d4a69efbaa4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20Kj=C3=A4ll?= <alexander.kjall@gmail.com>
Date: Wed, 4 Dec 2024 13:37:47 +0100
Subject: [PATCH] add information about unsoundness issue in anstream, found
 here: https://github.com/rust-cli/anstyle/issues/156 (#2075)

---
 crates/anstream/RUSTSEC-0000-0000.md | 30 ++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 crates/anstream/RUSTSEC-0000-0000.md

diff --git a/crates/anstream/RUSTSEC-0000-0000.md b/crates/anstream/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000000..815c7bfb9a
--- /dev/null
+++ b/crates/anstream/RUSTSEC-0000-0000.md
@@ -0,0 +1,30 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "anstream"
+date = "2024-09-08"
+url = "https://github.com/rust-cli/anstyle/issues/156"
+informational = "unsound"
+
+[affected]
+functions = { "anstream::adapter::strip_str" = ["< 0.6.8"] }
+
+[versions]
+patched = [">= 0.6.8"]
+
+```
+
+# Unsoundness in anstream
+
+When given a valid UTF8 string "ö\x1b😀", the function in
+crates/anstream/src/adapter/strip.rs will be confused. The UTF8
+bytes are \xc3\xb6 then \x1b then \xf0\x9f\x98\x80.
+
+When looping over "non-printable bytes" \x1b\xf0 will be
+considered as some non-printable sequence.
+
+This will produce a broken str from the incorrectly segmented
+bytes via str::from_utf8_unchecked, and that should never happen.
+
+Full credit goes to @Ralith who reviewed this code and
+asked @burakemir to follow up.