| 30 Jun 2026 |
Lach | Rustc 1.96.1 doesn't fix the avx512 problem | 17:48:54 |
whispers [& it/fae] | * | 17:49:17 |
emily | I see | 17:49:30 |
emily | I'm a bit confused though | 17:49:39 |
emily | if everything using zlib-rs should fail at build time, then we should be seeing a lot more fallout? | 17:49:50 |
emily | for instance, jujutsu builds | 17:50:19 |
emily | and that uses zlib-rs via gix | 17:50:25 |
Lach | Hmm, let me check if it isn't gated under #[cfg(feature...)]... | 17:50:28 |
Lach | Ah | 17:50:52 |
Lach | #[cfg(feature = "avx512")] | 17:50:54 |
Lach | https://github.com/trifectatechfoundation/zlib-rs/blob/5a96dcf8f36644074ca604dadae36591de5551a5/zlib-rs/src/adler32.rs#L5-L10 | 17:51:12 |
Lach | Let me check ndarray then | 17:51:18 |
emily | "Will the point release be on the latest stable version or will it target every impacted stable version (1.94-96)? Since without the fix 1.94- is dangerously unusable for anything doing branchless programming patterns, which could manifest as CVEs. I basically found the issue doing an innocent refactor in my project..." https://rust-lang.zulipchat.com/#narrow/stream/474880-xxx/topic/.23158214.3A.20stable-nominated | 17:51:56 |
emily | it sounds like the 1.96.1 miscompilation fix is for a bug that was introduced in 1.94 | 17:52:03 |
emily | which implies to me: not worth scrapping the cycle over | 17:52:13 |
Lach |  Download image.png | 17:53:44 |
Lach | It seems like upstream ndarray doesn't use avx512, ndarray that comes up in github search is this | 17:53:44 |
emily | I think the remaining question is, is the libssh2 vuln bad enough | 17:53:45 |
Lach | I think it is remote code execution, where malicious remote server can overflow local buffer?
So if some crate has git dependency with malicious server it is bad | 17:55:17 |
Lach | As for avx512... The only crates that I see affected at this moment are pgvecto-rs (deprecated) and vectorchord then...
zlib-rs users are only affected if avx512 feature is enabled, and as far as I can see it is enabled by firefox and no well-known crates
https://github.com/mozilla-firefox/firefox/blob/c681e91369f59d0efae43bdc465872b855e8b269/netwerk/socket/neqo_glue/Cargo.toml#L29 | 17:59:21 |
whispers [& it/fae] | oh nevermind, CVE-2026-7598 was last cycle and is on master. CVE-2025-15661, CVE-2026-55199, and CVE-2026-55200 (at least) are all unpatched for libssh2 afaik | 18:00:05 |
debtquity | *
```
rocksdb> cmake flags: -GNinja -DCMAKE_FIND_USE_SYSTEM_PACKAGE_REGISTRY=OFF -DCMAKE_FIND_USE_PACKAGE_REGISTRY=OFF -DCMAKE_EXPORT_NO_PACKAGE_REGISTRY=ON -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DCMAKE_INSTALL_LOCALEDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/share/locale -DCMAKE_INSTALL_LIBEXECDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/libexec -DCMAKE_INSTALL_LIBDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/lib -DCMAKE_INSTALL_DOCDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/share/doc/rocksdb -DCMAKE_INSTALL_INFODIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/share/info -DCMAKE_INSTALL_MANDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/share/man -DCMAKE_INSTALL_INCLUDEDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/include -DCMAKE_INSTALL_SBINDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/sbin -DCMAKE_INSTALL_BINDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocks
```
https://github.com/debtquity/nixpkgs-review-gha/actions/runs/28461253865/job/84349445690#step:6:5588
but this is missing all of the flags defined in `cmakeFlags`:
https://github.com/NixOS/nixpkgs/pull/537105/changes#diff-f169fc685573d8eaee885af02b69ba1a718da48f3a9ae1ee4bb64ca67cadef28R62-R82
I looked back at a hydra build for same package, but those flags are there: https://hydra.nixos.org/build/328605767/nixlog/1
only diff i can see is:
> -- The CXX compiler identification is Clang 21.1.8
> -- The C compiler identification is Clang 21.1.8
vs
> -- The CXX compiler identification is GNU 15.2.0
> -- The C compiler identification is GNU 15.2.0
(__structuredAttrs issue)
| 18:00:06 |
Lach | The only problem is that the bug was quite annoying to find and recognize that it is caused by nixpkgs rustc, and if someone will encounter that in their development environment... | 18:01:35 |
emily | I guess we didn't try to build Firefox yet: https://hydra.nixos.org/build/333514377 | 18:01:48 |
emily | so we might have to put a bodge in there for one cycle depending | 18:01:58 |
whispers [& it/fae] | i've built firefox on staging-next just fine for x86_64-linux, if it's just a build time thing | 18:02:26 |
emily | it's unfortunate, but it's a lot better than e.g. getting owned because security updates got delayed 5 days to fix it | 18:02:32 |
whispers [& it/fae] | * fwiw i've built firefox on staging-next just fine for x86_64-linux, if it's just a build time thing | 18:02:48 |
Lach |  Download image.png | 18:03:47 |
Lach | Ok, it was added in firefox 150 | 18:03:54 |