Staging | 394 Members | |
| Staging merges | Running staging cycles: https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+is%3Aopen+head%3Astaging-next+head%3Astaging-next-25.11 | Review Reports: https://malob.github.io/nix-review-tools-reports/ | 126 Servers |
| Sender | Message | Time |
|---|---|---|
| 30 Jun 2026 | ||
and that uses zlib-rs via gix | 17:50:25 | |
| Hmm, let me check if it isn't gated under #[cfg(feature...)]... | 17:50:28 | |
| Ah | 17:50:52 | |
| #[cfg(feature = "avx512")] | 17:50:54 | |
| https://github.com/trifectatechfoundation/zlib-rs/blob/5a96dcf8f36644074ca604dadae36591de5551a5/zlib-rs/src/adler32.rs#L5-L10 | 17:51:12 | |
| Let me check ndarray then | 17:51:18 | |
| "Will the point release be on the latest stable version or will it target every impacted stable version (1.94-96)? Since without the fix 1.94- is dangerously unusable for anything doing branchless programming patterns, which could manifest as CVEs. I basically found the issue doing an innocent refactor in my project..." https://rust-lang.zulipchat.com/#narrow/stream/474880-xxx/topic/.23158214.3A.20stable-nominated | 17:51:56 | |
| it sounds like the 1.96.1 miscompilation fix is for a bug that was introduced in 1.94 | 17:52:03 | |
| which implies to me: not worth scrapping the cycle over | 17:52:13 | |
Download image.png | 17:53:44 | |
| It seems like upstream ndarray doesn't use avx512, ndarray that comes up in github search is this | 17:53:44 | |
I think the remaining question is, is the libssh2 vuln bad enough | 17:53:45 | |
| I think it is remote code execution, where malicious remote server can overflow local buffer? So if some crate has git dependency with malicious server it is bad | 17:55:17 | |
| As for avx512... The only crates that I see affected at this moment are pgvecto-rs (deprecated) and vectorchord then... zlib-rs users are only affected if avx512 feature is enabled, and as far as I can see it is enabled by firefox and no well-known crates https://github.com/mozilla-firefox/firefox/blob/c681e91369f59d0efae43bdc465872b855e8b269/netwerk/socket/neqo_glue/Cargo.toml#L29 | 17:59:21 | |
| oh nevermind, CVE-2026-7598 was last cycle and is on master. CVE-2025-15661, CVE-2026-55199, and CVE-2026-55200 (at least) are all unpatched for libssh2 afaik | 18:00:05 | |
*
(__structuredAttrs issue) | 18:00:06 | |
| The only problem is that the bug was quite annoying to find and recognize that it is caused by nixpkgs rustc, and if someone will encounter that in their development environment... | 18:01:35 | |
| I guess we didn't try to build Firefox yet: https://hydra.nixos.org/build/333514377 | 18:01:48 | |
| so we might have to put a bodge in there for one cycle depending | 18:01:58 | |
| i've built firefox on staging-next just fine for x86_64-linux, if it's just a build time thing | 18:02:26 | |
| it's unfortunate, but it's a lot better than e.g. getting owned because security updates got delayed 5 days to fix it | 18:02:32 | |
| * fwiw i've built firefox on staging-next just fine for x86_64-linux, if it's just a build time thing | 18:02:48 | |
Download image.png | 18:03:47 | |
| Ok, it was added in firefox 150 | 18:03:54 | |
| But on staging we have firefox 152... | 18:04:13 | |
otoh, if there's a PoC for an unpatched libssh2 RCE … then that might be worth rebuilding it all for anyway 😔 | 18:04:23 | |
| that might not be super scary for Cargo where you're executing a bunch of code anyway but it's pretty bad for other uses… | 18:04:55 | |
| * fwiw i've built firefox on staging-next just fine for x86_64-linux, if it's just a build time thing (and i'm running it right now, but runtime avx512 detection won't trigger on my machine if that's relevant) | 18:05:13 | |
| Ok, I'm overheated and have no idea what's going on, will submit a fix for vectorchord and lets hope there are not many packages affected by this | 18:05:41 | |
| * | 18:07:04 | |