!UNVBThoJtlIiVwiDjU:nixos.org

Staging

394 Members
Staging merges | Running staging cycles: https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+is%3Aopen+head%3Astaging-next+head%3Astaging-next-25.11 | Review Reports: https://malob.github.io/nix-review-tools-reports/
126 Servers



Sender Message Time
30 Jun 2026
@emilazy:matrix.org emily: and that uses zlib-rs via gix 17:50:25
@lach:delta.rocks Lach: Hmm, let me check if it isn't gated under #[cfg(feature...)]... 17:50:28
@lach:delta.rocks Lach: Ah 17:50:52
@lach:delta.rocks Lach: #[cfg(feature = "avx512")] 17:50:54
@lach:delta.rocks Lach: https://github.com/trifectatechfoundation/zlib-rs/blob/5a96dcf8f36644074ca604dadae36591de5551a5/zlib-rs/src/adler32.rs#L5-L10 17:51:12
@lach:delta.rocks Lach: Let me check ndarray then 17:51:18
@emilazy:matrix.org emily: "Will the point release be on the latest stable version or will it target every impacted stable version (1.94-96)? Since without the fix 1.94- is dangerously unusable for anything doing branchless programming patterns, which could manifest as CVEs. I basically found the issue doing an innocent refactor in my project..." https://rust-lang.zulipchat.com/#narrow/stream/474880-xxx/topic/.23158214.3A.20stable-nominated 17:51:56
@emilazy:matrix.org emily: it sounds like the 1.96.1 miscompilation fix is for a bug that was introduced in 1.94 17:52:03
@emilazy:matrix.org emily: which implies to me: not worth scrapping the cycle over 17:52:13
@lach:delta.rocks Lach: image.png 17:53:44
@lach:delta.rocks Lach: It seems like upstream ndarray doesn't use avx512, ndarray that comes up in github search is this 17:53:44
@emilazy:matrix.org emily: I think the remaining question is, is the libssh2 vuln bad enough 17:53:45
@lach:delta.rocks Lach: I think it is remote code execution, where malicious remote server can overflow local buffer? So if some crate has git dependency with malicious server it is bad 17:55:17
@lach:delta.rocks Lach: As for avx512... The only crates that I see affected at this moment are pgvecto-rs (deprecated) and vectorchord then... zlib-rs users are only affected if avx512 feature is enabled, and as far as I can see it is enabled by firefox and no well-known crates https://github.com/mozilla-firefox/firefox/blob/c681e91369f59d0efae43bdc465872b855e8b269/netwerk/socket/neqo_glue/Cargo.toml#L29 17:59:21
@whispers:catgirl.cloud whispers [& it/fae]: oh nevermind, CVE-2026-7598 was last cycle and is on master. CVE-2025-15661, CVE-2026-55199, and CVE-2026-55200 (at least) are all unpatched for libssh2 afaik 18:00:05
@debtquity:matrix.org debtquity: *

```
rocksdb> cmake flags: -GNinja -DCMAKE_FIND_USE_SYSTEM_PACKAGE_REGISTRY=OFF -DCMAKE_FIND_USE_PACKAGE_REGISTRY=OFF -DCMAKE_EXPORT_NO_PACKAGE_REGISTRY=ON -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DCMAKE_INSTALL_LOCALEDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/share/locale -DCMAKE_INSTALL_LIBEXECDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/libexec -DCMAKE_INSTALL_LIBDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/lib -DCMAKE_INSTALL_DOCDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/share/doc/rocksdb -DCMAKE_INSTALL_INFODIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/share/info -DCMAKE_INSTALL_MANDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/share/man -DCMAKE_INSTALL_INCLUDEDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/include -DCMAKE_INSTALL_SBINDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/sbin -DCMAKE_INSTALL_BINDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocks
```

https://github.com/debtquity/nixpkgs-review-gha/actions/runs/28461253865/job/84349445690#step:6:5588

but this is missing all of the flags defined in `cmakeFlags`:

https://github.com/NixOS/nixpkgs/pull/537105/changes#diff-f169fc685573d8eaee885af02b69ba1a718da48f3a9ae1ee4bb64ca67cadef28R62-R82

I looked back at a hydra build for same package, but those flags are there: https://hydra.nixos.org/build/328605767/nixlog/1

only diff i can see is:

> -- The CXX compiler identification is Clang 21.1.8
> -- The C compiler identification is Clang 21.1.8

vs

> -- The CXX compiler identification is GNU 15.2.0
> -- The C compiler identification is GNU 15.2.0

(__structuredAttrs issue)

18:00:06
@lach:delta.rocks Lach: The only problem is that the bug was quite annoying to find and recognize that it is caused by nixpkgs rustc, and if someone will encounter that in their development environment... 18:01:35
@emilazy:matrix.org emily: I guess we didn't try to build Firefox yet: https://hydra.nixos.org/build/333514377 18:01:48
@emilazy:matrix.org emily: so we might have to put a bodge in there for one cycle depending 18:01:58
@whispers:catgirl.cloud whispers [& it/fae]: i've built firefox on staging-next just fine for x86_64-linux, if it's just a build time thing 18:02:26
@emilazy:matrix.org emily: it's unfortunate, but it's a lot better than e.g. getting owned because security updates got delayed 5 days to fix it 18:02:32
@whispers:catgirl.cloud whispers [& it/fae]: * fwiw i've built firefox on staging-next just fine for x86_64-linux, if it's just a build time thing 18:02:48
@lach:delta.rocks Lach: image.png 18:03:47
@lach:delta.rocks Lach: Ok, it was added in firefox 150 18:03:54
@lach:delta.rocks Lach: But on staging we have firefox 152... 18:04:13
@emilazy:matrix.org emily: otoh, if there's a PoC for an unpatched libssh2 RCE … then that might be worth rebuilding it all for anyway 😔 18:04:23
@emilazy:matrix.org emily: that might not be super scary for Cargo where you're executing a bunch of code anyway but it's pretty bad for other uses… 18:04:55
@whispers:catgirl.cloud whispers [& it/fae]: * fwiw i've built firefox on staging-next just fine for x86_64-linux, if it's just a build time thing (and i'm running it right now, but runtime avx512 detection won't trigger on my machine if that's relevant) 18:05:13
@lach:delta.rocks Lach: Ok, I'm overheated and have no idea what's going on, will submit a fix for vectorchord and let's hope there are not many packages affected by this 18:05:41



Room Version: 6