| 1 Jul 2026 |
emily | which scares me | 00:09:42 |
whispers [& it/fae] | just yoinking the three patches from debian seems very low-risk and sane. diffs are small | 00:11:10 |
hexa | yeah, could mean nothing is ready for the (breaking?) changes in there | 00:11:18 |
hexa | I'm not super sure about the full scope; do the three patches cover everything relevant? | 00:11:49 |
hexa | Redacted or Malformed Event | 00:11:58 |
whispers [& it/fae] | they cover the three CVEs I'm aware of and that the rust folks patched. i haven't tracked closely enough to know if there are others, though. | 00:13:25 |
whispers [& it/fae] | * | 00:14:09 |
whispers [& it/fae] | same three posted about on oss-sec too: https://seclists.org/oss-sec/2026/q2/1010 | 00:14:52 |
hexa | can you quickly check the pr? | 00:17:41 |
hexa | ^ | 00:17:48 |
hexa | Redacted or Malformed Event | 00:17:54 |
emily | https://github.com/rust-lang/cargo/pull/17140 has the rust backports | 00:18:50 |
emily | for comparison | 00:19:04 |
emily | 2026-55200 looks correct | 00:19:40 |
emily | as does 2026-55199 | 00:19:53 |
emily | 2025-15661 makes my eyes glaze over so I'll let someone else assess that one | 00:20:02 |
whispers [& it/fae] | this pr fails to build as-is, patches for 55200 don't apply | 00:33:31 |
hexa | does debian apply them to a different version? | 00:34:01 |
emily | we could perhaps just pick the ones from Rust | 00:36:58 |
emily | Debian seems to be on an older version and has a CVE fix from 2023 too and other patches | 00:37:25 |
emily | perhaps less likely to apply to our version | 00:37:30 |
whispers [& it/fae] | nah, they're not pulling the 2023 fix at all i think, it's commented here: https://salsa.debian.org/debian/libssh2/-/blob/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/series#L6. but yeah it seems like they're still on 1.11.1 | 00:38:17 |
whispers [& it/fae] | * nah, they're not pulling the 2023 fix at all i think, it's commented here: https://salsa.debian.org/debian/libssh2/-/blob/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/series#L6. it seems like they're also on 1.11.1 | 00:38:37 |
whispers [& it/fae] | just raw pulling the (3 CVE + libssh-unconst-backport.patch) debian patches as-is and applying them builds fine for me (ignoring that pr entirely) | 00:42:25 |
whispers [& it/fae] | some function names are different between the debian patch and the one in #533237, which looks like the cause of patch application failure | 00:43:08 |
hexa | great | 00:47:41 |
hexa | submit it :) | 00:47:45 |
whispers [& it/fae] | https://github.com/whispersofthedawn/nixpkgs/commit/221328822354d21491261889713272011e89dbcf builds with the unmodified debian patches | 00:47:43 |
whispers [& it/fae] | * https://github.com/whispersofthedawn/nixpkgs/commit/221328822354d21491261889713272011e89dbcf builds with the patches vendored from debian | 00:47:53 |
emily | looks like https://github.com/rust-lang/cargo/pull/17140/changes/353ce102e892a12a2fa04219ed4a6379c7e5031a avoids the macro backports | 00:48:27 |