| 1 Jul 2026 |
whispers [& it/fae] | * | 00:14:09 |
whispers [& it/fae] | same three posted about on oss-sec too: https://seclists.org/oss-sec/2026/q2/1010 | 00:14:52 |
hexa | can you quickly check the pr? | 00:17:41 |
hexa | ^ | 00:17:48 |
hexa | Redacted or Malformed Event | 00:17:54 |
emily | https://github.com/rust-lang/cargo/pull/17140 has the rust backports | 00:18:50 |
emily | for comparison | 00:19:04 |
emily | 2026-55200 looks correct | 00:19:40 |
emily | as does 2026-55199 | 00:19:53 |
emily | 2025-15661 makes my eyes glaze over so I'll let someone else assess that one | 00:20:02 |
whispers [& it/fae] | this pr fails to build as-is, patches for 55200 don't apply | 00:33:31 |
hexa | does debian apply them to a different version? | 00:34:01 |
emily | we could perhaps just pick the ones from Rust | 00:36:58 |
emily | Debian seems to be on an older version and has a CVE fix from 2023 too and other patches | 00:37:25 |
emily | perhaps less likely to apply to our version | 00:37:30 |
whispers [& it/fae] | nah, they're not pulling the 2023 fix at all i think, it's commented here: https://salsa.debian.org/debian/libssh2/-/blob/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/series#L6. but yeah it seems like they're still on 1.11.1 | 00:38:17 |
whispers [& it/fae] | * nah, they're not pulling the 2023 fix at all i think, it's commented here: https://salsa.debian.org/debian/libssh2/-/blob/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/series#L6. it seems like they're also on 1.11.1 | 00:38:37 |
whispers [& it/fae] | just raw pulling the (3 CVE + libssh-unconst-backport.patch) debian patches as-is and applying them builds fine for me (ignoring that pr entirely) | 00:42:25 |
whispers [& it/fae] | some function names are different between the debian patch and the one in #533237, which looks like the cause of patch application failure | 00:43:08 |
hexa | great | 00:47:41 |
hexa | submit it :) | 00:47:45 |
whispers [& it/fae] | https://github.com/whispersofthedawn/nixpkgs/commit/221328822354d21491261889713272011e89dbcf builds with the unmodified debian patches | 00:47:43 |
whispers [& it/fae] | * https://github.com/whispersofthedawn/nixpkgs/commit/221328822354d21491261889713272011e89dbcf builds with the patches vendored from debian | 00:47:53 |
emily | looks like https://github.com/rust-lang/cargo/pull/17140/changes/353ce102e892a12a2fa04219ed4a6379c7e5031a avoids the macro backports | 00:48:27 |
emily | but picking the macro backport should be good too / maybe better | 00:48:33 |
emily | you can fetchurl these directly from salsa | 00:49:03 |
emily | other than that LGTM, let's get a PR :) | 00:49:14 |
whispers [& it/fae] | …right, i forgot you didn't need to fetchpatch (which infrecs), will dop | 00:49:47 |
whispers [& it/fae] | * …right, i forgot you didn't need to fetchpatch (which infrecs), will do | 00:49:48 |
emily | yeah if you're fetching patch files vendored inside a repo from a commit-pinned URL fetchurl is fine | 00:51:17 |