[Pkg-rust-maintainers] Bug#1104114: unblock: rustc/1.85.0+dfsg3-1
Fabian Grünbichler
debian at fabian.gruenbichler.email
Fri Apr 25 20:28:12 BST 2025
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: rustc at packages.debian.org, debian-rust at lists.debian.org, debian at fabian.gruenbichler.email
Control: affects -1 + src:rustc
User: release.debian.org at packages.debian.org
Usertags: unblock
Please unblock package rustc
[ Reason ]
The update is a targeted fix for two security issues:
* backport fix for gix-features CVE-2025-31130
  which implements collision-resistant SHA1 in the vendored copy of the gix
  stack used by cargo
* cherry-pick fix for crossbeam-channel RUSTSEC-2025-0024
  which fixes a double free in a synchronisation primitive in the std lib (which
  is actually a fork of the crossbeam-channel crate)
and one other trivial bug that would be annoying to have in Trixie:
* rust-lldb: fix lldb version (Closes: #1100950)
[ Impact ]
The issues mentioned above would not be fixed, making the rust-lldb package
broken, cargo at risk of SHA-1 collision attacks if using gix for fetching
crates.io index data or crate sources via git references, and code compiled
using rustc that uses the affected part of the std lib at risk of running into
the double free.
[ Tests ]
The quite extensive rustc test suite has been run as part of the build
and has shown no regression. The two security fixes are based on upstream fixes
and are almost bit-identical to the versions used to fix their standalone crate
packages. The rust-lldb change was manually tested by me.
[ Risks ]
The gix change is probably the biggest part of this update, as it completely
changes the SHA-1 implementation used. In case a problem is found with it,
cargo can be forced to use CLI git for git operations as a workaround. The
replacement crate is written by a reputable upstream and hasn't seen major
changes in over a year, so the associated risk should still be fairly low.
It also has been packaged as a standalone crate in Debian, successfully being
built on all architectures including passing autopkgtests, with no patches
required so far.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock rustc/1.85.0+dfsg3-1