[Pkg-rust-maintainers] Bug#1112471: Bug#1112471: rust-xcb: RUSTSEC-2025-0051
Salvatore Bonaccorso
carnil at debian.org
Sat Aug 30 08:21:42 BST 2025
Hi Peter,

Thanks for the quick followup.

On Sat, Aug 30, 2025 at 01:35:26AM +0100, Peter Green wrote:
> > There is the RUSTSEC-2025-0051 advisory for rust-xcb:
>
> I feel calling this a "security" issue is a stretch.
>
> > https://rustsec.org/advisories/RUSTSEC-2025-0051.html
> > | xcb::Connection::connect_to_fd* functions violate I/O safety
>
> The so-called "fixed version" doesn't seem to actually "fix"
> anything, it just marks some functions as deprecated and
> adds some new functions. The existing problematic functions
> remain present, they are just deprecated (which will trigger
> a compiler warning, but who reads those).
>
> There seem to be two reverse dependencies of rust-xcb in
> Debian, a quick look on Debian code search suggests that
> neither uses the problematic functions.
>
> I'll upload the new version anyway.

Do you know if they eventually will be dropped after deprecation? If
not, we might just consider this then otherwise a non-issue?

Regards,
Salvatore