Package: release.debian.org
Severity: normal
X-Debbugs-Cc: ru...@packages.debian.org, debian-r...@lists.debian.org, 
debian@fabian.gruenbichler.email
Control: affects -1 + src:rustc
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package rustc

[ Reason ]

The update is a targeted fix for two security issues:

  * backport fix for gix-features CVE-2025-31130

which implements collision-resistant SHA1 in the vendored copy of the gix
stack used by cargo

  * cherry-pick fix for crossbeam-channel RUSTSEC-2025-0024

which fixes a double free in a synchronisation primitive in the std lib (which
is actually a fork of the crossbeam-channel crate)

and one other trivial bug that would be annoying to have in Trixie:

  * rust-lldb: fix lldb version (Closes: #1100950)

[ Impact ]

Without this update the issues above remain unfixed: the rust-lldb package
stays broken, cargo remains at risk of SHA-1 collision attacks when it uses gix
to fetch crates.io index data or crate sources via git references, and code
compiled with rustc that uses the affected part of the std lib remains at risk
of running into the double free.

[ Tests ]

The quite extensive rustc test suite has been run as part of the build
and has shown no regression. The two security fixes are based on upstream fixes
and are almost bit-identical to the versions used to fix their standalone crate
packages. The rust-lldb change was manually tested by me.

[ Risks ]

The gix change is probably the biggest part of this update, as it completely
changes the SHA-1 implementation used. In case a problem is found with it,
cargo can be forced to use CLI git for git operations as a workaround. The
replacement crate is written by a reputable upstream and hasn't seen major
changes in over a year, so the associated risk should still be fairly low.
It has also been packaged as a standalone crate in Debian, where it builds
on all architectures and passes its autopkgtests, with no patches required so
far.
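The cargo workaround referred to above, as an added illustration that is not part of this bug report: the `net.git-fetch-with-cli` setting makes cargo shell out to the system `git` binary for all git network operations instead of using the vendored gix stack, so a regression in the new SHA-1 implementation can be sidestepped without rebuilding rustc.

```toml
# Place in ~/.cargo/config.toml (per user) or <project>/.cargo/config.toml
# (per project). The same effect can be obtained for a single invocation via
# the environment variable CARGO_NET_GIT_FETCH_WITH_CLI=true.
[net]
# Use the `git` executable from PATH for fetching the crates.io index and
# git dependencies; gix (and therefore its SHA-1 code) is no longer involved.
git-fetch-with-cli = true
```

Note that this only bypasses gix for fetches; it does not change the std lib double-free fix, which needs the rebuilt toolchain.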

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock rustc/1.85.0+dfsg3-1
