- Package: src:rust-xcb
- Source: src:rust-xcb
- Submitter: Salvatore Bonaccorso
- Date: 2025-08-30 07:23:01 UTC
- Severity: normal
- Tags:
Hi,

There is the RUSTSEC-2025-0051 advisory for rust-xcb:
https://rustsec.org/advisories/RUSTSEC-2025-0051.html

xcb::Connection::connect_to_fd* functions violate I/O safety

References:
https://github.com/rust-x-bindings/rust-xcb/issues/282
https://github.com/rust-x-bindings/rust-xcb/issues/167
https://github.com/rust-x-bindings/rust-xcb/pull/283

Regards,
Salvatore
I feel calling this a "security" issue is a stretch. The so-called "fixed version" doesn't seem to actually "fix" anything, it just marks some functions as deprecated and adds some new functions. The existing problematic functions remain present, they are just deprecated (which will trigger a compiler warning, but who reads those). There seem to be two reverse dependencies of rust-xcb in Debian, a quick look on Debian code search suggests that neither uses the problematic functions. I'll upload the new version anyway.
Hi Peter,

Thanks for the quick follow-up. Do you know if they eventually will be dropped after deprecation? If not, we might then otherwise just consider this a non-issue?

Regards,
Salvatore