#1112471 rust-xcb: RUSTSEC-2025-0051

Package:
src:rust-xcb
Source:
src:rust-xcb
Submitter:
Salvatore Bonaccorso
Date:
2025-08-30 07:23:01 UTC
Severity:
normal
Tags:
#1112471#5
Date:
2025-08-29 20:08:06 UTC
From:
To:
Hi

There is the RUSTSEC-2025-0051 advisory for rust-xcb:

https://rustsec.org/advisories/RUSTSEC-2025-0051.html
| xcb::Connection::connect_to_fd* functions violate I/O safety

References:
https://github.com/rust-x-bindings/rust-xcb/issues/282
https://github.com/rust-x-bindings/rust-xcb/issues/167
https://github.com/rust-x-bindings/rust-xcb/pull/283

Regards,
Salvatore

#1112471#10
Date:
2025-08-30 00:35:26 UTC
From:
To:
I feel calling this a "security" issue is a stretch.

The so-called "fixed version" doesn't seem to actually "fix"
anything; it just marks some functions as deprecated and
adds some new functions. The existing problematic functions
remain present; they are just deprecated (which will trigger
a compiler warning, but who reads those).

There seem to be two reverse dependencies of rust-xcb in
Debian; a quick look on Debian code search suggests that
neither uses the problematic functions.

I'll upload the new version anyway.

#1112471#15
Date:
2025-08-30 07:21:42 UTC
From:
To:
Hi Peter,

Thanks for the quick followup.

Do you know if they will eventually be dropped after deprecation? If
not, we might otherwise just consider this a non-issue?

Regards,
Salvatore