- Package: release.debian.org
- Source: release.debian.org
- Submitter: Fabian Grünbichler
- Date: 2026-05-30 15:09:01 UTC
- Severity: normal
- Tags:
[ Reason ]
Trixie originally shipped with 1.85.0. There was an upstream stable update of 1.85.1 shortly after, which would fix building the Linux kernel for 32-bit arm targets. Additionally, the vendored copy of rust-tar used by cargo was affected by a security issue.

[ Impact ]
rustdoc for certain targets is broken, and the tar CVE would remain unfixed.

[ Tests ]
There's an extensive test suite upstream that is also executed as part of the package build. I triggered a test run of autopkgtests using debusine that is still running.

[ Risks ]
The fixes are fairly minimal and well-tested. But this is still a toolchain package we are talking about.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable (filtered and unfiltered)
[x] the issue is verified as fixed in unstable

[ Changes ]
Import of upstream "hotfix" 1.85.1 release, consisting of 5 changes:
- two relate to the rustdoc bug referenced in d/changelog
- one affects libstd for windows
- one affects custom targets (not used in packaging context; a downgrade of a vendored dependency, which accounts for 10k of the 11k debdiff lines)
- one affects just the build of the toolchain itself

Backport of the rust-tar CVE fixes, adapted for the vendored version.

[ Other info ]
The 1.85.1 upgrade would make the Rust-For-Linux people happy - they use Debian stable's version as baseline, but missed that we were still on 1.85.0 and not 1.85.1, which they test with.
I always forget to add this to the subject, doing it now in case it was not clear. I'd never upload rustc to p-u without first asking ;)
Hi, please allow me to refresh this request with the addition of two CVE fixes for cargo. Updated debdiffs (unfiltered, and without the vendor/ changes) attached. Thanks for your consideration!

[ Reason ]
Trixie originally shipped with 1.85.0. There was an upstream stable update of 1.85.1 shortly after, which would fix building the Linux kernel for 32-bit arm targets. Additionally, the vendored copy of rust-tar used by cargo, and cargo itself, were affected by security issues.

[ Impact ]
rustdoc for certain targets is broken, and the tar and cargo CVEs would remain unfixed.

[ Tests ]
There's an extensive test suite upstream that is also executed as part of the package build. I triggered a test run of autopkgtests using debusine that is still running.

[ Risks ]
The fixes are fairly minimal and well-tested. But this is still a toolchain package we are talking about.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable (filtered and unfiltered)
[x] the issue is verified as fixed in unstable

[ Changes ]
Import of upstream "hotfix" 1.85.1 release, consisting of 5 changes:
- two relate to the rustdoc bug referenced in d/changelog
- one affects libstd for windows
- one affects custom targets (not used in packaging context; a downgrade of a vendored dependency, which accounts for 10k of the 11k debdiff lines)
- one affects just the build of the toolchain itself

Backport of the rust-tar CVE fixes, adapted for the vendored version.
Backport of the cargo CVE fixes, (trivially) adapted for 1.85.1.

[ Other info ]
The 1.85.1 upgrade would make the Rust-For-Linux people happy - they use Debian stable's version as baseline, but missed that we were still on 1.85.0 and not 1.85.1, which they test with.
- https://security-tracker.debian.org/tracker/CVE-2026-5222
- https://security-tracker.debian.org/tracker/CVE-2026-5223
- https://security-tracker.debian.org/tracker/CVE-2026-33055
- https://security-tracker.debian.org/tracker/CVE-2026-33056