Your message dated Mon, 16 Feb 2026 17:04:50 +0000
with message-id <[email protected]>
and subject line Bug#1124688: fixed in rust-rkyv 0.8.15-1
has caused the Debian Bug report #1124688,
regarding rust-rkyv: RUSTSEC-2026-0001
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1124688: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124688
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rust-rkyv
Version: 0.8.12-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/rkyv/rkyv/issues/644
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

From https://github.com/rkyv/rkyv/issues/644
https://rustsec.org/advisories/RUSTSEC-2026-0001.html
| The SharedPointer::alloc implementation for sync::Arc<T> and rc::Rc<T>
| in rkyv/src/impls/alloc/rc/atomic.rs (and rc.rs) does not check if the
| allocator returns a null pointer on OOM (Out of Memory).
|
| This null pointer can flow through to SharedPointer::from_value, which
| calls Box::from_raw(ptr) with the null pointer. This triggers undefined
| behavior when utilizing safe deserialization APIs (such as
| rkyv::from_bytes or rkyv::deserialize_using) if an OOM condition occurs
| during the allocation of the shared pointer.
|
| The issue is reachable through safe code and violates Rust's safety
| guarantees.

Regards,
Salvatore

--- End Message ---
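
The missing check described in the advisory above, as an added Rust illustration (not rkyv's code and not its fix): a null return from the allocator becomes an error before the pointer can reach `Box::from_raw`. The names `alloc_for`, `box_from_value`, `AllocFailed` and the `simulate_oom` flag are hypothetical and exist only in this example.

```rust
use std::alloc::{alloc, Layout};
use std::ptr::NonNull;

/// Returned instead of a pointer when the allocator reports out-of-memory.
#[derive(Debug, PartialEq)]
pub struct AllocFailed;

/// Allocate room for one `T`. `simulate_oom` (constructed for this example)
/// forces the null return a real allocator gives on OOM.
pub fn alloc_for<T>(simulate_oom: bool) -> Result<NonNull<T>, AllocFailed> {
    let layout = Layout::new::<T>();
    if layout.size() == 0 {
        // Zero-sized types must not be passed to the global allocator.
        return Ok(NonNull::dangling());
    }
    let raw: *mut u8 = if simulate_oom {
        std::ptr::null_mut()
    } else {
        // SAFETY: the layout has non-zero size (checked above).
        unsafe { alloc(layout) }
    };
    // The check the advisory says was missing: null never leaves this function.
    NonNull::new(raw.cast::<T>()).ok_or(AllocFailed)
}

/// Move `value` to the heap and take ownership of the allocation as a `Box`.
pub fn box_from_value<T>(value: T, simulate_oom: bool) -> Result<Box<T>, AllocFailed> {
    // On failure `?` returns early and `value` is dropped normally.
    let ptr = alloc_for::<T>(simulate_oom)?;
    // SAFETY: `ptr` is non-null, aligned and sized for `T`, and came from the
    // global allocator (or is dangling for a zero-sized `T`), as `Box` requires.
    unsafe {
        ptr.as_ptr().write(value);
        Ok(Box::from_raw(ptr.as_ptr()))
    }
}

fn main() {
    println!("{:?}", box_from_value(7u64, false));
    println!("{:?}", box_from_value(7u64, true));
}
```

Code that cannot propagate an error can call `std::alloc::handle_alloc_error(layout)` at the same point, which stops the program instead of continuing with a null pointer.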
--- Begin Message ---
Source: rust-rkyv
Source-Version: 0.8.15-1
Done: Alexander Kjäll <[email protected]>

We believe that the bug you reported is fixed in the latest version of
rust-rkyv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Kjäll <[email protected]> (supplier of updated rust-rkyv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 16 Feb 2026 17:29:18 +0100
Source: rust-rkyv
Architecture: source
Version: 0.8.15-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <[email protected]>
Changed-By: Alexander Kjäll <[email protected]>
Closes: 1124688
Changes:
 rust-rkyv (0.8.15-1) unstable; urgency=medium
 .
   * Team upload.
   * Package rkyv 0.8.15 from crates.io using debcargo 2.7.11 (Closes: #1124688)

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTjXSWUWAMcT4Fcz+oDR6wEe1CAhQUCaZNF4gAKCRADR6wEe1CA
hUB2AQDQr9fuSi3KUegCASV4Am46xqMz+/RTfl4fpXat/lLNeQEAkPr9fx6gS5Fc
W1OG85WucvbIzjMCaiUZOJ+i3TWfqw4=
=ycwb
-----END PGP SIGNATURE-----



--- End Message ---
