Bug#1069796: rust-abscissa-derive - (build-)depends unsatisfiable.

2024-04-27 Thread Alexander Kjäll
Thanks for the report.

abscissa_derive is a dependency of abscissa_core, but I have been
waiting with the upload of that since tracing-subscriber has some
features disabled and it's non-trivial to re-enable them (due to the
regex situation, IIRC).

abscissa_core is a dependency of cargo-audit, and that is a very nice
security tool to enable in your ci/cd, so I would like to get that
into Debian so that it can be used more.

But cargo-audit also needs gix, and I'm currently spending my time
trying to package that stack. I'll circle back to this once gix is in
Debian and hopefully upstream will have updated by then.

//Alex



Bug#1056253: rust-ripasso-cursive - FTBFS with rust-ripasso 0.6.4

2024-02-29 Thread Alexander Kjäll
Hi

I was waiting for another transition that was staged in experimental, due
to the quality of the different clipboard crates.

But if this blocks something I will make a temporary solution.

//Alex

On Fri, 1 Mar 2024, 08:19 Salvatore Bonaccorso,  wrote:

> Hi
>
> On Mon, Dec 11, 2023 at 07:10:22PM +0100, Alexander Kjäll wrote:
> > Hi
> >
> > I'm sorry for the semver breakage, the last version was a bit stressed
> > out due to the security problems with libgit2 not verifying server
> > signatures (that has since been fixed).
> >
> > I think the best path forward might be to package the latest versions,
> > I have started that but not finished yet due to some real life things
> > taking all my free time lately.
>
> Was there any progress on it (or can/should rust-ripasso-cursive be
> removed from the archive)?
>
> I'm asking because an old version of libgit2-1.5 binary package cannot
> be removed from unstable, as rust-ripasso-cursive cannot be rebuilt
> right now to pick up the new dependency.
>
> Regards,
> Salvatore
>


Bug#981301: elvish: please document where you want tab completion directives installed

2024-02-05 Thread Alexander Kjäll
I just ran into the same problem when trying to determine where to
place the tab completions for Sequoia's gpg-sq and gpgv-sq.

//Alex



Bug#1062667: rust-h2: Resource exhaustion vulnerability in h2 may lead to Denial of Service

2024-02-02 Thread Alexander Kjäll
Source: rust-h2
Severity: important
X-Debbugs-Cc: alexander.kj...@gmail.com

Dear Maintainer,

An attacker with an HTTP/2 connection to an affected endpoint can send 
a steady stream of invalid frames to force the generation of reset frames 
on the victim endpoint. By closing their recv window, the attacker could 
then force these resets to be queued in an unbounded fashion, resulting 
in Out Of Memory (OOM) and high CPU usage.

This is corrected in hyperium/h2#737, which limits the total number 
of internal error resets emitted by default before the connection is 
closed.


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.11-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1062663: rust-snow: Unauthenticated Nonce Increment in snow

2024-02-02 Thread Alexander Kjäll
Source: rust-snow
Severity: important
X-Debbugs-Cc: alexander.kj...@gmail.com

Dear Maintainer,

There was a logic bug where unauthenticated payloads could still cause 
a nonce increment in snow's internal state. For an attacker with the 
ability to inject packets into the channel Noise is talking over, this 
allows a denial-of-service type attack which could prevent 
communication as it causes the sending and receiving side to be 
expecting different nonce values than would arrive.

Note that this only affects those who are using the stateful 
TransportState, not those using StatelessTransportState.

Patches

This has been patched in version 0.9.5, and all users are recommended to update.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.11-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set 
LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
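The desynchronisation described in the report above is easiest to see with the two orderings side by side. The following is an added example, not snow's code and not part of the bug report: a hypothetical stateful receiver with a flag that selects whether the receive counter is advanced before or after the tag is verified. The "tag" is a constructed stand-in built from std's DefaultHasher, not a real MAC and not Noise's AEAD; the sender, receiver and packet types are all assumptions made for the demo.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Toy authenticator standing in for Noise's AEAD tag: hash of (key, nonce, payload).
/// Constructed for this demo only; it is not a real MAC and not what snow uses.
fn toy_tag(key: u64, nonce: u64, payload: &[u8]) -> u64 {
    let mut h = DefaultHasher::new();
    key.hash(&mut h);
    nonce.hash(&mut h);
    payload.hash(&mut h);
    h.finish()
}

/// A packet on the wire: payload plus tag. As in Noise transport mode the nonce is
/// never transmitted; both sides keep their own counters and must stay in step.
#[derive(Clone, Debug)]
struct Packet {
    payload: Vec<u8>,
    tag: u64,
}

/// Hypothetical stateful receiver modelling the bug class in snow's TransportState
/// before 0.9.5 (simplified; not snow's implementation).
struct Receiver {
    key: u64,
    recv_nonce: u64,
    increment_before_verify: bool,
}

impl Receiver {
    /// Returns Ok(payload) when the tag verifies under the expected nonce, Err otherwise.
    fn read_message(&mut self, pkt: &Packet) -> Result<Vec<u8>, &'static str> {
        let expected = self.recv_nonce;
        if self.increment_before_verify {
            // Vulnerable ordering: state advances even for a packet that fails authentication,
            // so an injected junk packet moves the receiver one nonce ahead of the sender.
            self.recv_nonce += 1;
        }
        if toy_tag(self.key, expected, &pkt.payload) != pkt.tag {
            return Err("authentication failed");
        }
        if !self.increment_before_verify {
            // Fixed ordering: advance the counter only once the payload is authenticated.
            self.recv_nonce += 1;
        }
        Ok(pkt.payload.clone())
    }
}

/// Hypothetical sender: authenticates under its own counter and advances it per message.
struct Sender {
    key: u64,
    send_nonce: u64,
}

impl Sender {
    fn write_message(&mut self, payload: &[u8]) -> Packet {
        let pkt = Packet { payload: payload.to_vec(), tag: toy_tag(self.key, self.send_nonce, payload) };
        self.send_nonce += 1;
        pkt
    }
}

/// Runs the scenario from the report: one legitimate message, one injected packet that
/// does not authenticate, then another legitimate message. Returns whether that third
/// message is still accepted, i.e. whether the channel survived the injection.
fn channel_survives_injection(increment_before_verify: bool) -> bool {
    let key = 0x5eed; // constructed shared key for the demo
    let mut tx = Sender { key, send_nonce: 0 };
    let mut rx = Receiver { key, recv_nonce: 0, increment_before_verify };
    assert!(rx.read_message(&tx.write_message(b"hello")).is_ok());
    // Injected packet: plausible shape, but not authenticated under the shared key.
    let forged = Packet { payload: b"junk".to_vec(), tag: 0 };
    assert!(rx.read_message(&forged).is_err());
    rx.read_message(&tx.write_message(b"world")).is_ok()
}

fn main() {
    println!("increment before verify, channel usable afterwards: {}", channel_survives_injection(true));
    println!("increment after verify, channel usable afterwards:  {}", channel_survives_injection(false));
}
```

The detection angle for a deployment is the symptom itself: a run of authentication failures on otherwise healthy links after a single bad packet is the signature of counter desynchronisation, and it only arises with the stateful transport, as the report notes.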



Bug#1059675: rust-ahash - autopkgtest failure on s390x.

2024-01-30 Thread Alexander Kjäll
Hi

That ahash is missing is blocking an upgrade of hashbrown, and that is
blocking the packaging of gitoxide and cargo among other things.

Is there something I can do to help out here?

//Alex



Bug#1061705: rust-bendy: dependency on rust-failure, that has security problems

2024-01-28 Thread Alexander Kjäll
Source: rust-bendy
Severity: normal
X-Debbugs-Cc: alexander.kj...@gmail.com

Dear Maintainer,

Please consider pulling in this commit:

https://github.com/P3KI/bendy/commit/5abd78e79f86766094a2e1841e8bbdd696089b01

As failure is unsound: https://rustsec.org/advisories/RUSTSEC-2019-0036.html

//Alex

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.11-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1061577: rust-rio: use-after-free buffer access when a future is leaked

2024-01-26 Thread Alexander Kjäll
Source: rust-rio
Severity: important
X-Debbugs-Cc: alexander.kj...@gmail.com

Dear Maintainer,

https://rustsec.org/advisories/RUSTSEC-2020-0021.html

Description

When a rio::Completion is leaked, its drop code will not run.
The drop code is responsible for waiting until the kernel
completes the I/O operation into, or out of, the buffer
borrowed by rio::Completion. Leaking the struct will allow one
to access and/or drop the buffer, which can lead to a
use-after-free, data races or leaking secrets.


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.11-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1058501: rust-ansi-parser: Stop using rust-nom-4

2024-01-13 Thread Alexander Kjäll
I wrote a patch to upgrade to nom 7, and it was somewhat non-trivial.

I would like to run this by upstream before we pull this into Debian:

https://gitlab.com/davidbittner/ansi-parser/-/merge_requests/14

//Alex



Bug#1056253: rust-ripasso-cursive - FTBFS with rust-ripasso 0.6.4

2023-12-11 Thread Alexander Kjäll
Hi

I'm sorry for the semver breakage, the last version was a bit stressed
out due to the security problems with libgit2 not verifying server
signatures (that has since been fixed).

I think the best path forward might be to package the latest versions,
I have started that but not finished yet due to some real life things
taking all my free time lately.

best regards
Alexander Kjäll



Bug#1056366: RM: rust-signature-derive -- RoM; superfluous package

2023-11-21 Thread Alexander Kjäll
Package: ftp.debian.org
Severity: normal

Please drop package, as it is already provided by rust-signature.

See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051867



Bug#1002056: rust-gix-features seem to depend on zlib-ng

2023-11-04 Thread Alexander Kjäll
Hi

Some Rust code I'm trying to package seems to depend on zlib-ng. This
can maybe be patched out, but I thought I should ask about the status of
this packaging effort before I undertake that work.

best regards
Alexander Kjäll



Bug#1052404: RFP: axum -- web application framework that focuses on ergonomics and modularity

2023-09-21 Thread Alexander Kjäll
I think the solution here is to mark some of the autopkgtests as
broken. The dependency loop is only there if you take dev-dependencies
into account and those are mostly optional to package. I can make an
attempt on packaging them.

//Alex

On Thu, 21 Sep 2023 at 13:03, Reinhard Tartler wrote:
>
> Package: wnpp
> Severity: wishlist
>
> * Package name: axum
>   Version : 0.8.0
> * URL or Web page : https://github.com/tokio-rs/axum
> * License : MIT
>   Description : web application framework that focuses on ergonomics and modularity
>
> Hey folks, I need help packaging axum.
>
> This package is a new dependency of https://github.com/hyperium/tonic,
> which is needed by newer versions of netavark (which is the userspace
> network stack for podman, the alternative to docker)
>
> I struggle with packaging this package because it consists of two crates
> that depend on each other. Upstream uses a workspace build and publishes
> all of them, that is, axum, axum-core and axum-macros at the same time.
> Turns out that the debcargo-conf infrastructure is not suitable for
> this.
>
> Can someone please give me a hand with packaging these three crates so
> that they are built from a single debian source package?
>
> Thanks!
>



Bug#1042909: RM: rust-sha3-0.9 -- NVIU; obsolete package, no rdeps

2023-09-14 Thread Alexander Kjäll
tags 1042909 - moreinfo

thanks

We needed some more time to handle a transition, sorry for filing this
bug prematurely.



Bug#1050159: RM: rust-wasmer-enumset -- ROM

2023-08-21 Thread Alexander Kjäll
Package: ftp.debian.org
Severity: normal

As per #1050138 there is no longer any need for this package.



Bug#1050158: RM: rust-wasmer-enumset-derive -- ROM

2023-08-21 Thread Alexander Kjäll
Package: ftp.debian.org
Severity: normal

As per #1050138 there is no longer any need for this package.



Bug#1042909: RM: rust-sha3-0.9 -- NVIU; obsolete package, no rdeps

2023-08-02 Thread Alexander Kjäll
Package: ftp.debian.org
Severity: normal

Hi, please remove this package on all architectures. It is an old rust library
used for transitioning with no reverse dependencies.



Bug#1039939: librust-wyz-dev: impossible to install

2023-06-29 Thread Alexander Kjäll
Hi

The missing dependency is in new:

https://ftp-master.debian.org/new/rust-typemap_0.3.3-1.html

Maybe it would save everyone some time if you checked that before
filing these kinds of bugs?

best regards
Alexander Kjäll



Bug#1039694: librust-iai-dev: impossible to install due to missing build-dependency

2023-06-28 Thread Alexander Kjäll
Hi

The missing dependency is in new:

https://ftp-master.debian.org/new/rust-iai-macro_0.1.1-1.html

best regards
Alexander Kjäll



Bug#1026635: [Pkg-rust-maintainers] Bug#1026635: rust-packed-simd: FTBFS: dh_auto_test: error: /usr/share/cargo/bin/cargo build returned exit code 101

2023-04-30 Thread Alexander Kjäll
Hi

I noticed that the upstream project seems to have regained access and
started to publish new versions of packed_simd again:
https://crates.io/crates/packed_simd

I don't have a strong opinion regarding deleting this or not, but I
checked and it wasn't hard to get it building, so I pushed a commit
with the new version:

https://salsa.debian.org/rust-team/debcargo-conf/-/commit/f7a718c857cb5d62053b90e0ad6c88d70aba0ab7

//Alex



Bug#1035062: RM: rust-tree-magic -- ROM; never entered testing, no longer needed as nothing depends on it

2023-04-28 Thread Alexander Kjäll
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: rust-tree-ma...@packages.debian.org
Control: affects -1 + src:rust-tree-magic

Packages that depended on tree-magic have migrated to other packages.
rust-tree-magic never entered testing due to depending on nom-3, which won't 
enter testing either.



Bug#1035057: RM: rust-sloppy-rfc4880 -- NPOASR; unsatisfiable build-dependency, packaged as a dependency of a project that was never packaged for debian so it's no longer needed

2023-04-28 Thread Alexander Kjäll
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: rust-sloppy-rfc4...@packages.debian.org
Control: affects -1 + src:rust-sloppy-rfc4880

This package has never been part of a stable release, and it's no longer needed 
as no one works on the project that this was a dependency for.



Bug#1034909: RM: rust-ncurses -- ROM; open security issues

2023-04-27 Thread Alexander Kjäll
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: rust-ncur...@packages.debian.org
Control: affects -1 + src:rust-ncurses

Please remove rust-ncurses. It was packaged for rust-curses, but has 
been patched out from that library as there are open security issues that
the maintainer isn't willing to address.



Bug#1033335: Don't include in Bookworm

2023-03-23 Thread Alexander Kjäll
Hi

The list-rdeps.sh script in
https://salsa.debian.org/rust-team/debcargo-conf/ shows that it's in
use:

$ ./dev/list-rdeps.sh const-cstr
Versions of rust-const-cstr in unstable:
  librust-const-cstr-dev   0.3.0-1+b1

Versions of rdeps of rust-const-cstr in unstable, that also exist in testing:
  librust-yeslogic-fontconfig-sys-dev  3.0.1-1+b1
depends on librust-const-cstr-0.3+default-dev,

And since unmaintained is just a notification about how fast the
maintainer responds, and not really a security problem in itself, I
would rather not remove it as it might set off further deletions.

//Alex



Bug#1032589: sq-wot: Please update

2023-03-10 Thread Alexander Kjäll
Hi

I have started to look at updating the group of sequoia packages as
part of packaging https://crates.io/crates/sequoia-chameleon-gnupg

But since we are in a freeze right now I haven't spent very much time
on it; I am very happy to collaborate on the effort.

//Alex



Bug#1031954: ITP: cargo-auditable -- cargo subcommand for adding SBOM

2023-02-25 Thread Alexander Kjäll
Package: wnpp
Severity: wishlist

Description: Know the exact crate versions used to build your Rust
executable. Audit binaries for known bugs or security vulnerabilities
in production, at scale, with zero bookkeeping.

This works by embedding data about the dependency tree in JSON format
into a dedicated linker section of the compiled executable.


URL: https://crates.io/crates/cargo-auditable

License: MIT OR Apache-2.0
Copyright: Sergey "Shnatsel" Davidoff



Bug#996913: rust-chrono: Potential segfault in localtime_r invocations

2021-10-20 Thread Alexander Kjäll
Source: rust-chrono
Severity: minor
Tags: security

Dear Maintainer,

This package is affected by this security vulnerability that isn't tracked by 
Debian yet:

https://rustsec.org/advisories/RUSTSEC-2020-0159.html

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-1-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#995562: librust-nix-dev: Out-of-bounds write in nix::unistd::getgrouplist

2021-10-02 Thread Alexander Kjäll
Package: librust-nix-dev
Version: 0.19.0-1
Severity: normal
Tags: security

Dear Maintainer,

This package is affected by this security vulnerability that isn't tracked by 
Debian yet:

https://rustsec.org/advisories/RUSTSEC-2021-0119.html


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-1-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages librust-nix-dev depends on:
pn  librust-bitflags-1+default-dev
pn  librust-cc-1+default-dev  
pn  librust-cfg-if-0.1+default-dev
pn  librust-libc-0.2+default-dev  
ii  librust-libc-dev [librust-libc-0.2+extra-traits-dev]  0.2.80-1

librust-nix-dev recommends no packages.

librust-nix-dev suggests no packages.



Bug#972100: [Pkg-rust-maintainers] Bug#972100: CVE-2019-15547 CVE-2019-15548 (rust-ncurses)

2020-10-14 Thread Alexander Kjäll
Hi

I'm slowly working my way towards packaging ripasso, which doesn't use
ncurses-rs due to the above security problems. But it does use cursive
( https://crates.io/crates/cursive ), which has ncurses-rs as an
optional dependency.

Currently the rust packaging system in debian requires all optional
dependencies to be present in order to build the package.

I have suggested to the cursive maintainer to remove ncurses-rs due to
the above security concerns here (
https://github.com/gyscos/cursive/issues/488 ) but I suspect that this
would be considered quite a disruptive change, I have also started to
rewrite it to use ncursesw but haven't had the time/skill to finish
that work yet.

I'm not opposed to removing it, as that kind of unmaintained code with
known security problems is an exploit waiting to happen. But it would
also require a lot of work to happen before we can package anything
that depends on cursive into Debian.

best regards
Alexander Kjäll

On Wed, 14 Oct 2020 at 05:57, peter green wrote:
>
> I just looked at this issue.
>
> rust-ncurses is a thin wrapper around ncurses. It exposes unsafe (in the rust
> sense) C APIs to safe rust code. The rust security team consider this to be
> a vulnerability.
>
> There is more discussion of this issue at
> https://github.com/jeaye/ncurses-rs/issues/188. The fix would be to mark
> most if not all of the functions exposed by the library as unsafe and
> release a new major version of the library. Any reverse dependencies would
> then need to be adapted to work with the new unsafe functions. The upstream
> maintainer has indicated they would be accepting of a pull request but is
> not interested in doing the work themselves.
>
> There is also another wrapper called ncursesw which seems to be better
> maintained and offers both low-level wrappers (correctly marked as unsafe)
> and higher-level wrappers (some of which are safe). It is not packaged in
> Debian.
>
> I looked to see what, if any, packages in Debian use rust-ncurses and I did
> not find any in either buster, bullseye or sid. Is there a reason to keep
> this package around?
>
> ___
> Pkg-rust-maintainers mailing list
> pkg-rust-maintain...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-rust-maintainers



Bug#970586: rust-sized-chunks: Multiple soundness issues in Chunk and InlineArray

2020-09-19 Thread Alexander Kjäll
Source: rust-sized-chunks
Version: 0.6.2-1
Severity: normal
Tags: upstream, security

Dear Maintainer,

Chunk:

Array size is not checked when constructed with unit() and pair().
Array size is not checked when constructed with From>.
Clone and insert_from are not panic-safe; a panicking iterator causes 
memory safety issues with them.

InlineArray:

Generates unaligned references for types with a large alignment requirement.


Rust advisory here: https://rustsec.org/advisories/RUSTSEC-2020-0041.html

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#970186: rust-rand-core-0.3: Unaligned memory access resulting in undefined behavior

2020-09-12 Thread Alexander Kjäll
Source: rust-rand-core-0.3
Version: 0.3.0-2
Severity: normal
Tags: upstream, security

Dear Maintainer,


Versions under 0.4.2 violated alignment when casting byte slices to integer 
slices, resulting in undefined behavior.

Advisory: https://rustsec.org/advisories/RUSTSEC-2019-0035.html


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#970185: rust-rand-core-0.2: Unaligned memory access resulting in undefined behavior

2020-09-12 Thread Alexander Kjäll
Package: rust-rand-core-0.2
Version: 0.2.2-1
Severity: normal
Tags: upstream, security

Dear Maintainer,


Versions under 0.4.2 violated alignment when casting byte slices to integer 
slices, resulting in undefined behavior.

Advisory: https://rustsec.org/advisories/RUSTSEC-2019-0035.html


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#969911: rust-rand-core: Unaligned memory access resulting in undefined behavior

2020-09-08 Thread Alexander Kjäll
Source: rust-rand-core
Version: 0.3.0-1
Severity: normal
Tags: upstream, security

Dear Maintainer,

Versions under 0.4.2 violated alignment when casting byte slices to integer 
slices, resulting in undefined behavior.

Advisory: https://rustsec.org/advisories/RUSTSEC-2019-0035.html


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
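The three rand-core reports above (rust-rand-core-0.3, rust-rand-core-0.2 and rust-rand-core) all cite the same alignment violation: a byte slice reinterpreted as an integer slice without checking that its start address is aligned for the integer type. As an added example, not rand_core's code and not part of any of the reports, the block below shows the precondition such a cast would need, and an alignment-independent decode that needs no cast at all. The `Aligned16` backing store and the helper names are constructed for the demo.

```rust
use std::mem::{align_of, size_of};

/// 4-byte-aligned backing store, so the demo can derive both an aligned and a
/// deliberately misaligned byte slice from it without any unsafe code (constructed).
#[repr(C, align(4))]
struct Aligned16([u8; 16]);

/// The precondition that a reinterpreting cast from &[u8] to &[T] would require:
/// the start address is a multiple of align_of::<T>() and the length is a whole number
/// of T values. rand_core < 0.4.2 performed the cast without this check, which is the
/// undefined behaviour RUSTSEC-2019-0035 describes.
fn is_castable_to<T>(bytes: &[u8]) -> bool {
    (bytes.as_ptr() as usize) % align_of::<T>() == 0 && bytes.len() % size_of::<T>() == 0
}

/// Alignment-independent decode: every 4-byte chunk is copied into a u32 with
/// from_le_bytes, so the source may start at any address. Trailing bytes that do not
/// fill a chunk are ignored; the return value is the number of words written.
fn fill_u32_le(dest: &mut [u32], src: &[u8]) -> usize {
    let mut written = 0;
    for (d, chunk) in dest.iter_mut().zip(src.chunks_exact(4)) {
        *d = u32::from_le_bytes([chunk[0], chunk[1], chunk[2], chunk[3]]);
        written += 1;
    }
    written
}

/// Builds a 16-byte buffer 0,1,2,...,15 at a 4-byte boundary, takes a slice that starts
/// one byte in (guaranteed misaligned for u32), and decodes it the safe way.
/// Returns (aligned slice castable?, shifted slice castable?, decoded words).
fn demo() -> (bool, bool, Vec<u32>) {
    let mut store = Aligned16([0u8; 16]);
    for (i, b) in store.0.iter_mut().enumerate() {
        *b = i as u8;
    }
    let aligned = &store.0[..]; // starts on a 4-byte boundary, 16 bytes long
    let shifted = &store.0[1..13]; // starts at boundary + 1: misaligned for u32
    let mut out = [0u32; 3];
    let n = fill_u32_le(&mut out, shifted);
    (is_castable_to::<u32>(aligned), is_castable_to::<u32>(shifted), out[..n].to_vec())
}

fn main() {
    let (aligned_ok, shifted_ok, words) = demo();
    println!("aligned slice castable to &[u32]: {aligned_ok}");
    println!("shifted slice castable to &[u32]: {shifted_ok}");
    println!("decoded without a cast: {words:08x?}");
}
```

The per-chunk copy is the conservative choice: it costs a few instructions per word but removes the alignment assumption entirely, which is what the fixed rand_core releases rely on for the byte-to-integer path. Where in-place access is really needed, `<[u8]>::align_to::<u32>()` is the std facility that splits off the unaligned head and tail, and the `is_castable_to` check above is exactly the invariant a reviewer should look for before any raw pointer cast between slice types.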



Bug#969899: rust-libflate: use-after-free vulnerability on panic in client code

2020-09-08 Thread Alexander Kjäll
Source: rust-libflate
Version: 0.1.19-1
Severity: normal
Tags: upstream, security

Dear Maintainer,

The library has a use-after-free vulnerability in versions from 0.1.14 up to 
but not including 0.1.25.

Advisory text: https://rustsec.org/advisories/RUSTSEC-2019-0010.html


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set 
LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#969896: rust-http: Integer Overflow in HeaderMap::reserve() can cause Denial of Service

2020-09-08 Thread Alexander Kjäll
Source: rust-http
Version: 0.1.19-1
Severity: normal

Dear Maintainer,

Versions below 0.1.20 of rust-http have a denial of service vulnerability.

Description of the vulnerability:

HeaderMap::reserve() used usize::next_power_of_two() to calculate the increased 
capacity. However, next_power_of_two() silently overflows to 0 if given a 
sufficiently large number in release mode.

If the map was not empty when the overflow happens, the library will invoke 
self.grow(0) and start infinite probing. This allows an attacker who controls 
the argument to reserve() to cause a potential denial of service (DoS).

The flaw was corrected in the 0.1.20 release of the http crate.

Link to advisory: https://rustsec.org/advisories/RUSTSEC-2019-0033.html

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set 
LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
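The overflow described in the report above is worth seeing in code, because the failure is silent only in release builds (a debug build panics at the same point). What follows is an added example, not the http crate's code and not part of the bug report: a simplified model of the growth computation next to a checked version, plus a hypothetical `ToyHeaderMap` whose `reserve` refuses an overflowing request instead of reaching a zero-sized grow. The names `next_power_of_two_release`, `vulnerable_new_capacity`, `checked_new_capacity` and `ToyHeaderMap` are all assumptions made for the demo.

```rust
/// Error returned when a capacity request cannot be represented.
#[derive(Debug, PartialEq, Eq)]
struct CapacityOverflow;

/// Reproduces what usize::next_power_of_two does in a release build when the result
/// does not fit: it wraps to 0. The checked variant gives the demo that value
/// deterministically whether it is compiled in debug or release mode.
fn next_power_of_two_release(n: usize) -> usize {
    n.checked_next_power_of_two().unwrap_or(0)
}

/// Growth computation as the advisory describes it for http < 0.1.20 (simplified model,
/// not the crate's code): required = len + additional, capacity = next_power_of_two(required).
/// With an attacker-controlled `additional` the result can be 0, which fed grow(0).
fn vulnerable_new_capacity(len: usize, additional: usize) -> usize {
    next_power_of_two_release(len.wrapping_add(additional))
}

/// Hardened computation: the addition and the rounding are both checked, so an overflow
/// is reported to the caller instead of being turned into a zero-sized grow.
fn checked_new_capacity(len: usize, additional: usize) -> Result<usize, CapacityOverflow> {
    len.checked_add(additional)
        .and_then(usize::checked_next_power_of_two)
        .ok_or(CapacityOverflow)
}

/// Minimal stand-in for a header map's size bookkeeping (hypothetical; no real storage).
struct ToyHeaderMap {
    len: usize,
    capacity: usize,
}

impl ToyHeaderMap {
    fn new() -> Self {
        ToyHeaderMap { len: 0, capacity: 0 }
    }

    /// Hardened reserve: an overflowing request is refused before any growth happens,
    /// so the grow(0) path that caused infinite probing can no longer be reached.
    fn reserve(&mut self, additional: usize) -> Result<(), CapacityOverflow> {
        let needed = self.len.checked_add(additional).ok_or(CapacityOverflow)?;
        if needed <= self.capacity {
            return Ok(());
        }
        let new_capacity = checked_new_capacity(self.len, additional)?;
        debug_assert!(new_capacity > 0);
        self.capacity = new_capacity;
        Ok(())
    }
}

fn main() {
    // 2^(bits-1): the smallest request for which rounding up cannot fit in usize.
    let big = usize::MAX / 2 + 1;
    println!("vulnerable: reserve(5 + big) -> capacity {}", vulnerable_new_capacity(5, big));
    println!("checked:    reserve(5 + big) -> {:?}", checked_new_capacity(5, big));
    let mut map = ToyHeaderMap::new();
    map.len = 3;
    println!("reserve(10) -> {:?}, capacity {}", map.reserve(10), map.capacity);
    println!("reserve(big) -> {:?}, capacity {}", map.reserve(big), map.capacity);
}
```

The review check this suggests is mechanical: any capacity or length arithmetic that is driven by input from the peer should use the `checked_*` family (or return an error from a fallible API such as `try_reserve`), and `cargo audit` flags the affected http versions from RUSTSEC-2019-0033 directly.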



Bug#969839: rust-failure: type confusion when downcasting, which is an undefined behavior

2020-09-08 Thread Alexander Kjäll
Source: rust-failure
Severity: normal
Tags: upstream

Dear Maintainer,

Security problem reported upstream: 
https://rustsec.org/advisories/RUSTSEC-2019-0036.html

And the project is EOL without a fix: 
https://rustsec.org/advisories/RUSTSEC-2020-0036.html

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set 
LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#946112: RFP: ripasso-cursive -- ncurses based password maintainer written in rust

2019-12-03 Thread Alexander Kjäll
Package: wnpp
Severity: wishlist

Description: A simple password manager written in Rust. It is compatible
with the pass filesystem layout and has an ncurses GUI.

URL: https://github.com/cortex/ripasso/

License: GPLv3
Copyright: Alexander Kjäll, Joakim Lundbord