Patch musl's CVE-2026-6042 and CVE-2026-40200 #155171

rust-bors[bot] merged 1 commit into rust-lang:main from

rustbot has assigned @Mark-Simulacrum.

Nominating for 1.96-beta and 1.95-stable.

@rustbot label +beta-nominated +stable-nominated

@bors try jobs=dist-arm-linux-musl,dist-i586-gnu-i586-i686-musl,dist-various-1,dist-various-2,dist-x86_64-musl,test-various

Patch musl's CVE-2026-6042 and CVE-2025-26519

try-job: dist-arm-linux-musl
try-job: dist-i586-gnu-i586-i686-musl
try-job: dist-various-1
try-job: dist-various-2
try-job: dist-x86_64-musl
try-job: test-various

- [CVE-2026-6042] is a denial of service in `iconv`.
- [CVE-2026-40200] is an out-of-bounds write in `qsort`.

Neither is relevant to Rust itself, but they could be used in mixed-language projects that link with our `self-contained/libc.a`.

[CVE-2026-6042]: https://www.openwall.com/lists/oss-security/2026/04/09/19
[CVE-2026-40200]: https://www.openwall.com/lists/musl/2026/04/10/3

Sorry, I mixed up my CVE numbers and links when writing the commit message, now fixed. The patches were the right ones though, so the try build should still be testing the right thing.

r=me in principle, and I think I'll probably pull this into stable artifact building ~Monday. Not sure we really have a team to approve the backport (compiler? libs?) but it feels like it should be uncontroversial.

@bors r+ p=1

Rollup of 4 pull requests

Successful merges:

- #155171 (Patch musl's CVE-2026-6042 and CVE-2026-40200)
- #153630 (Deprioritize doc(hidden) re-exports in diagnostic paths)
- #152613 (unsafe keyword docs: bring back unsafe_op_in_unsafe_fn lint discussion)
- #155142 (impl const Residual for ControlFlow)

Rollup merge of #155171 - cuviper:musl-cves, r=Mark-Simulacrum

Patch musl's CVE-2026-6042 and CVE-2026-40200

- [CVE-2026-6042] is a denial of service in `iconv`.
- [CVE-2026-40200] is an out-of-bounds write in `qsort`.

Neither is relevant to Rust itself, but they could be used in mixed-language projects that link with our `self-contained/libc.a`.

[CVE-2026-6042]: https://www.openwall.com/lists/oss-security/2026/04/09/19
[CVE-2026-40200]: https://www.openwall.com/lists/musl/2026/04/10/3

Leaving the beta nomination (and acceptance) so this goes into 1.96, manually bringing it into 1.95 (not technically a stable backport).

And included it in the beta branch PR as well, so should be handled.

[stable] Rust 1.95.0 release

https://forge.rust-lang.org/release/process.html#stable-pr

This also backports:

* Patch musl's CVE-2026-6042 and CVE-2026-40200 #155171

and cherry picks latest release notes.

r? me

[beta] branch 1.96 release

This follows https://forge.rust-lang.org/release/process.html#beta-pr to branch beta.

It also includes a backport of:

* Patch musl's CVE-2026-6042 and CVE-2026-40200 #155171

since it landed after beta branched but per security discussion is getting backported direct to stable.

r? me

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [rust](https://github.com/rust-lang/rust) | | minor | `1.94.0` → `1.95.0` |
| rust | stage | minor | `1.94-bookworm` → `1.95-bookworm` |

---

### Release Notes

<details>
<summary>rust-lang/rust (rust)</summary>

### [`v1.95.0`](https://github.com/rust-lang/rust/blob/HEAD/RELEASES.md#Version-1950-2026-04-16)

[Compare Source](rust-lang/rust@1.94.1...1.95.0)

\===========================

<a id="1.95-Language"></a>

## Language

- [Stabilize `if let` guards on match arms](rust-lang/rust#141295)
- [`irrefutable_let_patterns` lint no longer lints on let chains](rust-lang/rust#146832)
- [Support importing path-segment keywords with renaming](rust-lang/rust#146972)
- [Stabilize inline assembly for PowerPC and PowerPC64](rust-lang/rust#147996)
- [const-eval: be more consistent in the behavior of padding during typed copies](rust-lang/rust#148967)
- [Const blocks are no longer evaluated to determine if expressions involving fallible operations can implicitly be constant-promoted.](rust-lang/rust#150557). Expressions whose ability to implicitly be promoted would depend on the result of a const block are no longer implicitly promoted.
- [Make operational semantics of pattern matching independent of crate and module](rust-lang/rust#150681)

<a id="1.95-Compiler"></a>

## Compiler

- [Stabilize `--remap-path-scope` for controlling the scoping of how paths get remapped in the resulting binary](rust-lang/rust#147611)
- [Apply patches for CVE-2026-6042 and CVE-2026-40200 to vendored musl](rust-lang/rust#155171)

<a id="1.95-Platform-Support"></a>

## Platform Support

- [Promote `powerpc64-unknown-linux-musl` to Tier 2 with host tools](rust-lang/rust#149962)
- [Promote `aarch64-apple-tvos` to Tier 2](rust-lang/rust#152021)
- [Promote `aarch64-apple-tvos-sim` to Tier 2](rust-lang/rust#152021)
- [Promote `aarch64-apple-watchos` to Tier 2](rust-lang/rust#152021)
- [Promote `aarch64-apple-watchos-sim` to Tier 2](rust-lang/rust#152021)
- [Promote `aarch64-apple-visionos` to Tier 2](rust-lang/rust#152021)
- [Promote `aarch64-apple-visionos-sim` to Tier 2](rust-lang/rust#152021)

Refer to Rust's [platform support page][platform-support-doc] for more information on Rust's tiered platform support.

[platform-support-doc]: https://doc.rust-lang.org/rustc/platform-support.html

<a id="1.95-Libraries"></a>

## Libraries

- [`thread::scope`: document how join interacts with TLS destructors](rust-lang/rust#149482)
- [Speed up `str::contains` on aarch64 targets with `neon` target feature enabled by default](rust-lang/rust#152176)

<a id="1.95-Stabilized-APIs"></a>

## Stabilized APIs

- [`MaybeUninit<[T; N]>: From<[MaybeUninit<T>; N]>`](https://doc.rust-lang.org/stable/std/mem/union.MaybeUninit.html#impl-From%3CMaybeUninit%3C%5BT;+N%5D%3E%3E-for-%5BMaybeUninit%3CT%3E;+N%5D)
- [`MaybeUninit<[T; N]>: AsRef<[MaybeUninit<T>; N]>`](https://doc.rust-lang.org/stable/std/mem/union.MaybeUninit.html#impl-AsRef%3C%5BMaybeUninit%3CT%3E;+N%5D%3E-for-MaybeUninit%3C%5BT;+N%5D%3E)
- [`MaybeUninit<[T; N]>: AsRef<[MaybeUninit<T>]>`](https://doc.rust-lang.org/stable/std/mem/union.MaybeUninit.html#impl-AsRef%3C%5BMaybeUninit%3CT%3E%5D%3E-for-MaybeUninit%3C%5BT;+N%5D%3E)
- [`MaybeUninit<[T; N]>: AsMut<[MaybeUninit<T>; N]>`](https://doc.rust-lang.org/beta/std/mem/union.MaybeUninit.html#impl-AsMut%3C%5BMaybeUninit%3CT%3E;+N%5D%3E-for-MaybeUninit%3C%5BT;+N%5D%3E)
- [`MaybeUninit<[T; N]>: AsMut<[MaybeUninit<T>]>`](https://doc.rust-lang.org/stable/std/mem/union.MaybeUninit.html#impl-AsMut%3C%5BMaybeUninit%3CT%3E%5D%3E-for-MaybeUninit%3C%5BT;+N%5D%3E)
- [`[MaybeUninit<T>; N]: From<MaybeUninit<[T; N]>>`](https://doc.rust-lang.org/stable/std/mem/union.MaybeUninit.html#impl-From%3C%5BMaybeUninit%3CT%3E;+N%5D%3E-for-MaybeUninit%3C%5BT;+N%5D%3E)
- [`Cell<[T; N]>: AsRef<[Cell<T>; N]>`](https://doc.rust-lang.org/stable/std/cell/struct.Cell.html#impl-AsRef%3C%5BCell%3CT%3E;+N%5D%3E-for-Cell%3C%5BT;+N%5D%3E)
- [`Cell<[T; N]>: AsRef<[Cell<T>]>`](https://doc.rust-lang.org/stable/std/cell/struct.Cell.html#impl-AsRef%3C%5BCell%3CT%3E%5D%3E-for-Cell%3C%5BT;+N%5D%3E)
- [`Cell<[T]>: AsRef<[Cell<T>]>`](https://doc.rust-lang.org/stable/std/cell/struct.Cell.html#impl-AsRef%3C%5BCell%3CT%3E%5D%3E-for-Cell%3C%5BT%5D%3E)
- [`bool: TryFrom<{integer}>`](https://doc.rust-lang.org/stable/std/primitive.bool.html#impl-TryFrom%3Cu128%3E-for-bool)
- [`AtomicPtr::update`](https://doc.rust-lang.org/stable/std/sync/atomic/struct.AtomicPtr.html#method.update)
- [`AtomicPtr::try_update`](https://doc.rust-lang.org/stable/std/sync/atomic/struct.AtomicPtr.html#method.try_update)
- [`AtomicBool::update`](https://doc.rust-lang.org/stable/std/sync/atomic/struct.AtomicBool.html#method.update)
- [`AtomicBool::try_update`](https://doc.rust-lang.org/stable/std/sync/atomic/struct.AtomicBool.html#method.try_update)
- [`AtomicIn::update`](https://doc.rust-lang.org/stable/std/sync/atomic/struct.AtomicIsize.html#method.update)
- [`AtomicIn::try_update`](https://doc.rust-lang.org/stable/std/sync/atomic/struct.AtomicIsize.html#method.try_update)
- [`AtomicUn::update`](https://doc.rust-lang.org/stable/std/sync/atomic/struct.AtomicUsize.html#method.update)
- [`AtomicUn::try_update`](https://doc.rust-lang.org/stable/std/sync/atomic/struct.AtomicUsize.html#method.try_update)
- [`cfg_select!`](https://doc.rust-lang.org/stable/std/macro.cfg_select.html)
- [`mod core::range`](https://doc.rust-lang.org/stable/core/range/index.html)
- [`core::range::RangeInclusive`](https://doc.rust-lang.org/stable/core/range/struct.RangeInclusive.html)
- [`core::range::RangeInclusiveIter`](https://doc.rust-lang.org/stable/core/range/struct.RangeInclusiveIter.html)
- [`core::hint::cold_path`](https://doc.rust-lang.org/stable/core/hint/fn.cold_path.html)
- [`<*const T>::as_ref_unchecked`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.as_ref_unchecked)
- [`<*mut T>::as_ref_unchecked`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.as_ref_unchecked-1)
- [`<*mut T>::as_mut_unchecked`](https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.as_mut_unchecked)
- [`Vec::push_mut`](https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.push_mut)
- [`Vec::insert_mut`](https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.insert_mut)
- [`VecDeque::push_front_mut`](https://doc.rust-lang.org/stable/std/collections/struct.VecDeque.html#method.push_front_mut)
- [`VecDeque::push_back_mut`](https://doc.rust-lang.org/stable/std/collections/struct.VecDeque.html#method.push_back_mut)
- [`VecDeque::insert_mut`](https://doc.rust-lang.org/stable/std/collections/struct.VecDeque.html#method.insert_mut)
- [`LinkedList::push_front_mut`](https://doc.rust-lang.org/stable/std/collections/struct.LinkedList.html#method.push_front_mut)
- [`LinkedList::push_back_mut`](https://doc.rust-lang.org/stable/std/collections/struct.LinkedList.html#method.push_back_mut)
- [`Layout::dangling_ptr`](https://doc.rust-lang.org/stable/std/alloc/struct.Layout.html#method.dangling_ptr)
- [`Layout::repeat`](https://doc.rust-lang.org/stable/std/alloc/struct.Layout.html#method.repeat)
- [`Layout::repeat_packed`](https://doc.rust-lang.org/stable/std/alloc/struct.Layout.html#method.repeat_packed)
- [`Layout::extend_packed`](https://doc.rust-lang.org/stable/std/alloc/struct.Layout.html#method.extend_packed)

These previously stable APIs are now stable in const contexts:

- [`fmt::from_fn`](https://doc.rust-lang.org/stable/std/fmt/fn.from_fn.html)
- [`ControlFlow::is_break`](https://doc.rust-lang.org/stable/core/ops/enum.ControlFlow.html#method.is_break)
- [`ControlFlow::is_continue`](https://doc.rust-lang.org/stable/core/ops/enum.ControlFlow.html#method.is_continue)

<a id="1.95-Rustdoc"></a>

## Rustdoc

- [In search results, rank unstable items lower](rust-lang/rust#149460)
- [Add new "hide deprecated items" setting in rustdoc](rust-lang/rust#151091)

<a id="1.95-Compatibility-Notes"></a>

## Compatibility Notes

- [Array coercions may now result in less inference constraints than before](rust-lang/rust#140283)
- Importing `$crate` without renaming, i.e. `use $crate::{self};`, is now no longer permitted due to stricter error checking for `self` imports.
- [const-eval: be more consistent in the behavior of padding during typed copies.](rust-lang/rust#148967) In very rare cases, this may cause compilation errors due to bytes from parts of a pointer ending up in the padding bytes of a `const` or `static`.
- [A future-incompatibility warning lint `ambiguous_glob_imported_traits` is now reported when using an ambiguously glob imported trait](rust-lang/rust#149058)
- [Check lifetime bounds of types mentioning only type parameters](rust-lang/rust#149389)
- [Report more visibility-related ambiguous import errors](rust-lang/rust#149596)
- [Deprecate `Eq::assert_receiver_is_total_eq` and emit future compatibility warnings on manual impls](rust-lang/rust#149978)
- [powerpc64: Use the ELF ABI version set in target spec instead of guessing](rust-lang/rust#150468) (fixes the ELF ABI used by the OpenBSD target)
- Matching on a `#[non_exhaustive]` enum [now reads the discriminant, even if the enum has only one variant](rust-lang/rust#150681). This can cause closures to capture values that they previously wouldn't.
- `mut ref` and `mut ref mut` patterns, part of the unstable [Match Ergonomics 2024 RFC](rust-lang/rust#123076), were accidentally allowed on stable within struct pattern field shorthand. These patterns are now correctly feature-gated as unstable in this position.
- [Add future-compatibility warning for derive helper attributes which conflict with built-in attributes](rust-lang/rust#151152)
- [JSON target specs](https://doc.rust-lang.org/rustc/targets/custom.html) have been destabilized and now require `-Z unstable-options` to use. Previously, they could not be used without the standard library, which has no stable build mechanism. In preparation for the `build-std` project adding that support, JSON target specs are being proactively gated to ensure they remain unstable even if `build-std` is stabilized. Cargo now includes the `-Z json-target-spec` CLI flag to automatically pass `-Z unstable-options` to the compiler when needed. See [#150151](rust-lang/rust#150151), [#151534](rust-lang/rust#150151), and [rust-lang/cargo#16557](rust-lang/cargo#16557).
- [The arguments of `#[feature]` attributes on invalid targets are now checked](rust-lang/rust#153764)

<a id="1.95-Internal-Changes"></a>

## Internal Changes

These changes do not affect any public interfaces of Rust, but they represent significant improvements to the performance or internals of rustc and related tools.

- [Update to LLVM 22](rust-lang/rust#150722)

### [`v1.94.1`](https://github.com/rust-lang/rust/blob/HEAD/RELEASES.md#Version-1941-2026-03-26)

[Compare Source](rust-lang/rust@1.94.0...1.94.1)

\===========================

<a id="1.94.1"></a>

- [Fix `std::thread::spawn` on wasm32-wasip1-threads](rust-lang/rust#153634)
- [Remove new methods added to `std::os::windows::fs::OpenOptionsExt`](rust-lang/rust#153491) The new methods were unstable, but the trait itself is not sealed and so cannot be extended with non-default methods.
- [Clippy: fix ICE in `match_same_arms`](rust-lang/rust-clippy#16685)
- [Cargo: update tar to 0.4.45](rust-lang/cargo#16769) This resolves CVE-2026-33055 and CVE-2026-33056. Users of crates.io are not affected. See [blog](https://blog.rust-lang.org/2026/03/21/cve-2026-33056/) for more details.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.erwanleboucher.dev/eleboucher/towonel/pulls/4