Patch musl's CVE-2026-6042 and CVE-2026-40200#155171
Merged
rust-bors[bot] merged 1 commit intorust-lang:mainfrom Apr 12, 2026
Merged
Patch musl's CVE-2026-6042 and CVE-2026-40200#155171rust-bors[bot] merged 1 commit intorust-lang:mainfrom
rust-bors[bot] merged 1 commit intorust-lang:mainfrom
Conversation
rustbot
added
A-CI
Collaborator
|
rustbot has assigned @Mark-Simulacrum. Use Why was this reviewer chosen?The reviewer was selected based on:
|
Member
Author
|
Nominating for 1.96-beta and 1.95-stable. @rustbot label +beta-nominated +stable-nominated |
rustbot
added
beta-nominated
Member
Author
|
@bors try jobs=dist-arm-linux-musl,dist-i586-gnu-i586-i686-musl,dist-various-1,dist-various-2,dist-x86_64-musl,test-various |
This comment has been minimized.
This comment has been minimized.
rust-bors bot
pushed a commit
that referenced
this pull request
Apr 11, 2026
Patch musl's CVE-2026-6042 and CVE-2025-26519 try-job: dist-arm-linux-musl try-job: dist-i586-gnu-i586-i686-musl try-job: dist-various-1 try-job: dist-various-2 try-job: dist-x86_64-musl try-job: test-various
cuviper
changed the title
- [CVE-2026-6042] is a denial of service in `iconv`. - [CVE-2026-40200] is an out-of-bounds write in `qsort`. Neither is relevant to Rust itself, but they could be used in mixed- language projects that link with our `self-contained/libc.a`. [CVE-2026-6042]: https://www.openwall.com/lists/oss-security/2026/04/09/19 [CVE-2026-40200]: https://www.openwall.com/lists/musl/2026/04/10/3
Member
Author
|
Sorry, I mixed up my CVE numbers and links when writing the commit message, now fixed. The patches were the right ones though, so the try build should still be testing the right thing. |
Member
|
r=me in principle, and I think I'll probably pull this into stable artifact building ~Monday. Not sure we really have a team to approve the backport (compiler? libs?) but it feels like it should be uncontroversial. |
Contributor
Member
|
@bors r+ p=1 |
Contributor
rust-bors
bot
added
S-waiting-on-bors
rust-bors bot
pushed a commit
that referenced
this pull request
Apr 12, 2026
Rollup of 4 pull requests Successful merges: - #155171 (Patch musl's CVE-2026-6042 and CVE-2026-40200) - #153630 (Deprioritize doc(hidden) re-exports in diagnostic paths) - #152613 (unsafe keyword docs: bring back unsafe_op_in_unsafe_fn lint discussion) - #155142 (impl const Residual for ControlFlow)
rust-timer
added a commit
that referenced
this pull request
Apr 12, 2026
Rollup merge of #155171 - cuviper:musl-cves, r=Mark-Simulacrum Patch musl's CVE-2026-6042 and CVE-2026-40200 - [CVE-2026-6042] is a denial of service in `iconv`. - [CVE-2026-40200] is an out-of-bounds write in `qsort`. Neither is relevant to Rust itself, but they could be used in mixed-language projects that link with our `self-contained/libc.a`. [CVE-2026-6042]: https://www.openwall.com/lists/oss-security/2026/04/09/19 [CVE-2026-40200]: https://www.openwall.com/lists/musl/2026/04/10/3
Mark-Simulacrum
added
beta-accepted
Member
|
Leaving the beta nomination (and acceptance) so this goes into 1.96, manually bringing it into 1.95 (not technically a stable backport). |
This was referenced Apr 12, 2026
Mark-Simulacrum
removed
the
beta-nominated
Member
|
And included it in the beta branch PR as well, so should be handled. |
rust-bors bot
pushed a commit
that referenced
this pull request
Apr 12, 2026
[stable] Rust 1.95.0 release https://forge.rust-lang.org/release/process.html#stable-pr This also backports: * Patch musl's CVE-2026-6042 and CVE-2026-40200 #155171 and cherry picks latest release notes. r? me
rust-bors bot
pushed a commit
that referenced
this pull request
Apr 12, 2026
[beta] branch 1.96 release This follows https://forge.rust-lang.org/release/process.html#beta-pr to branch beta. It also includes a backport of: * Patch musl's CVE-2026-6042 and CVE-2026-40200 #155171 since it landed after beta branched but per security discussion is getting backported direct to stable. r? me
rust-bors bot
pushed a commit
that referenced
this pull request
Apr 13, 2026
[stable] Rust 1.95.0 release https://forge.rust-lang.org/release/process.html#stable-pr This also backports: * Patch musl's CVE-2026-6042 and CVE-2026-40200 #155171 and cherry picks latest release notes. r? me
rust-bors bot
pushed a commit
that referenced
this pull request
Apr 13, 2026
[beta] branch 1.96 release This follows https://forge.rust-lang.org/release/process.html#beta-pr to branch beta. It also includes a backport of: * Patch musl's CVE-2026-6042 and CVE-2026-40200 #155171 since it landed after beta branched but per security discussion is getting backported direct to stable. r? me
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
iconv.qsort.Neither is relevant to Rust itself, but they could be used in mixed-language projects that link with our
self-contained/libc.a.