Skip to content

alsa-lib: apply patch for CVE-2026-25068#492079

Merged
jopejoe1 merged 1 commit intoNixOS:stagingfrom
LeSuisse:alsa-lib-CVE-2026-25068
Feb 20, 2026
Merged

alsa-lib: apply patch for CVE-2026-25068#492079
jopejoe1 merged 1 commit intoNixOS:stagingfrom
LeSuisse:alsa-lib-CVE-2026-25068

Conversation

@LeSuisse
Copy link
Member

@LeSuisse LeSuisse commented Feb 19, 2026

Fixes #488125

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

@LeSuisse LeSuisse added 1.severity: security Issues which raise a security issue, or PRs that fix one backport staging-25.11 Backport PR automatically labels Feb 19, 2026
@LeSuisse LeSuisse linked an issue Feb 19, 2026 that may be closed by this pull request
alsa-lib 1.2.15.2 Topology Decoder Heap-based Buffer Overflow #488125
Closed
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 9.needs: reviewer This PR currently has no reviewers requested and needs attention. labels Feb 19, 2026
@jopejoe1 jopejoe1 added this pull request to the merge queue Feb 20, 2026
@nixpkgs-ci nixpkgs-ci bot added 12.approvals: 1 This PR was reviewed and approved by one person. and removed 9.needs: reviewer This PR currently has no reviewers requested and needs attention. labels Feb 20, 2026
Merged via the queue into NixOS:staging with commit 9928132 Feb 20, 2026
36 of 38 checks passed
@nixpkgs-ci
Copy link
Contributor

nixpkgs-ci bot commented Feb 20, 2026

Successfully created backport PR for staging-25.11:

@nixpkgs-ci nixpkgs-ci bot mentioned this pull request Feb 20, 2026
Merged
@github-actions github-actions bot added the 8.has: port to stable This PR already has a backport to the stable release. label Feb 20, 2026
@LeSuisse LeSuisse deleted the alsa-lib-CVE-2026-25068 branch February 20, 2026 12:52
@whispersofthedawn whispersofthedawn mentioned this pull request Feb 25, 2026
Merged
13 tasks
whispersofthedawn added a commit to whispersofthedawn/nixpkgs that referenced this pull request Feb 25, 2026
@whispersofthedawn
alsa-lib: fix patch for CVE-2026-25068 for v1.2.14
7b1d330 
NixOS#492079 introduced a patch for CVE-2026-25068, which was backported to
staging-25.11 in NixOS#492453. However, the patch fails to compile when
ported directly to 25.11 since the way of doing error handling changed
from an `SNDERR` macro to an `snd_error` function between v1.2.14 (which
is on 25.11) and on v1.2.15. In order to fix this, we vendor the patch
and change the offending line like so:

```diff
- +			snd_error(TOPOLOGY, "mixer: unexpected channel count %d", map->num_channels);
+ +			SNDERR("mixer: unexpected channel count %d", map->num_channels);
```

Not-cherry-picked-because: fix that does not apply to unstable since it is on a later version of package
@jopejoe1 jopejoe1 mentioned this pull request Mar 1, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jopejoe1 jopejoe1 jopejoe1 approved these changes

Assignees

No one assigned

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 8.has: port to stable This PR already has a backport to the stable release. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 12.approvals: 1 This PR was reviewed and approved by one person. backport staging-25.11 Backport PR automatically

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

alsa-lib 1.2.15.2 Topology Decoder Heap-based Buffer Overflow

2 participants

@LeSuisse @jopejoe1