[Backport staging-25.11] alsa-lib: apply patch for CVE-2026-25068 #492453

Merged: vcunat merged 1 commit into staging-25.11 from backport-492079-to-staging-25.11 on Feb 24, 2026

nixpkgs-ci bot commented Feb 20, 2026

Bot-based backport to staging-25.11, triggered by a label in #492079.

Before merging, ensure that this backport is acceptable for the release.

Even as a non-committer, if you find that it is not acceptable, leave a comment.

Tip

If you maintain all packages touched by this pull request, and they are all located under pkgs/by-name/*, you can comment @NixOS/nixpkgs-merge-bot merge to automatically merge this PR using the nixpkgs-merge-bot.

Fixes #488125

(cherry picked from commit 4ba4d67)

nixpkgs-ci bot added the `1.severity: security` label Feb 20, 2026

LeSuisse linked an issue Feb 20, 2026 that may be closed by this pull request

nixpkgs-ci bot added the `10.rebuild-linux: 501+`, `10.rebuild-darwin: 1-10`, `10.rebuild-linux: 5001+`, `9.needs: reviewer` and `4.workflow: backport` labels Feb 20, 2026

vcunat added this pull request to the merge queue Feb 24, 2026

Merged via the queue into staging-25.11 with commit 48f7dd6 Feb 24, 2026

34 of 36 checks passed

vcunat deleted the backport-492079-to-staging-25.11 branch February 24, 2026 06:51

whispersofthedawn added a commit to whispersofthedawn/nixpkgs that referenced this pull request Feb 25, 2026
NixOS#492079 introduced a patch for CVE-2026-25068, which was backported to
staging-25.11 in NixOS#492453. However, the patch fails to compile when
ported directly to 25.11 since the way of doing error handling changed
from an `SNDERR` macro to an `snd_error` function between v1.2.14 (which
is on 25.11) and v1.2.15. In order to fix this, we vendor the patch
and change the offending line like so:

```diff
- +			snd_error(TOPOLOGY, "mixer: unexpected channel count %d", map->num_channels);
+ +			SNDERR("mixer: unexpected channel count %d", map->num_channels);
```
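
Review bot: on the replaced `+` line, the vendored copy of the CVE-2026-25068 patch now differs from the upstream patch in its logging call (`SNDERR(...)` instead of `snd_error(TOPOLOGY, ...)`), and that divergence should be recorded next to the patch rather than only in this commit message. Add a short header comment to the vendored patch, or a comment where it is applied, stating that it is the upstream fix adapted for v1.2.14 and that it should be replaced by the unmodified upstream patch once the package is at v1.2.15 or later. Only this one line is shown here, so it is also worth confirming that the rest of the vendored patch matches upstream unchanged.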

Not-cherry-picked-because: fix that does not apply to unstable since it is on a later version of package
Labels

- `1.severity: security`: Issues which raise a security issue, or PRs that fix one
- `4.workflow: backport`: This targets a stable branch
- `9.needs: reviewer`: This PR currently has no reviewers requested and needs attention.
- `10.rebuild-darwin: 1-10`: This PR causes between 1 and 10 packages to rebuild on Darwin.
- `10.rebuild-linux: 501+`: This PR causes many rebuilds on Linux and should normally target the staging branches.
- `10.rebuild-linux: 5001+`: This PR causes many rebuilds on Linux and must target the staging branches.

Development

Successfully merging this pull request may close these issues.

alsa-lib 1.2.15.2 Topology Decoder Heap-based Buffer Overflow