[staging-next-25.11] alsa-lib: fix patch for CVE-2026-25068 for v1.2.14 #493885

Merged: mdaniels5757 merged 1 commit into NixOS:staging-next-25.11 from whispersofthedawn:ps/alsa-lib on Feb 25, 2026

@whispersofthedawn whispersofthedawn commented Feb 25, 2026

#492079 introduced a patch for CVE-2026-25068, which was backported to staging-25.11 in #492453. However, the patch fails to compile when ported directly to 25.11 since the way of doing error handling changed from an `SNDERR` macro to an `snd_error` function between v1.2.14 (which is on 25.11) and v1.2.15. In order to fix this, we vendor the patch and change the offending line like so:

- +			snd_error(TOPOLOGY, "mixer: unexpected channel count %d", map->num_channels);
+ +			SNDERR("mixer: unexpected channel count %d", map->num_channels);
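
Review bot: on the replaced line, the vendored patch now differs from the upstream fix, and nothing in the diff records that or says when the copy can be dropped. If the vendored patch file does not already carry one, add a header comment (or a comment next to the patch in the package expression) stating that it is the CVE-2026-25068 fix with this one line changed from `snd_error(TOPOLOGY, ...)` to `SNDERR(...)` for v1.2.14, and that it should be replaced by the unmodified upstream patch once the package reaches v1.2.15. The swap is one added line for one added line, so the line counts in the vendored patch's hunk header need no adjustment.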

Alternatively, the package itself could be updated? Not familiar enough with alsa-lib to assess whether that should happen/is liable to cause breakage. This is probably the lowest impact option, but I don't know if it's the best.

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

@github-actions github-actions bot left a comment

This report is automatically generated by the PR / Check / cherry-pick CI workflow.

Some of the commits in this PR require the author's and reviewer's attention.

If you need to merge this PR despite the warnings, please dismiss this review shortly before merging.

Important

7b1d330 is not a cherry-pick, because: fix that does not apply to unstable since it is on a later version of package. Please review this commit manually.

Hint: The full diffs are also available in the runner logs with slightly better highlighting.

NixOS#492079 introduced a patch for CVE-2026-25068, which was backported to
staging-25.11 in NixOS#492453. However, the patch fails to compile when
ported directly to 25.11 since the way of doing error handling changed
from an `SNDERR` macro to an `snd_error` function between v1.2.14 (which
is on 25.11) and v1.2.15. In order to fix this, we vendor the patch
and change the offending line like so:

```diff
- +			snd_error(TOPOLOGY, "mixer: unexpected channel count %d", map->num_channels);
+ +			SNDERR("mixer: unexpected channel count %d", map->num_channels);
```

Not-cherry-picked-because: fix that does not apply to unstable since it is on a later version of package

@nixpkgs-ci nixpkgs-ci bot added labels on Feb 25, 2026:

  • 10.rebuild-linux: 501+ (This PR causes many rebuilds on Linux and should normally target the staging branches.)
  • 10.rebuild-darwin: 1-10 (This PR causes between 1 and 10 packages to rebuild on Darwin.)
  • 10.rebuild-linux: 5001+ (This PR causes many rebuilds on Linux and must target the staging branches.)
  • 9.needs: reviewer (This PR currently has no reviewers requested and needs attention.)
  • 4.workflow: backport (This targets a stable branch.)

@mdaniels5757 mdaniels5757 left a comment

The spacing in your patch is different, but I verified that it's otherwise the same as Ubuntu's (from alsa-lib_1.2.14-1ubuntu1.1.debian.tar.xz, so not suitable for fetchpatch).

@mdaniels5757

Built on aarch64-linux at HEAD, I should've mentioned.

@mdaniels5757 mdaniels5757 added this pull request to the merge queue Feb 25, 2026
Merged via the queue into NixOS:staging-next-25.11 with commit fadd0c9 Feb 25, 2026
35 checks passed
@whispersofthedawn whispersofthedawn deleted the ps/alsa-lib branch February 25, 2026 05:57