rust-wasmtime - Debian Package Tracker

general

source: rust-wasmtime (main)
version: 36.0.5+dfsg-1
maintainer: Jonas Smedegaard (DMD) (LowNMU)
arch: all
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 26.0.1+dfsg-3
testing: 29.0.1+dfsg-8
unstable: 36.0.5+dfsg-1

versioned links

26.0.1+dfsg-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
29.0.1+dfsg-8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
36.0.5+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

librust-cranelift-dev

action needed

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2025-53901: Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_open` after calling `fd_renumber` with either two equal argument values or a second argument being equal to a previously-closed file descriptor number value. The corrupt state introduced in `fd_renumber` will lead to the subsequent opening of a file descriptor to panic. This panic cannot introduce memory unsafety or allow WebAssembly to break outside of its sandbox, however. There is no possible heap corruption or memory unsafety from this panic. This bug is in the implementation of Wasmtime's `wasmtime-wasi` crate which provides an implementation of WASIp1. The bug requires a specially crafted call to `fd_renumber` in addition to the ability to open a subsequent file descriptor. Opening a second file descriptor is only possible when a preopened directory was provided to the guest, and this is common amongst embeddings. A panic in the host is considered a denial-of-service vector for WebAssembly embedders and is thus a security issue in Wasmtime. This bug does not affect WASIp2 and embedders using components. In accordance with Wasmtime's release process, patch releases are available as 24.0.4, 33.0.2, and 34.0.2. Users of other release of Wasmtime are recommended to move to a supported release of Wasmtime. Embedders who are using components or are not providing guest access to create more file descriptors (e.g. via a preopened filesystem directory) are not affected by this issue. Otherwise, there is no workaround at this time, and affected embeddings are recommended to update to a patched version which will not cause a panic in the host.
CVE-2026-24116: Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should updated to supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it's not recommended to disabled guard pages as it is a key defense-in-depth measure of Wasmtime.

Created: 2025-07-19 Last update: 2026-02-11 05:00

2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:

CVE-2025-53901: Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_open` after calling `fd_renumber` with either two equal argument values or a second argument being equal to a previously-closed file descriptor number value. The corrupt state introduced in `fd_renumber` will lead to the subsequent opening of a file descriptor to panic. This panic cannot introduce memory unsafety or allow WebAssembly to break outside of its sandbox, however. There is no possible heap corruption or memory unsafety from this panic. This bug is in the implementation of Wasmtime's `wasmtime-wasi` crate which provides an implementation of WASIp1. The bug requires a specially crafted call to `fd_renumber` in addition to the ability to open a subsequent file descriptor. Opening a second file descriptor is only possible when a preopened directory was provided to the guest, and this is common amongst embeddings. A panic in the host is considered a denial-of-service vector for WebAssembly embedders and is thus a security issue in Wasmtime. This bug does not affect WASIp2 and embedders using components. In accordance with Wasmtime's release process, patch releases are available as 24.0.4, 33.0.2, and 34.0.2. Users of other release of Wasmtime are recommended to move to a supported release of Wasmtime. Embedders who are using components or are not providing guest access to create more file descriptors (e.g. via a preopened filesystem directory) are not affected by this issue. Otherwise, there is no workaround at this time, and affected embeddings are recommended to update to a patched version which will not cause a panic in the host.
CVE-2026-24116: Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should updated to supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it's not recommended to disabled guard pages as it is a key defense-in-depth measure of Wasmtime.

Created: 2025-08-09 Last update: 2026-02-11 05:00

lintian reports 5 warnings normal

Lintian reports 5 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-02-11 Last update: 2026-02-11 10:01

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit a623804df3729915bfa49f56fdcba61c63aa8366
Author: Jonas Smedegaard <dr@jones.dk>
Date:   Tue Feb 10 21:16:15 2026 +0100

    adjust patch 2000 to use feature component-model (not bogus customfeature)

Created: 2026-02-10 Last update: 2026-02-11 05:00

debian/patches: 7 patches to forward upstream low

Among the 31 debian patches available in version 36.0.5+dfsg-1 of the package, we noticed the following issues:

7 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2025-10-09 Last update: 2026-02-11 09:30

2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:

CVE-2025-53901: (needs triaging) Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_open` after calling `fd_renumber` with either two equal argument values or a second argument being equal to a previously-closed file descriptor number value. The corrupt state introduced in `fd_renumber` will lead to the subsequent opening of a file descriptor to panic. This panic cannot introduce memory unsafety or allow WebAssembly to break outside of its sandbox, however. There is no possible heap corruption or memory unsafety from this panic. This bug is in the implementation of Wasmtime's `wasmtime-wasi` crate which provides an implementation of WASIp1. The bug requires a specially crafted call to `fd_renumber` in addition to the ability to open a subsequent file descriptor. Opening a second file descriptor is only possible when a preopened directory was provided to the guest, and this is common amongst embeddings. A panic in the host is considered a denial-of-service vector for WebAssembly embedders and is thus a security issue in Wasmtime. This bug does not affect WASIp2 and embedders using components. In accordance with Wasmtime's release process, patch releases are available as 24.0.4, 33.0.2, and 34.0.2. Users of other release of Wasmtime are recommended to move to a supported release of Wasmtime. Embedders who are using components or are not providing guest access to create more file descriptors (e.g. via a preopened filesystem directory) are not affected by this issue. Otherwise, there is no workaround at this time, and affected embeddings are recommended to update to a patched version which will not cause a panic in the host.
CVE-2025-64345: (needs triaging) Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host. Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via `Memory::new` and shared memories are now excluded from core dumps. As a workaround, eembeddings affected by this issue should use `SharedMemory::new` instead of `Memory::new` to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-07-19 Last update: 2026-02-11 05:00

testing migrations

excuses:
- Migrates after: rust-wasmprinter
- Migration status for rust-wasmtime (29.0.1+dfsg-8 to 36.0.5+dfsg-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Autopkgtest for rust-wasmtime/36.0.5+dfsg-1: amd64: Regression ♻ (reference ♻), arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered (failure will be ignored), s390x: Test triggered
- ∙ ∙ Too young, only 1 of 5 days old
- ∙ ∙ Build-Depends(-Arch): rust-wasmtime rust-wasmprinter
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/r/rust-wasmtime.html
- ∙ ∙ Reproducible on amd64
- ∙ ∙ Reproducible on arm64
- ∙ ∙ Reproducible on armhf
- ∙ ∙ Reproducible on i386
- ∙ ∙ Reproducible on ppc64el
- Not considered

news

[rss feed]

[2026-02-10] Accepted rust-wasmtime 36.0.5+dfsg-1 (source) into unstable (Jonas Smedegaard)
[2026-02-06] rust-wasmtime 29.0.1+dfsg-8 MIGRATED to testing (Debian testing watch)
[2026-02-01] Accepted rust-wasmtime 29.0.1+dfsg-8 (source) into unstable (Jonas Smedegaard)
[2026-01-31] Accepted rust-wasmtime 29.0.1+dfsg-7 (source) into unstable (Jonas Smedegaard)
[2026-01-30] Accepted rust-wasmtime 29.0.1+dfsg-6 (source) into unstable (Jonas Smedegaard)
[2026-01-21] rust-wasmtime 29.0.1+dfsg-5 MIGRATED to testing (Debian testing watch)
[2026-01-16] Accepted rust-wasmtime 29.0.1+dfsg-5 (source) into unstable (Jonas Smedegaard)
[2026-01-15] Accepted rust-wasmtime 29.0.1+dfsg-4 (source) into unstable (Jonas Smedegaard)
[2026-01-14] Accepted rust-wasmtime 29.0.1+dfsg-3 (source) into unstable (Jonas Smedegaard)
[2026-01-13] Accepted rust-wasmtime 29.0.1+dfsg-2 (source) into unstable (Jonas Smedegaard)
[2026-01-02] Accepted rust-wasmtime 29.0.1+dfsg-1 (source) into experimental (Jonas Smedegaard)
[2025-12-11] rust-wasmtime 28.0.1+dfsg-3 MIGRATED to testing (Debian testing watch)
[2025-12-04] Accepted rust-wasmtime 28.0.1+dfsg-3 (source) into unstable (Jonas Smedegaard)
[2025-12-02] Accepted rust-wasmtime 28.0.1+dfsg-2 (source) into unstable (Jonas Smedegaard)
[2025-12-02] rust-wasmtime 27.0.0+dfsg-3 MIGRATED to testing (Debian testing watch)
[2025-12-01] Accepted rust-wasmtime 27.0.0+dfsg-4 (source) into unstable (Jonas Smedegaard)
[2025-11-30] Accepted rust-wasmtime 28.0.1+dfsg-1 (source) into experimental (Jonas Smedegaard)
[2025-11-30] Accepted rust-wasmtime 27.0.0+dfsg-3 (source) into unstable (Jonas Smedegaard)
[2025-11-15] Accepted rust-wasmtime 27.0.0+dfsg-2 (source) into unstable (Jonas Smedegaard) (signed by: Blair Noctis)
[2025-10-22] Accepted rust-wasmtime 26.0.1+dfsg-10 (source) into unstable (Jonas Smedegaard)
[2025-10-20] Accepted rust-wasmtime 26.0.1+dfsg-9 (source) into unstable (Jonas Smedegaard)
[2025-10-19] Accepted rust-wasmtime 26.0.1+dfsg-8 (source) into unstable (Jonas Smedegaard)
[2025-10-12] Accepted rust-wasmtime 26.0.1+dfsg-7 (source) into unstable (Jonas Smedegaard)
[2025-10-11] Accepted rust-wasmtime 26.0.1+dfsg-6 (source) into unstable (Jonas Smedegaard)
[2025-10-11] Accepted rust-wasmtime 26.0.1+dfsg-5 (source) into unstable (Jonas Smedegaard)
[2025-10-11] rust-wasmtime 26.0.1+dfsg-4 MIGRATED to testing (Debian testing watch)
[2025-10-09] Accepted rust-wasmtime 26.0.1+dfsg-4 (source) into unstable (Jonas Smedegaard)
[2025-02-23] rust-wasmtime 26.0.1+dfsg-3 MIGRATED to testing (Debian testing watch)
[2025-02-18] Accepted rust-wasmtime 26.0.1+dfsg-3 (source) into unstable (Jonas Smedegaard)
[2025-02-17] rust-wasmtime 26.0.1+dfsg-2 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 5
RC: 0
I&N: 3
M&W: 2
F&P: 0
patch: 0

links

homepage
lintian (0, 5)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 29.0.1+dfsg-5