GHSA-655h-hg88-5qmf: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-655h-hg88-5qmf) affects the Rust XCB library's xcb::Connection::connect_to_fd* functions. These functions allow an arbitrary RawFd to be used as a socket connection, which can lead to I/O safety violations. The issue was discovered in March 2022 and was officially disclosed on August 22, 2025, affecting versions prior to 1.6.0 (RustSec Advisory).

The vulnerability stems from the API design of xcb::Connection constructors that accept a RawFd parameter. When these constructors fail or when the Connection is dropped, they close the associated file descriptor. However, if the program uses an OwnedFd (such as a UnixStream) as the file descriptor, it can lead to a double-close scenario or attempts to use an already-closed file descriptor. This violates I/O safety principles in Rust (GitHub Issue).

The vulnerability can result in I/O safety violations where a program might attempt to use a closed file descriptor or trigger a double-close condition. This can lead to undefined behavior in POSIX systems and potential program crashes, particularly when running in debug mode (GitHub PR).

The issue has been fixed in version 1.6.0 of the xcb crate. The fix introduces new safe alternatives Connection::connect_with_fd and Connection::connect_with_fd_and_extensions while deprecating the problematic functions. Users should upgrade to version 1.6.0 or later to resolve this vulnerability (RustSec Advisory).

The vulnerability sparked discussions in the Rust community about I/O safety and its relationship with FFI boundaries. There were debates about whether I/O safety violations should be considered undefined behavior and how they should be categorized in the security context (RustSec PR).