
nixVersions.nix_2_3: add knownVulnerabilities #420974

Merged
alyssais merged 2 commits into NixOS:master from alyssais:nix_2_3-vulnerabilities on Jun 30, 2025

Conversation

Member

@alyssais alyssais commented Jun 29, 2025

Hopefully somebody backports the patches, in which case we can revert this, and if not it will give us a good indication that nobody cares about getting Nix 2.3 from Nixpkgs and we can drop it.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • Nixpkgs 25.11 Release Notes (or backporting 24.11 and 25.05 Nixpkgs Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
  • NixOS 25.11 Release Notes (or backporting 24.11 and 25.05 NixOS Release notes)
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other contributing documentation in corresponding paths.


@alyssais alyssais requested review from emilazy and flokli June 29, 2025 12:43
@alyssais alyssais force-pushed the nix_2_3-vulnerabilities branch from 48b082c to e216a82 June 29, 2025 12:43
@alyssais alyssais changed the title from "nix_2_3: add knownVulnerabilities" to "nixVersions.nix_2_3: add knownVulnerabilities" Jun 29, 2025
@alyssais alyssais force-pushed the nix_2_3-vulnerabilities branch 3 times, most recently from 52ec7b0 to 3997403 June 29, 2025 12:48
@emilazy emilazy requested a review from a team June 29, 2025 12:50
@nix-owners nix-owners bot requested review from hsjobeki and infinisil June 29, 2025 12:50
@alyssais alyssais force-pushed the nix_2_3-vulnerabilities branch from 3997403 to a60390d June 29, 2025 12:55
@nixpkgs-ci nixpkgs-ci bot added labels: 10.rebuild-linux: 1-10 (This PR causes between 1 and 10 packages to rebuild on Linux); 10.rebuild-darwin: 1-10 (This PR causes between 1 and 10 packages to rebuild on Darwin); 10.rebuild-darwin: 1 (This PR causes 1 package to rebuild on Darwin); 10.rebuild-linux: 1 (This PR causes 1 package to rebuild on Linux) Jun 29, 2025
@mweinelt mweinelt added the label 1.severity: security (Issues which raise a security issue, or PRs that fix one) Jun 29, 2025
@alyssais alyssais force-pushed the nix_2_3-vulnerabilities branch 4 times, most recently from 4aaa1b1 to a0a12bf June 29, 2025 14:10
@nixpkgs-ci nixpkgs-ci bot added the label 6.topic: lib (The Nixpkgs function library) Jun 29, 2025
@nixpkgs-ci nixpkgs-ci bot added the label 6.topic: continuous integration (Affects continuous integration (CI) in Nixpkgs, including Ofborg and GitHub Actions) Jun 29, 2025
@alyssais alyssais requested a review from wolfgangwalther June 29, 2025 14:16
@alyssais alyssais force-pushed the nix_2_3-vulnerabilities branch from a0a12bf to da1b7d4 June 29, 2025 14:35
@alyssais alyssais force-pushed the nix_2_3-vulnerabilities branch from da1b7d4 to ba03474 June 29, 2025 14:50
Contributor

@wolfgangwalther wolfgangwalther left a comment

Reading through: LGTM.

@nixpkgs-ci nixpkgs-ci bot added the label 12.approvals: 1 (This PR was reviewed and approved by one person) Jun 29, 2025
alyssais added 2 commits June 29, 2025 18:22
It doesn't make sense for release.nix to run these twice; once
directly, and once as part of the tarball job.
@alyssais alyssais force-pushed the nix_2_3-vulnerabilities branch from ba03474 to 1666082 June 29, 2025 16:22
@alyssais alyssais merged commit a61841a into NixOS:master Jun 30, 2025
26 of 27 checks passed
@alyssais alyssais deleted the nix_2_3-vulnerabilities branch June 30, 2025 08:26
Contributor

nixpkgs-ci bot commented Jun 30, 2025

Backport failed for release-24.11, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release-24.11
git worktree add -d .worktree/backport-420974-to-release-24.11 origin/release-24.11
cd .worktree/backport-420974-to-release-24.11
git switch --create backport-420974-to-release-24.11
git cherry-pick -x 1063473001bb85bf3af2fe21f3a76011ea8c558b a61841a597730a4ec18be3f87a257a3989e629dd

Contributor

nixpkgs-ci bot commented Jun 30, 2025

Successfully created backport PR for release-25.05:

@github-actions github-actions bot added the label 8.has: port to stable (This PR already has a backport to the stable release) Jun 30, 2025
@nixpkgs-ci nixpkgs-ci bot added the label 12.approvals: 2 (This PR was reviewed and approved by two persons) and removed the labels 8.has: port to stable (This PR already has a backport to the stable release) and 12.approvals: 1 (This PR was reviewed and approved by one person) Jun 30, 2025
Member

tazjin commented Jun 30, 2025

@alyssais We are backporting the most critical patches here: tvlfyi/nix#5

These are specifically the patches from Lix, not from C++ Nix. For the other CVEs we haven't decided what to do yet, in particular porting something like pasta or the other solutions to that problem doesn't look attractive until there's more real-world experience with them from the early adopters.

"CVE-2024-38531"
"CVE-2024-47174"
"CVE-2025-46415"
"CVE-2025-46416"
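Review bot: the four entries are bare CVE identifiers with no accompanying description, so a reader of this list (or of the evaluation refusal it triggers) has to look each one up to learn what is affected and why 2.3 is unpatched; a short note beside each string, naming the affected component and whether a backported fix exists, would make the list self-explanatory. The thread below disputes whether "CVE-2025-46416" applies only to 2.3 or to the other nixVersions packages as well, so recording that reasoning next to the entry would settle the question for later readers.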
Member

From my understanding, also later versions of nix are vulnerable to CVE-2025-46416 since abstract unix sockets can be created in the main network namespace. So we should add it to knownVulnerabilities for the other packages in nixVersions for consistency?!

Contributor

That weakness about abstract domain sockets is still present, but not the vulnerability described in the CVE. Known exploit chains are fixed.

@wolfgangwalther wolfgangwalther added the label 8.has: port to stable (This PR already has a backport to the stable release) Jul 12, 2025