!ZRgXNaHrdpGqwUnGnj:nixos.org

NixOS Security Triage

635 Members | 200 Servers
Coordination and triage of security issues in nixpkgs | Discussions in #security-discuss:nixos.org | Open PRs: https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+is%3Aopen+sort%3Aupdated-desc+label%3A%221.severity%3A+security%22

27 May 2025
[09:00:51] @irenes:matrix.org left the room.
[23:45:31] mdaniels5757 (@mdaniels5757:matrix.org) joined the room.
28 May 2025
[05:53:27] Morgan (@numinit:matrix.org):
https://www.openwall.com/lists/oss-security/2025/05/28/4
https://curl.se/docs/CVE-2025-4947.html
curl (only wolfssl as a backend though)
[06:03:22] vcunat (@vcunat:matrix.org): That seems to be only opt-in in nixpkgs. So a patch can be applied conditionally without any rebuild (and users of it will probably be rare here).
[09:57:17] vcunat (@vcunat:matrix.org): Merged, but honestly I don't know what to do about stable nixpkgs.
[11:10:30] emily (@emilazy:matrix.org): seems backportable? is there anything breaking I'm missing?
[15:42:37] Zhaofeng Li (@zhaofeng:zhaofeng.li):
Is the concern about the new features?
(not sure if replying in a thread will cause notifications - if so, let's move to #security-discuss:nixos.org)
29 May 2025
[09:26:03] Grimmauld (any/all) (@grimmauld:grapevine.grimmauld.de): https://github.com/NixOS/nixpkgs/issues/411881 so uh - do we pick commits into our jq? one of the two doesn't even have a fix commit, and I'd be surprised if the fix for the other actually applies properly...
[09:26:48] K900 (@k900:0upti.me): What the lol
[09:27:21] Grimmauld (any/all) (@grimmauld:grapevine.grimmauld.de): jq had no release since 2023, but now the second 7.5+ CVE
[09:27:37] K900 (@k900:0upti.me): Has anyone rewritten it in Rust yet
[09:28:18] Alison Jenkins (@alisonjenkins:matrix.org): https://github.com/MiSawa/xq
[09:28:34] Grimmauld (any/all) (@grimmauld:grapevine.grimmauld.de):
https://github.com/yamafaktory/jql
not sure how compatible it is though
also #security-discuss:nixos.org if we'll discuss that
[16:26:42] Morgan (@numinit:matrix.org): Kea has a few https://www.openwall.com/lists/oss-security/2025/05/28/7
[16:28:58] Morgan (@numinit:matrix.org):
Also https://www.openwall.com/lists/oss-security/2025/05/27/2
Heap buffer overflow in GNU Coreutils sort that's been there since version 7.2 (we're on 9.7, and apparently it's still there)
[16:29:27] Grimmauld (any/all) (@grimmauld:grapevine.grimmauld.de): seems simple enough to update, but why are we on 2.6.x if there exists 2.7.x?
[16:29:52] Morgan (@numinit:matrix.org): not sure
[17:28:46] Arian (@arianvp:matrix.org): https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598 https://github.com/systemd/systemd/releases/tag/v257.6
[17:33:38] hexa (@hexa:lossy.network): because only even minor versions are stable
[17:33:43] hexa (@hexa:lossy.network): and the update is not straightforward
[17:34:06] hexa (@hexa:lossy.network): https://github.com/NixOS/nixpkgs/pull/411875
[17:35:53] Grimmauld (any/all) (@grimmauld:grapevine.grimmauld.de): uh oh, didn't realize the module needed changing to allow clean updates.... Indeed, not straightforward, and thanks for explaining :)
[18:41:42] Grimmauld (any/all) (@grimmauld:grapevine.grimmauld.de):
https://github.com/NixOS/nixpkgs/pull/412147
I was already poking systemd for udev stuff earlier today, have the bump PR :)
I tested NixOS tests, I did not try to repro the vuln to see if it is truly fixed now.
[18:44:10] Grimmauld (any/all) (@grimmauld:grapevine.grimmauld.de) (edited):
https://github.com/NixOS/nixpkgs/pull/412147
I was already poking systemd for udev stuff earlier today, have the bump PR :)
I did not try to repro the vuln to see if it is truly fixed now.
30 May 2025
[03:39:03] stigo (@stigo:matrix.org): https://github.com/NixOS/nixpkgs/pull/412233 (considered to be low-medium severity)
[09:06:59] leona (@leona:leona.is): what about backports? just apply to 25.05 and 24.11?
[09:58:12] stigo (@stigo:matrix.org):
In reply to @leona:leona.is: "what about backports? just apply to 25.05 and 24.11?"
Yeah should work fine
[14:47:23] Grimmauld (any/all) (@grimmauld:grapevine.grimmauld.de):
https://github.com/NixOS/nixpkgs/pull/412367
it has been done
Was an absolute pain to make these patches apply properly, I think I didn't horribly butcher anything - review appreciated.