[25.05] lixPackageSets.*: fix for CVE-2025-46415 and CVE-2025-46416 (#419583)

2026-01-12 02:40:31 +08:00 · 2025-06-24 18:27:44 +02:00
parent 011e351df9 a608c12bfb
commit 387dfc5487
3 changed files with 2382 additions and 8 deletions
--- a/pkgs/tools/package-management/lix/common-lix.nix
+++ b/pkgs/tools/package-management/lix/common-lix.nix
@@ -9,6 +9,7 @@
  # `lix-doc`.
  docCargoDeps ? null,
  patches ? [ ],
+  knownVulnerabilities ? [ ],
 }@args:

 assert lib.assertMsg (
@@ -139,6 +140,7 @@ stdenv.mkDerivation (finalAttrs: {
        p.pytest
        p.pytest-xdist
        p.python-frontmatter
+        p.toml
      ]))
      pkg-config
      flex
@@ -388,5 +390,6 @@ stdenv.mkDerivation (finalAttrs: {
    platforms = lib.platforms.unix;
    outputsToInstall = [ "out" ] ++ lib.optional enableDocumentation "man";
    mainProgram = "nix";
+    inherit knownVulnerabilities;
  };
 })
--- a/pkgs/tools/package-management/lix/default.nix
+++ b/pkgs/tools/package-management/lix/default.nix
@@ -133,6 +133,10 @@ lib.makeExtensible (self: {
        sourceRoot = "${src.name or src}/lix-doc";
        hash = "sha256-VPcrf78gfLlkTRrcbLkPgLOk0o6lsOJBm6HYLvavpNU=";
      };
+
+      knownVulnerabilities = [
+        "Lix 2.90 is vulnerable to CVE-2025-46415 and CVE-2025-46416 and will not receive updates."
+      ];
    };

    nix-eval-jobs-args = {
@@ -150,13 +154,13 @@ lib.makeExtensible (self: {
    attrName = "lix_2_91";

    lix-args = rec {
-      version = "2.91.1";
+      version = "2.91.2";

      src = fetchFromGitHub {
        owner = "lix-project";
        repo = "lix";
        rev = version;
-        hash = "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=";
+        hash = "sha256-TkRjskDnxMPugdLQE/LqIh59RYQFJLYpIuL8YZva2lM=";
      };

      docCargoDeps = rustPlatform.fetchCargoVendor {
@@ -182,13 +186,13 @@ lib.makeExtensible (self: {
    attrName = "lix_2_92";

    lix-args = rec {
-      version = "2.92.0";
+      version = "2.92.2";

      src = fetchFromGitHub {
        owner = "lix-project";
        repo = "lix";
        rev = version;
-        hash = "sha256-CCKIAE84dzkrnlxJCKFyffAxP3yfsOAbdvydUGqq24g=";
+        hash = "sha256-D7YepvFkGE4K1rOkEYA1P6wGj/eFbQXb03nLdBRjjwA=";
      };

      cargoDeps = rustPlatform.fetchCargoVendor {
@@ -212,14 +216,14 @@ lib.makeExtensible (self: {
    attrName = "lix_2_93";

    lix-args = rec {
-      version = "2.93.0";
+      version = "2.93.1";

      src = fetchFromGitea {
        domain = "git.lix.systems";
        owner = "lix-project";
        repo = "lix";
        rev = version;
-        hash = "sha256-hsFe4Tsqqg4l+FfQWphDtjC79WzNCZbEFhHI8j2KJzw=";
+        hash = "sha256-LmQhjQ7c+AOkwhvR9GFgJOy8oHW35MoQRELtrwyVnPw=";
      };

      cargoDeps = rustPlatform.fetchCargoVendor {
@@ -240,8 +244,8 @@ lib.makeExtensible (self: {
        domain = "git.lix.systems";
        owner = "lix-project";
        repo = "lix";
-        rev = "dcb0a97000d50b2868ed4f8d9fd465c5a5b8eb3a";
-        hash = "sha256-qCRBy8Bbh5XhPalPkhonxNgfsbw3lP0UIXBLSrhxAvI=";
+        rev = "242a228124f77b57c2e3b3aedb259ffb7913cd3c";
+        hash = "sha256-hCbhc9P+UmIlYv81+vs6v3bDqviCUhwPH3XqClZdfSk=";
      };

      cargoDeps = rustPlatform.fetchCargoVendor {
@@ -249,6 +253,10 @@ lib.makeExtensible (self: {
        inherit src;
        hash = "sha256-YMyNOXdlx0I30SkcmdW/6DU0BYc3ZOa2FMJSKMkr7I8=";
      };
+
+      patches = [
+        ./patches/LIX_HEAD_CVE-2025-46415_46416.patch
+      ];
    };
  };

--- a/pkgs/tools/package-management/lix/patches/LIX_HEAD_CVE-2025-46415_46416.patch
+++ b/pkgs/tools/package-management/lix/patches/LIX_HEAD_CVE-2025-46415_46416.patch