Multiple Node.js packages in nixpkgs create file collisions when installed together in home-manager or system profiles. Specifically:

- `gemini-cli` vs `eslint`: collision on `lib/node_modules/eslint/conf/default-cli-options.js`
- `gemini-cli` vs `angular-language-server`: collision on `lib/node_modules/semver/README.md` (with permission differences: 0555 vs 0444)

This occurs because these packages install their bundled dependencies directly to `$out/lib/node_modules/`, causing path conflicts when multiple packages provide the same transitive dependencies.

The issue stems from packages copying their entire `node_modules` directory to a shared location (`$out/lib/node_modules/`) rather than isolating their dependencies in package-specific directories.
Before:
```nix
cp -r node_modules "$out/lib/"
```
After:
```nix
cp -r node_modules "$out/share/gemini-cli/"
```
This is probably counterproductive in some ways (would ideally share deps?) but at least this fix allows these packages to coexist.
(cherry picked from commit 1aff5d6e7e)
Backported fix for https://github.com/dokuwiki/dokuwiki/issues/4512
(Unauthenticated Reflected Cross Site Scripting) since the 2024-02-06
release didn't receive it.
Not-cherry-picked-because: Manually applying upstream patch to avoid
breaking updates where this would not be needed.
This patch only affects ARM, but it's better than setting ARM as knownVulnerabilities.
Arm issues with page refcounting
There are two issues related to the mapping of pages belonging to other
domains: For one, an assertion is wrong there, where the case actually
needs handling. A NULL pointer de-reference could result on a release
build. This is CVE-2025-58144.
And then the P2M lock isn't held until a page reference was actually
obtained (or the attempt to do so has failed). Otherwise the page can
not only change type, but even ownership in between, thus allowing
domain boundaries to be violated. This is CVE-2025-58145.
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
(cherry picked from commit 15968113a2)
Multiple vulnerabilities in the Viridian interface
There are multiple issues related to the handling and accessing of guest
memory pages in the viridian code:
1. A NULL pointer dereference in the updating of the reference TSC area.
This is CVE-2025-27466.
2. A NULL pointer dereference by assuming the SIM page is mapped when
a synthetic timer message has to be delivered. This is
CVE-2025-58142.
3. A race in the mapping of the reference TSC page, where a guest can
get Xen to free a page while still present in the guest physical to
machine (p2m) page tables. This is CVE-2025-58143.
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
(cherry picked from commit 2648215258)
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>