Multiple vulnerabilities in the Viridian interface
There are multiple issues related to the handling and accessing of guest
memory pages in the viridian code:
1. A NULL pointer dereference in the updating of the reference TSC area.
This is CVE-2025-27466.
2. A NULL pointer dereference by assuming the SIM page is mapped when
a synthetic timer message has to be delivered. This is
CVE-2025-58142.
3. A race in the mapping of the reference TSC page, where a guest can
get Xen to free a page while still present in the guest physical to
machine (p2m) page tables. This is CVE-2025-58143.
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
(cherry picked from commit 2648215258)
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
At the scale of Nixpkgs, actively maintaining a package is only possible
with integration into CI. To be able to be pinged for review requests,
the maintainer must have a GitHub handle, which:
- Leads to an invitation to the NixOS org, which comes with additional
privileges.
- Allows requesting the maintainer for review as a member of this org.
- Automatically requests the maintainer for review in CI.
Currently, the GitHub handle is not strictly enforced. This leads to
some new maintainers accidentally forgetting to set these. We can avoid
these mistakes and enforce them via CI.
(cherry picked from commit 568b19f656)
Although this maintainer has responded to requests for maintenance and
is active in Nixpkgs, the new data collection requirements introduced in
https://github.com/NixOS/nixpkgs/pull/437085 have been a privacy
concern for this maintainer, who has stated (https://github.com/NixOS/nixpkgs/pull/437082#issuecomment-3243483517)
that they do not wish for their data to be added to the maintainer list.
For this reason, there is no other recourse than to remove this
maintainer's information from newer revisions of Nixpkgs, as their
maintainer entry is now non-compliant with Nixpkgs' latest policies.
Once more, this removal is NOT due to the usual inactivity reasons, but
for specific privacy concerns expressed by the maintainer being removed.
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
(cherry picked from commit 81d1a3a2ae)
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
Not all packages that are reported as changed will actually exist on the
platform that the maintainers are collected on.
This is the case for some attributes that are only available on Darwin
or explicitly set to `null` on Linux. By filtering out packages without
maintainers, these are ignored - and we should potentially get a small
performance improvement as well.
(cherry picked from commit f2ca5796de)