Nixpkgs Security Tracker

Automatically generated suggestions

created 4 months ago
Libarchive: heap buffer over read in copy_from_lzss_window() at archive_read_support_format_rar.c

A vulnerability has been identified in the libarchive library. This flaw can lead to a heap buffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memory buffer, which can result in unpredictable program behavior, crashes (denial of service), or the disclosure of sensitive information from adjacent memory regions.

Affected products

rhcos
libarchive
  • <3.8.0

Matching in nixpkgs

pkgs.libarchive

Multi-format archive and compression library

  • nixos-unstable -

pkgs.libarchive-qt

Qt based archiving solution with libarchive backend

  • nixos-unstable -

pkgs.haskellPackages.libarchive

Haskell interface to libarchive

pkgs.kodiPackages.vfs-libarchive

LibArchive Virtual Filesystem add-on for Kodi

  • nixos-unstable -

pkgs.python312Packages.libarchive-c

Python interface to libarchive

  • nixos-unstable -

pkgs.python313Packages.libarchive-c

Python interface to libarchive

  • nixos-unstable -

pkgs.haskellPackages.archive-libarchive

Common interface using libarchive

pkgs.haskellPackages.libarchive-conduit

Read many archive formats with libarchive and conduit

pkgs.python312Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.python313Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

Package maintainers: 8

created 4 months ago
Nbdkit: nbdkit-server: off-by-one error when processing block status may lead to a denial of service

There's a flaw in the nbdkit server when handling responses from its plugins regarding the status of data blocks. If a client makes a specific request for a very large data range, and a plugin responds with an even larger single block, the nbdkit server can encounter a critical internal error, leading to a denial-of-service.

Affected products

nbdkit
  • <1.40.6
  • <1.42.3
  • <1.38.6
virt:av/nbdkit
virt:8.2/nbdkit
virt:rhel/nbdkit

Matching in nixpkgs

pkgs.nbdkit

NBD server with stable plugin ABI and permissive license

  • nixos-unstable -

Package maintainers: 1

created 4 months ago
Samba: smbd doesn't pick up group membership changes when re-authenticating an expired smb session

A flaw was found in Samba. The smbd service daemon does not pick up group membership changes when re-authenticating an expired SMB session. This issue can expose file shares until clients disconnect and then connect again.

Affected products

rhcos
samba
  • <4.21.6
samba4

Matching in nixpkgs

pkgs.samba4

Standard Windows interoperability suite of programs for Linux and Unix

  • nixos-unstable -

pkgs.sambamba

SAM/BAM processing tool

  • nixos-unstable -

pkgs.sambaFull

Standard Windows interoperability suite of programs for Linux and Unix

  • nixos-unstable -

pkgs.samba4Full

Standard Windows interoperability suite of programs for Linux and Unix

  • nixos-unstable -

Package maintainers: 2

created 4 months ago
WordPress oik <= 4.15.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in bobbingwide oik allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects oik: from n/a through 4.15.1.

Affected products

oik
  • =<4.15.1

Matching in nixpkgs

pkgs.libvoikko

Finnish language processing library

  • nixos-unstable -

Package maintainers: 1

created 4 months ago
WordPress Wishlist plugin <= 1.0.43 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Wishlist allows Stored XSS. This issue affects Wishlist: from n/a through 1.0.43.

Affected products

wishlist
  • =<1.0.43

Matching in nixpkgs

pkgs.wishlist

Single entrypoint for multiple SSH endpoints

  • nixos-unstable -

Package maintainers: 2

created 4 months ago
File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted file name

File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted filename. A file handle is opened with the two-argument form of `open()`, allowing an attacker-controlled filename to provide the MODE parameter to `open()`, turning the filename into a command to be executed.

Example:

    $ mkdir /tmp/poc; echo > "/tmp/poc/|id"
    $ perl -MFile::Find::Rule \
        -E 'File::Find::Rule->grep("foo")->in("/tmp/poc")'
    uid=1000(user) gid=1000(user) groups=1000(user),100(users)

Affected products

File-Find-Rule
  • =<0.34

Matching in nixpkgs

pkgs.perlPackages.FileFindRule

File::Find::Rule is a friendlier interface to File::Find

  • nixos-unstable -

pkgs.perl538Packages.FileFindRule

File::Find::Rule is a friendlier interface to File::Find

  • nixos-unstable -

pkgs.perl540Packages.FileFindRule

File::Find::Rule is a friendlier interface to File::Find

  • nixos-unstable -

pkgs.perlPackages.FileFindRulePerl

Common rules for searching for Perl things

  • nixos-unstable -

pkgs.perl538Packages.FileFindRulePerl

Common rules for searching for Perl things

  • nixos-unstable -

pkgs.perl540Packages.FileFindRulePerl

Common rules for searching for Perl things

  • nixos-unstable -

created 4 months ago
YAML-LibYAML prior to 0.903.0 for Perl uses 2-args open, allowing existing files to be modified

YAML-LibYAML prior to 0.903.0 for Perl uses 2-args open, allowing existing files to be modified

Affected products

YAML-LibYAML
  • <0.903.0

Matching in nixpkgs

pkgs.perlPackages.YAMLLibYAML

Perl YAML Serialization using XS and libyaml

  • nixos-unstable -

pkgs.perl538Packages.YAMLLibYAML

Perl YAML Serialization using XS and libyaml

  • nixos-unstable -

pkgs.perl540Packages.YAMLLibYAML

Perl YAML Serialization using XS and libyaml

  • nixos-unstable -

created 4 months ago
idna accepts Punycode labels that do not produce any non-ASCII when decoded

Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.

Affected products

idna
  • <1.0.0

Matching in nixpkgs

pkgs.echidna

Ethereum smart contract fuzzer

  • nixos-unstable -

pkgs.unicode-idna

Unicode IDNA compatible processing data

  • nixos-unstable -

pkgs.kodiPackages.idna

Internationalized Domain Names for Python

  • nixos-unstable -

pkgs.sbclPackages.idna

pkgs.python312Packages.idna

Internationalized Domain Names in Applications (IDNA)

  • nixos-unstable -

pkgs.python313Packages.idna

Internationalized Domain Names in Applications (IDNA)

  • nixos-unstable -

pkgs.python312Packages.idna-ssl

Patch ssl.match_hostname for Unicode(idna) domains support

  • nixos-unstable -

pkgs.python313Packages.idna-ssl

Patch ssl.match_hostname for Unicode(idna) domains support

  • nixos-unstable -

Package maintainers: 16

created 4 months ago
Systemd-coredump: race condition that allows a local attacker to crash a suid program and gain read access to the resulting core dump

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original privileged process's coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and forcing the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original SUID process's coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

Affected products

rhcos
systemd
  • *
rpm-ostree
NetworkManager
systemd-coredump
  • <255.19
  • <252.37
  • <257.6
  • <253.32
  • <256.14
  • <254.25
rhceph/rhceph-7-rhel9
  • *
rhceph/rhceph-8-rhel9
  • *
insights-proxy/insights-proxy-container-rhel9
  • *

Matching in nixpkgs

pkgs.udev

System and service manager for Linux

  • nixos-unstable -

pkgs.systemd

System and service manager for Linux

  • nixos-unstable -

pkgs.rpm-ostree

Hybrid image/package system. It uses OSTree as an image format, and uses RPM as a component model

  • nixos-unstable -

pkgs.systemd-lsp

Language server implementation for systemd unit files made in Rust

  • nixos-unstable -

pkgs.systemdLibs

System and service manager for Linux

  • nixos-unstable -

pkgs.rofi-systemd

Control your systemd units using rofi

  • nixos-unstable -

pkgs.systemd-wait

Wait for a systemd unit to enter a specific state

pkgs.systemdUkify

System and service manager for Linux

  • nixos-unstable -

pkgs.systemdgenie

Systemd management utility

  • nixos-unstable -

pkgs.check_systemd

Nagios / Icinga monitoring plugin to check systemd for failed units

  • nixos-unstable -

pkgs.systemdMinimal

System and service manager for Linux

  • nixos-unstable -

pkgs.systemd-netlogd

Forwards messages from the journal to other hosts over the network

  • nixos-unstable -

pkgs.systemd-bootchart

Boot performance graphing tool from systemd

  • nixos-unstable -

pkgs.networkmanager-l2tp

L2TP plugin for NetworkManager

pkgs.networkmanager-sstp

NetworkManager's sstp plugin

  • nixos-unstable -

pkgs.networkmanager-vpnc

NetworkManager's VPNC plugin

  • nixos-unstable -

pkgs.systemd-manager-tui

Program for managing systemd services through a TUI

  • nixos-unstable -

pkgs.systemd-lock-handler

Translates systemd-system lock/sleep signals into systemd-user target activations

  • nixos-unstable -

pkgs.networkmanager-openvpn

NetworkManager's OpenVPN plugin

  • nixos-unstable -

pkgs.haskellPackages.systemd

Systemd facilities (Socket activation, Notify)

  • nixos-unstable -

pkgs.php81Extensions.systemd

PHP extension allowing native interaction with systemd and its journal

pkgs.php82Extensions.systemd

PHP extension allowing native interaction with systemd and its journal

pkgs.php83Extensions.systemd

PHP extension allowing native interaction with systemd and its journal

pkgs.php84Extensions.systemd

PHP extension allowing native interaction with systemd and its journal

pkgs.systemd-language-server

Language Server for Systemd unit files

  • nixos-unstable -

pkgs.update-systemd-resolved

Helper script for OpenVPN to directly update the DNS settings of a link through systemd-resolved via DBus

  • nixos-unstable -

pkgs.networkmanager_strongswan

NetworkManager's strongswan plugin

  • nixos-unstable -

pkgs.python312Packages.systemd

Python module for native access to the systemd facilities

  • nixos-unstable -

pkgs.python313Packages.systemd

Python module for native access to the systemd facilities

  • nixos-unstable -

pkgs.networkmanager-fortisslvpn

NetworkManager’s FortiSSL plugin

  • nixos-unstable -

pkgs.networkmanager-openconnect

NetworkManager’s OpenConnect plugin

  • nixos-unstable -

pkgs.haskellPackages.systemd-api

systemd bindings

pkgs.nagiosPlugins.check_systemd

Nagios / Icinga monitoring plugin to check systemd for failed units

  • nixos-unstable -

pkgs.prometheus-systemd-exporter

Exporter for systemd unit metrics

  • nixos-unstable -

pkgs.haskellPackages.warp-systemd

Socket activation and other systemd integration for the Warp web server (WAI)

pkgs.gnomeExtensions.systemd-status

Show systemd system state

  • nixos-unstable -
    • nixpkgs-unstable 8

pkgs.gnomeExtensions.systemd-manager

GNOME Shell extension to manage systemd services

  • nixos-unstable -
    • nixpkgs-unstable 19

pkgs.haskellPackages.libsystemd-journal

Haskell bindings to libsystemd-journal

pkgs.python312Packages.systemdunitparser

SystemdUnitParser is an extension to Python's configparser.RawConfigParser to properly parse systemd unit files

  • nixos-unstable -

pkgs.python313Packages.systemdunitparser

SystemdUnitParser is an extension to Python's configparser.RawConfigParser to properly parse systemd unit files

  • nixos-unstable -

pkgs.python312Packages.jupyterhub-systemdspawner

JupyterHub Spawner using systemd for resource isolation

  • nixos-unstable -

pkgs.python313Packages.jupyterhub-systemdspawner

JupyterHub Spawner using systemd for resource isolation

  • nixos-unstable -

pkgs.vscode-extensions.coolbear.systemd-unit-file

  • nixos-unstable -

pkgs.gnomeExtensions.systemd-offline-update-indicator

Show an indicator for pending systemd offline updates.

  • nixos-unstable -
    • nixpkgs-unstable 7

pkgs.tests.pkg-config.defaultPkgConfigPackages.libudev

Test whether systemd-257.8 exposes pkg-config modules libudev

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.tests.pkg-config.defaultPkgConfigPackages.libsystemd

Test whether systemd-257.8 exposes pkg-config modules libsystemd

  • nixos-unstable -
    • nixpkgs-unstable

created 4 months ago
Race Condition in Canonical Apport

Race condition in Canonical apport up to and including 2.32.0 allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces. When handling a crash, the function `_check_global_pid_and_forward`, which detects if the crashing process resided in a container, was being called before `consistency_checks`, which attempts to detect if the crashing process had been replaced. Because of this, if a process crashed and was quickly replaced with a containerized one, apport could be made to forward the core dump to the container, potentially leaking sensitive information. `consistency_checks` is now being called before `_check_global_pid_and_forward`. Additionally, given that the PID-reuse race condition cannot be reliably detected from userspace alone, crashes are only forwarded to containers if the kernel provided a pidfd, or if the crashing process was unprivileged (i.e., if dump mode == 1).

Affected products

apport
  • <2.28.1-0ubuntu3.6
  • <2.20.9-0ubuntu7.29+esm1
  • <2.30.0-0ubuntu4.3
  • =<2.32.0
  • <2.20.11-0ubuntu27.28
  • <2.20.11-0ubuntu82.7
  • <2.32.0-0ubuntu5.1
  • <2.20.1-0ubuntu2.30+esm5
  • <2.32.0-0ubuntu6
  • <2.33.0-0ubuntu1

Matching in nixpkgs

pkgs.haskellPackages.apportionment

Round a set of numbers while maintaining its sum

Package maintainers: 1