Skip to content

Comments

hydron: mark as vulnerable to CVE-2023-4863#255959

Merged
delroth merged 1 commit intoNixOS:masterfrom
delroth:hydron-known-vulnerable
Sep 19, 2023
Merged

hydron: mark as vulnerable to CVE-2023-4863#255959
delroth merged 1 commit intoNixOS:masterfrom
delroth:hydron-known-vulnerable

Conversation

@delroth
Copy link
Contributor

@delroth delroth commented Sep 18, 2023

Description of changes

https://github.com/bakape/hydron is archived and likely never getting a fix.
Ref #254798

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@delroth delroth added 1.severity: security Issues which raise a security issue, or PRs that fix one backport release-23.05 labels Sep 18, 2023
@delroth delroth requested a review from Madouura September 18, 2023 19:59
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. labels Sep 18, 2023
@delroth delroth added the 12.approvals: 1 This PR was reviewed and approved by one person. label Sep 19, 2023
@delroth delroth merged commit 3455e89 into NixOS:master Sep 19, 2023
@github-actions
Copy link
Contributor

Successfully created backport PR for release-23.05:

@emilazy emilazy mentioned this pull request Aug 3, 2024
13 tasks
emilazy added a commit to emilazy/nixpkgs that referenced this pull request Aug 3, 2024
This package was marked as vulnerable in
<NixOS#255959>, almost a year ago and
over a year after the project was archived upstream. The package and
module are unusable without bypassing a security warning in 23.05,
23.11, and 24.05.

Given that the package is intended as an organizer for
potentially‐untrusted media files, the vulnerability is critical and
leads to remote code execution, and there is basically no prospect
of upstream releasing a fix, remove the package and module entirely
for 24.11.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. 12.approvals: 1 This PR was reviewed and approved by one person.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants