Skip to content

cudaPackages_12_9: switch to libxml2_13 that has patches for 5 CVEs#434331

Merged
vcunat merged 1 commit intoNixOS:staging-nextfrom
gepbird:cudapackages-12-9-libxml2
Aug 20, 2025
Merged

cudaPackages_12_9: switch to libxml2_13 that has patches for 5 CVEs#434331
vcunat merged 1 commit intoNixOS:staging-nextfrom
gepbird:cudapackages-12-9-libxml2

Conversation

@gepbird
Copy link
Contributor

@gepbird gepbird commented Aug 16, 2025
edited
Loading

Part of #434341

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. 6.topic: cuda Parallel computing platform and API labels Aug 16, 2025
@gepbird gepbird marked this pull request as ready for review August 16, 2025 23:39
@gepbird gepbird mentioned this pull request Aug 17, 2025
Closed
15 tasks
@ConnorBaker ConnorBaker self-assigned this Aug 17, 2025
@ConnorBaker
Copy link
Contributor

ConnorBaker commented Aug 17, 2025

I’ll try to take a look tomorrow.

Why not target master?

Also, can this be back ported?

@gepbird
Copy link
Contributor Author

gepbird commented Aug 17, 2025
edited
Loading

I’ll try to take a look tomorrow.

Thanks, that would be awesome :)

I edited the PR description for more context

I tried to build it on x86_64-linux, which said I have an unsupported system for a dependency that only builds on aarch64-linux, I didn't dig further into it. I tried to build the wrong attr as I'm not familliar with cuda, I'll leave the testing up to you

Why not target master?

It depends on libxml2_13 which is not on master yet: https://nixpk.gs/pr-tracker.html?pr=421740

Also, can this be back ported?

Hmm that would be a good idea, but I don't have the capacity to do that. We'd need to backport #421740 (which is not as straightforward as putting a label on it)

@ConnorBaker
Copy link
Contributor

ConnorBaker commented Aug 17, 2025

I did not get a chance today and I don’t know I will soon :/

We’ve been trying to remove the CUDA toolkit provided by the giant rifle installer for some time, so the cudatoolkit attribute references a symlinkJoin of smaller packages. You want to build cudatoolkit-legacy-runfile-installer or something similar — check the attribute name in cuda-packages.nix in top-level. You will need to import Nixpkgs with config.allowUnfree and config.cudaSupport set to true.

That’s a bummer about backporting but I understand.

At any rate, thank you for the PR!

@gepbird gepbird added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Aug 17, 2025
@gepbird
Copy link
Contributor Author

gepbird commented Aug 17, 2025

You want to build cudatoolkit-legacy-runfile-installer or something similar — check the attribute name in cuda-packages.nix in top-level

Thanks, cudaPackages_12_9.cudatoolkit-legacy-runfile builds fine

@LordGrimmauld
Copy link
Contributor

LordGrimmauld commented Aug 17, 2025

Also, can this be back ported?

Hmm that would be a good idea, but I don't have the capacity to do that. We'd need to backport #421740 (which is not as straightforward as putting a label on it)

nixpkgs/pkgs/development/libraries/libxml2/default.nix

Lines 54 to 78 in ad7196a

patches = [
# Unmerged ABI-breaking patch required to fix the following security issues:
# - https://gitlab.gnome.org/GNOME/libxslt/-/issues/139
# - https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
# See also https://gitlab.gnome.org/GNOME/libxml2/-/issues/906
# Source: https://github.com/chromium/chromium/blob/4fb4ae8ce3daa399c3d8ca67f2dfb9deffcc7007/third_party/libxml/chromium/xml-attr-extra.patch
./xml-attr-extra.patch
# same as upstream patch but fixed conflict and added required import:
# https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0.diff
./CVE-2025-6021.patch
(fetchpatch2 {
name = "CVE-2025-49794-49796.patch";
url = "https://gitlab.gnome.org/GNOME/libxml2/-/commit/f7ebc65f05bffded58d1e1b2138eb124c2e44f21.patch";
hash = "sha256-k+IGq6pbv9EA7o+uDocEAUqIammEjLj27Z+2RF5EMrs=";
})
(fetchpatch2 {
name = "CVE-2025-49795.patch";
url = "https://gitlab.gnome.org/GNOME/libxml2/-/commit/c24909ba2601848825b49a60f988222da3019667.patch";
hash = "sha256-r7PYKr5cDDNNMtM3ogNLsucPFTwP/uoC7McijyLl4kU=";
excludes = [ "runtest.c" ]; # tests were rewritten in C and are on schematron for 2.13.x, meaning this does not apply
})
# same as upstream, fixed conflicts
# https://gitlab.gnome.org/GNOME/libxml2/-/commit/c340e419505cf4bf1d9ed7019a87cc00ec200434
./CVE-2025-6170.patch
];

#425246

We have backports of the CVE fixes, which is all we need. 25.05 is globally stuck on a patched 2.13.8 libxml, because updating would be a breaking change. We don't need this override on 25.05 at all, and as such we basically already did all the relevant backports.

@gepbird
Copy link
Contributor Author

gepbird commented Aug 17, 2025

nixpkgs/pkgs/development/libraries/libxml2/default.nix

Lines 54 to 78 in ad7196a

patches = [
# Unmerged ABI-breaking patch required to fix the following security issues:
# - https://gitlab.gnome.org/GNOME/libxslt/-/issues/139
# - https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
# See also https://gitlab.gnome.org/GNOME/libxml2/-/issues/906
# Source: https://github.com/chromium/chromium/blob/4fb4ae8ce3daa399c3d8ca67f2dfb9deffcc7007/third_party/libxml/chromium/xml-attr-extra.patch
./xml-attr-extra.patch
# same as upstream patch but fixed conflict and added required import:
# https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0.diff
./CVE-2025-6021.patch
(fetchpatch2 {
name = "CVE-2025-49794-49796.patch";
url = "https://gitlab.gnome.org/GNOME/libxml2/-/commit/f7ebc65f05bffded58d1e1b2138eb124c2e44f21.patch";
hash = "sha256-k+IGq6pbv9EA7o+uDocEAUqIammEjLj27Z+2RF5EMrs=";
})
(fetchpatch2 {
name = "CVE-2025-49795.patch";
url = "https://gitlab.gnome.org/GNOME/libxml2/-/commit/c24909ba2601848825b49a60f988222da3019667.patch";
hash = "sha256-r7PYKr5cDDNNMtM3ogNLsucPFTwP/uoC7McijyLl4kU=";
excludes = [ "runtest.c" ]; # tests were rewritten in C and are on schematron for 2.13.x, meaning this does not apply
})
# same as upstream, fixed conflicts
# https://gitlab.gnome.org/GNOME/libxml2/-/commit/c340e419505cf4bf1d9ed7019a87cc00ec200434
./CVE-2025-6170.patch
];

#425246

We have backports of the CVE fixes, which is all we need. 25.05 is globally stuck on a patched 2.13.8 libxml, because updating would be a breaking change. We don't need this override on 25.05 at all, and as such we basically already did all the relevant backports.

I completely forgot about backporting those, thanks for the reminder. Yeah in that case it should be straightforward to backport this PR.

@vcunat vcunat merged commit 7dd29e7 into NixOS:staging-next Aug 20, 2025
35 of 37 checks passed
@github-project-automation github-project-automation bot moved this from New to ✅ Done in CUDA Team Aug 20, 2025
@gepbird gepbird deleted the cudapackages-12-9-libxml2 branch August 20, 2025 09:54
@gepbird
Copy link
Contributor Author

gepbird commented Aug 20, 2025

I don't think a backport is needed, the libxml2 dependency was added in d697bfc which is not on release-25.05

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SomeoneSerge SomeoneSerge Awaiting requested review from SomeoneSerge

@samuela samuela Awaiting requested review from samuela

@ConnorBaker ConnorBaker Awaiting requested review from ConnorBaker

@knedlsepp knedlsepp Awaiting requested review from knedlsepp

Assignees

@ConnorBaker ConnorBaker

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 6.topic: cuda Parallel computing platform and API 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux.

Projects

CUDA Team
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@gepbird @ConnorBaker @LordGrimmauld @vcunat