ciscoPacketTracer{7,8}: mark as vulnerable #456622

Merged
vcunat merged 2 commits into NixOS:master from gepbird:feat/ciscoPacketTracer78/mark-as-vulnerable
Nov 14, 2025

gepbird commented Oct 29, 2025

Fixes #452755 (comment).

This library can be seen in the fixup phase; it's coming from the .deb src:

ciscoPacketTracer8-unwrapped> shrinking /nix/store/3fwc2x69d0xgdxjmiqvfi8nvmwaj2ag7-ciscoPacketTracer8-unwrapped/opt/pt/bin/libQt5WebEngineCore.so.5
ciscoPacketTracer8-unwrapped> shrinking /nix/store/3fwc2x69d0xgdxjmiqvfi8nvmwaj2ag7-ciscoPacketTracer8-unwrapped/opt/pt/bin/libQt5WebEngineWidgets.so.5

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

nixpkgs-ci bot added the labels "10.rebuild-darwin: 0" (This PR does not cause any packages to rebuild on Darwin.), "10.rebuild-linux: 0" (This PR does not cause any packages to rebuild on Linux.) and "11.by: package-maintainer" (This PR was created by a maintainer of all the package it changes.) Oct 29, 2025
gepbird added the label "1.severity: security" (Issues which raise a security issue, or PRs that fix one) Oct 29, 2025
nixpkgs-ci bot added the label "9.needs: reviewer" (This PR currently has no reviewers requested and needs attention.) Oct 29, 2025

${lib.elemAt libsForQt5.qtwebengine.meta.knownVulnerabilities 0}
''
];
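
Review bot: `lib.elemAt libsForQt5.qtwebengine.meta.knownVulnerabilities 0` on the first line shown depends on that list having exactly one entry. If qtwebengine's list gains a second entry it is silently dropped from this package's notice, and if the list becomes empty the index lookup fails at evaluation. Joining the whole list into the string, for example with `lib.concatStringsSep "\n" libsForQt5.qtwebengine.meta.knownVulnerabilities`, would keep the single combined entry without hard-coding the index; a short comment explaining why the list is folded into one string would also help.
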
Member:

Actually why not

Suggested change
];
]
++ libsForQt5.qtwebengine.meta.knownVulnerabilities;

?

Contributor Author:

Because it would list those vulnerabilities as separate entries, when they are just one:

       Known issues:
        - Cisco Packet Tracer 8 ships with qt5 qtwebengine.

        - qt5 qtwebengine is unmaintained upstream since april 2025.
       It is based on chromium 87.0.4280.144, and supposedly patched up to 135.0.7049.95 which is outdated.

       Security issues are frequently discovered in chromium.
       The following list of CVEs was fixed in the life cycle of chromium 138 and likely also affects qtwebengine:
       - CVE-2025-8879
       - CVE-2025-8880
       ...

It seems more logical to put them in one, but if this is preferred I'm happy to change it.

nixpkgs-ci bot removed the label "9.needs: reviewer" (This PR currently has no reviewers requested and needs attention.) Oct 29, 2025
gepbird force-pushed the feat/ciscoPacketTracer78/mark-as-vulnerable branch from 0891662 to 4f2ae8e on October 29, 2025 01:52
gepbird closed this Oct 29, 2025
gepbird reopened this Oct 29, 2025
gepbird force-pushed the feat/ciscoPacketTracer78/mark-as-vulnerable branch from 4f2ae8e to ae20dc6 on October 30, 2025 19:20
gepbird requested a review from dotlambda November 2, 2025 20:59
vcunat added this pull request to the merge queue Nov 14, 2025
Merged via the queue into NixOS:master with commit 8049563 Nov 14, 2025
29 of 31 checks passed

nixpkgs-ci bot commented Nov 14, 2025

Backport failed for release-25.05, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release-25.05
git worktree add -d .worktree/backport-456622-to-release-25.05 origin/release-25.05
cd .worktree/backport-456622-to-release-25.05
git switch --create backport-456622-to-release-25.05
git cherry-pick -x 6cfa812ea117c6dafd2fbf9926c745d8831cdd4f ae20dc63cd7cf23890cb16d3d39deaf1e1a55c4b

gepbird deleted the feat/ciscoPacketTracer78/mark-as-vulnerable branch November 14, 2025 09:06
mdaniels5757 added the label "8.has: port to stable" (This PR already has a backport to the stable release.) and removed the "backport release-25.05" label Nov 26, 2025