about summary refs log tree commit diff
path: root/nixpkgs/pkgs/tools/package-management/nix/common.nix
diff options
context:
space:
mode:
Diffstat (limited to 'nixpkgs/pkgs/tools/package-management/nix/common.nix')
-rw-r--r--nixpkgs/pkgs/tools/package-management/nix/common.nix13
1 files changed, 13 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/tools/package-management/nix/common.nix b/nixpkgs/pkgs/tools/package-management/nix/common.nix
index cab48bbaf5b6..d0840d206b67 100644
--- a/nixpkgs/pkgs/tools/package-management/nix/common.nix
+++ b/nixpkgs/pkgs/tools/package-management/nix/common.nix
@@ -15,6 +15,15 @@ let
   atLeast210 = lib.versionAtLeast version "2.10pre";
   atLeast213 = lib.versionAtLeast version "2.13pre";
   atLeast214 = lib.versionAtLeast version "2.14pre";
+  atLeast220 = lib.versionAtLeast version "2.20pre";
+  atLeast221 = lib.versionAtLeast version "2.21pre";
+  # Major.minor versions unaffected by CVE-2024-27297
+  unaffectedByFodSandboxEscape = [
+    "2.3"
+    "2.18"
+    "2.19"
+    "2.20"
+  ];
 in
 { stdenv
 , autoconf-archive
@@ -40,6 +49,7 @@ in
 , lib
 , libarchive
 , libcpuid
+, libgit2
 , libsodium
 , libxml2
 , libxslt
@@ -118,6 +128,8 @@ self = stdenv.mkDerivation {
     gtest
     libarchive
     lowdown
+  ] ++ lib.optionals atLeast220 [
+    libgit2
   ] ++ lib.optionals stdenv.isDarwin [
     Security
   ] ++ lib.optionals (stdenv.isx86_64) [
@@ -249,6 +261,7 @@ self = stdenv.mkDerivation {
     platforms = platforms.unix;
     outputsToInstall = [ "out" ] ++ optional enableDocumentation "man";
     mainProgram = "nix";
+    knownVulnerabilities = lib.optional (!builtins.elem (lib.versions.majorMinor version) unaffectedByFodSandboxEscape && !atLeast221) "CVE-2024-27297";
   };
 };
 in self
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-23 12:56:18 +0000