Conversation

@gepbird
Contributor

@gepbird gepbird commented Aug 16, 2025

Part of #434341

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. 6.topic: cuda Parallel computing platform and API labels Aug 16, 2025
@gepbird gepbird marked this pull request as ready for review August 16, 2025 23:39
@ConnorBaker ConnorBaker self-assigned this Aug 17, 2025
@ConnorBaker
Contributor

I’ll try to take a look tomorrow.

Why not target master?

Also, can this be back ported?

@gepbird
Contributor Author

gepbird commented Aug 17, 2025

I’ll try to take a look tomorrow.

Thanks, that would be awesome :)

I edited the PR description for more context

I tried to build it on x86_64-linux, which said I have an unsupported system for a dependency that only builds on aarch64-linux; I didn't dig further into it. I tried to build the wrong attr as I'm not familiar with cuda, I'll leave the testing up to you

Why not target master?

It depends on libxml2_13 which is not on master yet: https://nixpk.gs/pr-tracker.html?pr=421740

Also, can this be back ported?

Hmm that would be a good idea, but I don't have the capacity to do that. We'd need to backport #421740 (which is not as straightforward as putting a label on it)

@ConnorBaker
Contributor

I did not get a chance today and I don’t know if I will soon :/

We’ve been trying to remove the CUDA toolkit provided by the giant runfile installer for some time, so the cudatoolkit attribute references a symlinkJoin of smaller packages. You want to build cudatoolkit-legacy-runfile-installer or something similar — check the attribute name in cuda-packages.nix in top-level. You will need to import Nixpkgs with config.allowUnfree and config.cudaSupport set to true.

That’s a bummer about backporting but I understand.

At any rate, thank you for the PR!

@gepbird gepbird added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Aug 17, 2025
@gepbird
Contributor Author

gepbird commented Aug 17, 2025

You want to build cudatoolkit-legacy-runfile-installer or something similar — check the attribute name in cuda-packages.nix in top-level

Thanks, cudaPackages_12_9.cudatoolkit-legacy-runfile builds fine

@LordGrimmauld
Contributor

Also, can this be back ported?

Hmm that would be a good idea, but I don't have the capacity to do that. We'd need to backport #421740 (which is not as straightforward as putting a label on it)

patches = [
  # Unmerged ABI-breaking patch required to fix the following security issues:
  # - https://gitlab.gnome.org/GNOME/libxslt/-/issues/139
  # - https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
  # See also https://gitlab.gnome.org/GNOME/libxml2/-/issues/906
  # Source: https://github.com/chromium/chromium/blob/4fb4ae8ce3daa399c3d8ca67f2dfb9deffcc7007/third_party/libxml/chromium/xml-attr-extra.patch
  ./xml-attr-extra.patch
  # same as upstream patch but fixed conflict and added required import:
  # https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0.diff
  ./CVE-2025-6021.patch
  (fetchpatch2 {
    name = "CVE-2025-49794-49796.patch";
    url = "https://gitlab.gnome.org/GNOME/libxml2/-/commit/f7ebc65f05bffded58d1e1b2138eb124c2e44f21.patch";
    hash = "sha256-k+IGq6pbv9EA7o+uDocEAUqIammEjLj27Z+2RF5EMrs=";
  })
  (fetchpatch2 {
    name = "CVE-2025-49795.patch";
    url = "https://gitlab.gnome.org/GNOME/libxml2/-/commit/c24909ba2601848825b49a60f988222da3019667.patch";
    hash = "sha256-r7PYKr5cDDNNMtM3ogNLsucPFTwP/uoC7McijyLl4kU=";
    excludes = [ "runtest.c" ]; # tests were rewritten in C and are on schematron for 2.13.x, meaning this does not apply
  })
  # same as upstream, fixed conflicts
  # https://gitlab.gnome.org/GNOME/libxml2/-/commit/c340e419505cf4bf1d9ed7019a87cc00ec200434
  ./CVE-2025-6170.patch
];

#425246

We have backports of the CVE fixes, which is all we need. 25.05 is globally stuck on a patched 2.13.8 libxml, because updating would be a breaking change. We don't need this override on 25.05 at all, and as such we basically already did all the relevant backports.

@gepbird
Contributor Author

gepbird commented Aug 17, 2025

I completely forgot about backporting those, thanks for the reminder. Yeah in that case it should be straightforward to backport this PR.

@vcunat vcunat merged commit 7dd29e7 into NixOS:staging-next Aug 20, 2025
35 of 37 checks passed
@github-project-automation github-project-automation bot moved this from New to ✅ Done in CUDA Team Aug 20, 2025
@gepbird gepbird deleted the cudapackages-12-9-libxml2 branch August 20, 2025 09:54
@gepbird
Contributor Author

gepbird commented Aug 20, 2025

I don't think a backport is needed, the libxml2 dependency was added in d697bfc which is not on release-25.05
