diff --git a/pkgs/tools/package-management/nix/common.nix b/pkgs/tools/package-management/nix/common.nix
index 77a6bca3e9fb4..ead04407001f4 100644
--- a/pkgs/tools/package-management/nix/common.nix
+++ b/pkgs/tools/package-management/nix/common.nix
@@ -15,14 +15,8 @@ let
 atLeast210 = lib.versionAtLeast version "2.10pre";
 atLeast213 = lib.versionAtLeast version "2.13pre";
 atLeast214 = lib.versionAtLeast version "2.14pre";
+ atLeast220 = lib.versionAtLeast version "2.20pre";
 atLeast221 = lib.versionAtLeast version "2.21pre";
- # Major.minor versions unaffected by CVE-2024-27297 unaffectedByFodSandboxEscape = [ "2.3" "2.18" "2.19" "2.20" ];
 in {
 stdenv
 , autoconf-archive
@@ -48,6 +42,7 @@ in
 , lib
 , libarchive
 , libcpuid
+, libgit2
 , libsodium
 , libxml2
 , libxslt
@@ -126,6 +121,8 @@ self = stdenv.mkDerivation {
 gtest
 libarchive
 lowdown
+ ] ++ lib.optionals atLeast220 [ libgit2
 ] ++ lib.optionals stdenv.isDarwin [
 Security
 ] ++ lib.optionals (stdenv.isx86_64) [
@@ -257,7 +254,6 @@ self = stdenv.mkDerivation {
 platforms = platforms.unix;
 outputsToInstall = [ "out" ] ++ optional enableDocumentation "man";
 mainProgram = "nix";
- knownVulnerabilities = lib.optional (!builtins.elem (lib.versions.majorMinor version) unaffectedByFodSandboxEscape && !atLeast221) "CVE-2024-27297";
 };
 };
 in self
diff --git a/pkgs/tools/package-management/nix/default.nix b/pkgs/tools/package-management/nix/default.nix
index b72bc3c1d8aa5..92c988ea5d087 100644
--- a/pkgs/tools/package-management/nix/default.nix
+++ b/pkgs/tools/package-management/nix/default.nix
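Review bot: Deleting the `knownVulnerabilities` line in the last hunk removes the CVE-2024-27297 marker from every version this file still builds, not just from the new 2.20 entry, and nothing is added in its place. The removed table named only 2.3, 2.18, 2.19 and 2.20 as unaffected by the FOD sandbox escape, and the `atLeast210`/`atLeast213`/`atLeast214` predicates kept in the first hunk suggest older series are still built here, so those would now evaluate without the warning that previously blocked them; this diff does not show those versions being removed. If every version left in `default.nix` is in a patched series, record that where the table stood, e.g. `# All remaining versions are in series unaffected by CVE-2024-27297; re-add knownVulnerabilities if an older series is reintroduced`; otherwise keep the `knownVulnerabilities` line and its table. The enclosing `meta` set and the `mkDerivation` call begin outside the hunk.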
@@ -17,8 +17,19 @@ let
 boehmgc-nix_2_3 = boehmgc.override { enableLargeConfig = true; };
 boehmgc-nix = boehmgc-nix_2_3.overrideAttrs (drv: {
- # Part of the GC solution in https://github.com/NixOS/nix/pull/4944 patches = (drv.patches or [ ]) ++ [ ./patches/boehmgc-coroutine-sp-fallback.patch ];
+ patches = (drv.patches or [ ]) ++ [
+ # Part of the GC solution in https://github.com/NixOS/nix/pull/4944 ./patches/boehmgc-coroutine-sp-fallback.patch
+
+ # Required since 2.20, and has always been a valid change
+ # Awaiting 8.2 patch release of https://github.com/ivmai/bdwgc/commit/d1d4194c010bff2dc9237223319792cae834501c
+ # or master release of https://github.com/ivmai/bdwgc/commit/86b3bf0c95b66f718c3cb3d35fd7387736c2a4d7
+ (fetchpatch {
+ name = "boehmgc-traceable_allocator-public.diff";
+ url = "https://github.com/NixOS/nix/raw/2.20.0/dep-patches/boehmgc-traceable_allocator-public.diff";
+ hash = "sha256-FLsHY/JS46neiSyyQkVpbHZEFvWSCzWrFQu1CC71sh4=";
+ })
+ ];
 });
 # old nix fails to build with newer aws-sdk-cpp and the patch doesn't apply
@@ -247,6 +258,11 @@ in lib.makeExtensible (self: ({
 ];
 };
+ nix_2_20 = common {
+ version = "2.20.5";
+ hash = "sha256-bfFe38BkoQws7om4gBtBWoNTLkt9piMXdLLoHYl+vBQ=";
+ };
+
 # The minimum Nix version supported by Nixpkgs
 # Note that some functionality *might* have been backported into this Nix version,
 # making this package an inaccurate representation of what features are available
@@ -266,7 +282,7 @@ in lib.makeExtensible (self: ({
 stable = addFallbackPathsCheck self.nix_2_18;
- unstable = self.nix_2_19;
+ unstable = self.nix_2_20;
 } // lib.optionalAttrs config.allowAliases {
 nix_2_4 = throw "nixVersions.nix_2_4 has been removed";
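Review bot: The new `fetchpatch` takes the collector patch from a copy in the NixOS/nix repository at tag `2.20.0`, while the comment above it cites two upstream bdwgc commits, so a reader cannot tell whether what is applied to `boehmgc-nix` is the upstream change or a Nix-side adaptation of it. The `hash` pins the content, so the mutable tag is not an integrity problem, but provenance should match the comment: either fetch `https://github.com/ivmai/bdwgc/commit/d1d4194c010bff2dc9237223319792cae834501c.patch` and update the hash, or state in the comment that the Nix copy is the 8.2 backport and how it differs. The phrase "has always been a valid change" is also vague for a patch that, if `boehmgc-nix` is shared with the older versions built from this file, now alters the collector for all of them; replace it with what the patch does, e.g. `# Exposes traceable_allocator publicly (needed by Nix >= 2.20); harmless for older versions`. The `boehmgc-nix` binding itself is complete within the hunk.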
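Review bot: The `nix_2_20` entry in the second hunk records nothing about its security status, while the same commit deletes the `common.nix` table that listed the 2.20 series as unaffected by CVE-2024-27297, leaving no place that says the pin matters. If the series is unaffected only from a particular patch release, record the floor on the entry, e.g. `# 2.20.x: keep at or above the release carrying the CVE-2024-27297 fix`; if the whole series is unaffected, a one-line comment saying so is still worth keeping next to the version since the table is gone. The `lib.makeExtensible` set that holds this entry begins outside the hunk.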