5.9 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): High (H)
- Availability (A): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): High (H)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): Low (L)
Activity log
- Created suggestion
Microsoft UFO accepts cross-device TASK_END messages by session_id only, allowing peer task-result injection
Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's constellation client tracks pending task responses by session_id only and does not verify that a TASK_END message came from the device that originally received the task. When the constellation sends a task to a target device, it records a pending Future under a session key. The pending task record stores the expected device ID, but the completion path ignores that binding. If another authenticated peer device sends a forged TASK_END with the same session_id, the constellation accepts the response and completes the victim device's pending Future with attacker-controlled result data. This is an authenticated cross-device task-result injection issue.
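To make the "bound but never checked" device ID concrete, the following is a constructed model of the completion path, added here and not UFO's own code; the class and method names (PendingTaskRegistry, dispatch, on_task_end), the message shape and the device identifiers are assumptions. The verify_sender flag switches between the reported behaviour and the hardened check, which also records rejected completions so they can be alerted on.

```python
"""Model of the UFO constellation TASK_END completion path (constructed, not UFO's code)."""
from __future__ import annotations
from concurrent.futures import Future
from dataclasses import dataclass, field
from typing import Any

@dataclass
class PendingTask:
    # Hypothetical record; the advisory says the real one stores a Future plus the device ID.
    expected_device_id: str
    future: Future = field(default_factory=Future)

class PendingTaskRegistry:
    """Pending task responses keyed by session_id.
    verify_sender=False reproduces the reported defect: TASK_END is matched by
    session_id alone and expected_device_id is never consulted.
    verify_sender=True is the hardened form: only the device the task was sent to
    may complete it; anything else is rejected and recorded for alerting."""

    def __init__(self, verify_sender: bool) -> None:
        self.verify_sender = verify_sender
        self._pending: dict[str, PendingTask] = {}
        self.rejected: list[tuple[str, str, str]] = []  # (session_id, sender, expected)

    def dispatch(self, session_id: str, target_device_id: str) -> Future:
        task = PendingTask(expected_device_id=target_device_id)
        self._pending[session_id] = task
        return task.future

    def on_task_end(self, sender_device_id: str, msg: dict[str, Any]) -> bool:
        # sender_device_id must come from the authenticated transport, not the body.
        task = self._pending.get(msg["session_id"])
        if task is None:
            return False  # unknown or already-completed session
        if self.verify_sender and sender_device_id != task.expected_device_id:
            self.rejected.append((msg["session_id"], sender_device_id, task.expected_device_id))
            return False
        task.future.set_result(msg["result"])
        del self._pending[msg["session_id"]]
        return True

def demo(verify_sender: bool) -> tuple[bool, Any]:
    """Dispatch a task to device-A, then deliver a TASK_END for the same session
    from peer device-B. Returns (accepted, result or None)."""
    reg = PendingTaskRegistry(verify_sender)
    fut = reg.dispatch("sess-42", "device-A")
    msg = {"type": "TASK_END", "session_id": "sess-42", "result": "peer-supplied"}
    accepted = reg.on_task_end("device-B", msg)
    return accepted, (fut.result() if fut.done() else None)
```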
References
- https://github.com/microsoft/UFO/security/advisories/GHSA-wmq2-74rj-7pjc x_refsource_CONFIRM
Affected products
- ==3.0.1-4-ge2626659
Matching in nixpkgs
pkgs.rufo
Ruby formatter
pkgs.tartufo
Tool to search through git repositories for high entropy strings and secrets
pkgs.ufolint
Linter for Unified Font Object (UFO) source code
pkgs.gohufont
A monospace bitmap font well suited for programming and terminal use
pkgs.nerd-fonts.gohufont
Nerd Fonts: Bitmap font, tall capitals and ascenders, small serifs
pkgs.akkuPackages.ufo-try
try-except to handle potential exception
pkgs.akkuPackages.ufo-match
This package is a dependable match macro library for chez scheme.
pkgs.akkuPackages.ufo-timer
This repository is a timer implementation based on Chez Scheme's thread mechanism.
pkgs.akkuPackages.ufo-socket
I did not edit Akku.manifest
pkgs.python312Packages.ufo2ft
Bridge from UFOs to FontTools objects
- nixos-25.11 ufo2ft-3.6.2
- nixos-25.11-small ufo2ft-3.6.2
- nixpkgs-25.11-darwin ufo2ft-3.6.2
pkgs.python313Packages.ufo2ft
Bridge from UFOs to FontTools objects
- nixos-unstable ufo2ft-3.7.0
- nixpkgs-unstable ufo2ft-3.7.0
- nixos-unstable-small ufo2ft-3.7.0
- nixos-25.11 ufo2ft-3.6.2
- nixos-25.11-small ufo2ft-3.6.2
- nixpkgs-25.11-darwin ufo2ft-3.6.2
pkgs.python314Packages.ufo2ft
Bridge from UFOs to FontTools objects
- nixos-unstable ufo2ft-3.7.0
- nixpkgs-unstable ufo2ft-3.7.0
- nixos-unstable-small ufo2ft-3.7.0
pkgs.python312Packages.ufolib2
Library to deal with UFO font sources
- nixos-25.11 ufolib2-0.18.1
- nixos-25.11-small ufolib2-0.18.1
- nixpkgs-25.11-darwin ufolib2-0.18.1
pkgs.python312Packages.ufolint
Linter for Unified Font Object (UFO) source code
pkgs.python313Packages.ufolib2
Library to deal with UFO font sources
- nixos-unstable ufolib2-0.18.1
- nixpkgs-unstable ufolib2-0.18.1
- nixos-unstable-small ufolib2-0.18.1
- nixos-25.11 ufolib2-0.18.1
- nixos-25.11-small ufolib2-0.18.1
- nixpkgs-25.11-darwin ufolib2-0.18.1
pkgs.python313Packages.ufolint
Linter for Unified Font Object (UFO) source code
pkgs.python314Packages.ufolib2
Library to deal with UFO font sources
- nixos-unstable ufolib2-0.18.1
- nixpkgs-unstable ufolib2-0.18.1
- nixos-unstable-small ufolib2-0.18.1
pkgs.python312Packages.ufomerge
Command line utility and Python library that merges two UFO source format fonts into a single file
pkgs.python313Packages.ufomerge
Command line utility and Python library that merges two UFO source format fonts into a single file
pkgs.akkuPackages.ufo-coroutines
This package is a dependable coroutine package for chez scheme.
pkgs.akkuPackages.ufo-thread-pool
This package is a dependable thread pool package for chez scheme.
pkgs.python312Packages.ufoprocessor
Read, write and generate UFOs with designspace data
pkgs.python313Packages.ufoprocessor
Read, write and generate UFOs with designspace data
pkgs.python314Packages.ufoprocessor
Read, write and generate UFOs with designspace data
pkgs.python312Packages.ufonormalizer
Script to normalize the XML and other data inside of a UFO
pkgs.python313Packages.ufo-extractor
Tools for extracting data from font binaries into UFO objects
pkgs.python313Packages.ufonormalizer
Script to normalize the XML and other data inside of a UFO
pkgs.python314Packages.ufonormalizer
Script to normalize the XML and other data inside of a UFO
pkgs.akkuPackages.ufo-threaded-function
This package contains threaded-map, threaded-vector-map and such threaded functions for chez scheme.
pkgs.vscode-extensions.ufo5260987423.magic-scheme
Adds support for Scheme(r6rs standard)
- nixos-unstable ufo5260987423-magic-scheme-0.0.6
- nixpkgs-unstable ufo5260987423-magic-scheme-0.0.6
- nixos-unstable-small ufo5260987423-magic-scheme-0.0.6
- nixos-25.11 ufo5260987423-magic-scheme-0.0.6
- nixos-25.11-small ufo5260987423-magic-scheme-0.0.6
- nixpkgs-25.11-darwin ufo5260987423-magic-scheme-0.0.6
Package maintainers
- @rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>
- @rc-zb Xiao Haifan <rc-zb@outlook.com>
- @doronbehar Doron Behar <me@doronbehar.com>
- @GNUqb114514 qb114514 <GNUqb114514@outlook.com>
- @danc86 Dan Callaghan <djc@djc.id.au>
- @jopejoe1 jopejoe1 <nixpkgs@missing.ninja>
- @sternenseemann Lukas Epple <sternenseemann@systemli.org>
- @andersk Anders Kaseorg <andersk@mit.edu>
- @fabaff Fabian Affolter <mail@fabian-affolter.ch>