Nixpkgs security tracker


Automatically generated suggestions

Each suggestion can be slated for refinement, or marked as irrelevant with the reason logged.

created 2 months ago Activity log
  • Created suggestion
Heap-based buffer overflow in the getZip64Data function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.

References

Affected products

UnZip
  • ==6.0 and earlier

Matching in nixpkgs

pkgs.unzip

Extraction utility for archives compressed in .zip format

  • nixos-unstable 6.0
    • nixpkgs-unstable 6.0
    • nixos-unstable-small 6.0
  • nixos-25.11 6.0
    • nixos-25.11-small 6.0
    • nixpkgs-25.11-darwin 6.0

pkgs.runzip

Tool to convert filename encoding inside a ZIP archive

  • nixos-unstable 1.4
    • nixpkgs-unstable 1.4
    • nixos-unstable-small 1.4
  • nixos-25.11 1.4
    • nixos-25.11-small 1.4
    • nixpkgs-25.11-darwin 1.4

pkgs.unzipNLS

Extraction utility for archives compressed in .zip format

  • nixos-unstable 6.0
    • nixpkgs-unstable 6.0
    • nixos-unstable-small 6.0
  • nixos-25.11 6.0
    • nixos-25.11-small 6.0
    • nixpkgs-25.11-darwin 6.0

Package maintainers

created 2 months ago Activity log
  • Created suggestion
The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors.

Affected products

QEMU
  • ==before 2.4.0.1

Matching in nixpkgs

pkgs.qemu

Generic and open source machine emulator and virtualizer

pkgs.qemu-user

QEMU User space emulator - launch executables compiled for one CPU on another CPU

Package maintainers

created 2 months ago Activity log
  • Created suggestion
Orca has arbitrary code execution due to insecure Python module load

Affected products

Orca
  • ==3.14.0

Matching in nixpkgs

pkgs.orca

Screen reader

  • nixos-unstable 49.5
    • nixpkgs-unstable 49.5
    • nixos-unstable-small 49.5
  • nixos-25.11 49.5
    • nixos-25.11-small 49.5
    • nixpkgs-25.11-darwin 49.5

pkgs.orcania

Potluck with different functions for different purposes that can be shared among C programs

pkgs.orca-slicer

G-code generator for 3D printers (Bambu, Prusa, Voron, VzBot, RatRig, Creality, etc.)

Package maintainers

created 2 months ago Activity log
  • Created suggestion
NaCl in 2015 allowed the CLFLUSH instruction, making rowhammer attacks possible.

Affected products

NaCL
  • ==2015

Matching in nixpkgs

Package maintainers

created 2 months ago Activity log
  • Created suggestion
Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attackers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop.

Affected products

QEMU
  • ==before 2.1.0

Matching in nixpkgs

pkgs.qemu

Generic and open source machine emulator and virtualizer

pkgs.qemu-user

QEMU User space emulator - launch executables compiled for one CPU on another CPU

Package maintainers

created 2 months ago Activity log
  • Created suggestion
eDeploy through at least 2014-10-14 has remote code execution due to eval() of untrusted data

Affected products

eDeploy
  • ==through 2014-10-14

Matching in nixpkgs

Package maintainers

created 2 months ago Activity log
  • Created suggestion
The gpg_ctx_add_recipient function in camel/camel-gpg-context.c in GNOME Evolution 3.8.4 and earlier and Evolution Data Server 3.9.5 and earlier does not properly select the GPG key to use for email encryption, which might cause the email to be encrypted with the wrong key and allow remote attackers to obtain sensitive information.

Affected products

Evolution
  • ==3.8.4 and earlier
Evolution Data Server
  • ==3.9.5 and earlier

Matching in nixpkgs

pkgs.evolution

Personal information management application that provides integrated mail, calendaring and address book functionality

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

Package maintainers

created 2 months ago Activity log
  • Created suggestion
Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php.

Affected products

ownCloud
  • ==4.0.10
  • ==4.5.5
  • ==and earlier

Matching in nixpkgs

pkgs.owncloud-client

Synchronise your ownCloud with your computer using this desktop client

Package maintainers

created 2 months ago Activity log
  • Created suggestion
shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees

Affected products

shadow
  • ==1

Matching in nixpkgs

pkgs.su

Suite containing authentication-related tools such as passwd and su

pkgs.shadow

Suite containing authentication-related tools such as passwd and su

pkgs.shadowenv

reversible directory-local environment variable manipulations

pkgs.shadowfox

Universal dark theme for Firefox while adhering to the modern design principles set by Mozilla

Package maintainers

created 2 months ago Activity log
  • Created suggestion
ovirt-engine 3.2 running on Linux kernel 3.1 and newer creates certain files world-writable due to an upstream kernel change which impacted how Python's os.chmod() works when passed a mode of '-1'.

References

Affected products

ovirt-engine
  • ==ovirt-engine 3.2 running on Linux kernel 3.1 and newer

Matching in nixpkgs