Skip to content

cargo-binstall: 1.15.7 -> 1.15.9, fix CVE-2025-62518, add versionCheckHook #455310

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 26, 2025
Merged

cargo-binstall: 1.15.7 -> 1.15.9, fix CVE-2025-62518, add versionCheckHook #455310

merged 2 commits into from
Oct 26, 2025

Conversation

@bengsparks
Copy link
Contributor

@bengsparks bengsparks commented Oct 24, 2025
edited by niklaskorz
Loading

Tracking Issue: #455265

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

@bengsparks bengsparks added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Oct 24, 2025
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux. labels Oct 24, 2025
@bengsparks bengsparks marked this pull request as ready for review October 24, 2025 18:02
@bengsparks bengsparks changed the title WIP: cargo-binstall: 1.15.7 -> 1.15.8, fix CVE cargo-binstall: 1.15.7 -> 1.15.8, fix CVE Oct 24, 2025
@nix-owners nix-owners bot requested a review from figsoda October 24, 2025 18:03
@bengsparks bengsparks changed the title cargo-binstall: 1.15.7 -> 1.15.8, fix CVE cargo-binstall: 1.15.7 -> 1.15.8, fix CVE-2025-62518, add versionCheckHook Oct 24, 2025
@niklaskorz
Copy link
Contributor

niklaskorz commented Oct 24, 2025
edited
Loading

1.15.8 does still use a vulnerable version of tokio-tar it seems

https://github.com/cargo-bins/cargo-binstall/blob/ae3bd540883cc0f031cc0468e20b833703d5445c/Cargo.lock#L4445

Edit: nvm, didn't see the patch

@bengsparks
Copy link
Contributor Author

bengsparks commented Oct 24, 2025

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 455310
Commit: cb2868d200a12e75b435495db18f7374c4c39290

aarch64-darwin

✅ 1 package built:
  • cargo-binstall

@niklaskorz
Copy link
Contributor

niklaskorz commented Oct 24, 2025

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 455310
Commit: cb2868d200a12e75b435495db18f7374c4c39290

x86_64-linux

✅ 1 package built:
  • cargo-binstall

niklaskorz
niklaskorz reviewed Oct 24, 2025
View reviewed changes
@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Oct 24, 2025
@niklaskorz niklaskorz mentioned this pull request Oct 24, 2025
Closed
15 tasks
@bengsparks bengsparks added the backport release-25.05 Backport PR automatically label Oct 24, 2025
@bengsparks bengsparks changed the title cargo-binstall: 1.15.7 -> 1.15.8, fix CVE-2025-62518, add versionCheckHook cargo-binstall: 1.15.7 -> 1.15.9, fix CVE-2025-62518, add versionCheckHook Oct 26, 2025
@bengsparks bengsparks force-pushed the cargo-binstall-cve branch 2 times, most recently from 161b2d6 to aeb4f0d Compare October 26, 2025 14:11
niklaskorz
niklaskorz requested changes Oct 26, 2025
View reviewed changes
@niklaskorz
Copy link
Contributor

niklaskorz commented Oct 26, 2025

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 455310
Commit: b3c050b9c8de02a7e5e791081b4ee7e92450e264

aarch64-darwin

✅ 1 package built:
  • cargo-binstall

@niklaskorz niklaskorz added this pull request to the merge queue Oct 26, 2025
Merged via the queue into NixOS:master with commit 9ec7585 Oct 26, 2025
25 checks passed
@nixpkgs-ci
Copy link
Contributor

nixpkgs-ci bot commented Oct 26, 2025

Backport failed for release-25.05, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release-25.05
git worktree add -d .worktree/backport-455310-to-release-25.05 origin/release-25.05
cd .worktree/backport-455310-to-release-25.05
git switch --create backport-455310-to-release-25.05
git cherry-pick -x 72a85b5e53dd19778145610cc54c23b51f3e2b67 b3c050b9c8de02a7e5e791081b4ee7e92450e264

@niklaskorz niklaskorz added the 9.needs: port to stable A PR needs a backport to the stable release. label Oct 26, 2025
@niklaskorz niklaskorz mentioned this pull request Oct 26, 2025
Merged
13 tasks
@niklaskorz niklaskorz added 8.has: port to stable This PR already has a backport to the stable release. and removed 9.needs: port to stable A PR needs a backport to the stable release. labels Oct 26, 2025
@bengsparks bengsparks deleted the cargo-binstall-cve branch October 27, 2025 00:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@niklaskorz niklaskorz niklaskorz approved these changes

@figsoda figsoda Awaiting requested review from figsoda

Assignees

No one assigned

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 8.has: port to stable This PR already has a backport to the stable release. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux. 12.approvals: 1 This PR was reviewed and approved by one person. backport release-25.05 Backport PR automatically

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bengsparks @niklaskorz