nix-community / nixvim

Configure Neovim with Nix! [maintainers=@GaetanLepage, @traxys, @mattsturgeon, @khaneliman]
https://nix-community.github.io/nixvim
MIT License

[BUG] CVE-2024-27297 present #1242

Closed zackattackz closed 7 months ago

zackattackz commented 7 months ago
Field Description
Plugin N/A
Nixpkgs unstable
Home Manager unstable

Description

nixvim depends on an insecure version of Nix (version 2.16.2).

Here is the error when running home-manager switch:

error: Package ‘nix-2.16.2’ in /nix/store/nra828scc8qs92b9pxra5csqzffb6hpl-source/pkgs/tools/package-management/nix/default.nix:229 is marked as insecure, refusing to evaluate.

       Known issues:
        - CVE-2024-27297

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

          Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
                then pass `--impure` in order to allow use of environment variables.

       b) for `nixos-rebuild` you can add ‘nix-2.16.2’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "nix-2.16.2"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘nix-2.16.2’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "nix-2.16.2"
              ];
            }

Minimal, Reproducible Example (MRE)

Here is my module for nixvim:

# Module that turns on nixvim (editor options, keymaps, plugins) behind a
# single `nixvim.enable` switch.
{ config, lib, pkgs, ... }:

let
  # Pull in only the two lib helpers this module uses.
  inherit (lib) mkEnableOption mkIf;

  nixvimCfg = config.nixvim;

  # One theme name, reused for the colorscheme and for Telescope highlighting.
  theme = "gruvbox";
in
{
  options.nixvim.enable = mkEnableOption "nixvim options";

  config = mkIf nixvimCfg.enable {
    programs.nixvim = {
      enable = true;
      viAlias = true;
      vimAlias = true;

      colorschemes.${theme}.enable = true;

      # Space is the leader key; the first keymap below maps the bare key to <NOP>.
      globals.mapleader = " ";

      options = {
        number = true;
        relativenumber = true;
        autoindent = true;
        expandtab = true;
        tabstop = 2;
        shiftwidth = 2;
      };

      keymaps = [
        { mode = "n"; key = " "; action = "<NOP>"; }
        { mode = "n"; key = "<leader>ft"; action = ":Telescope file_browser<CR>"; }
        { mode = "n"; key = "<leader>fp"; action = ":Telescope projects<CR>"; }
      ];

      plugins = {
        direnv.enable = true;
        lightline.enable = true;
        fugitive.enable = true;
        dashboard.enable = true;
        project-nvim.enable = true;
        copilot-lua.enable = true;

        treesitter = {
          enable = true;
          indent = true;
        };

        coq-nvim = {
          enable = true;
          autoStart = true;
          recommendedKeymaps = true;
        };

        lsp = {
          enable = true;
          # NOTE(review): per the maintainers' replies on this issue, nixd is
          # what pulls in nix-2.16.2 (flagged for CVE-2024-27297); disabling
          # it is one of the two ways they give to get past the evaluation
          # error.
          servers.nixd.enable = true;
          servers.bashls.enable = true;
        };

        telescope = {
          enable = true;
          highlightTheme = theme;
          keymaps = {
            "<leader>ff" = "find_files";
            "<leader>fg" = "live_grep";
            "<leader>fb" = "buffers";
            "<leader>fj" = "jumplist";
            "<c-p>" = "oldfiles";
          };
          extensions = {
            file_browser.enable = true;
            project-nvim.enable = true;
            media_files.enable = true;
          };
        };
      };
    };
  };
}

Here is my flake.lock:

{
  "nodes": {
    "devshell": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixvim",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1708939976,
        "narHash": "sha256-O5+nFozxz2Vubpdl1YZtPrilcIXPcRAjqNdNE8oCRoA=",
        "owner": "numtide",
        "repo": "devshell",
        "rev": "5ddecd67edbd568ebe0a55905273e56cc82aabe3",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "devshell",
        "type": "github"
      }
    },
    "dream2nix": {
      "inputs": {
        "nixpkgs": "nixpkgs_2",
        "purescript-overlay": "purescript-overlay",
        "pyproject-nix": "pyproject-nix"
      },
      "locked": {
        "lastModified": 1708076672,
        "narHash": "sha256-6lV6eYyk/tg8ONjLXaLrPIC0OyxbaZkMhZwMJr5SQXQ=",
        "owner": "nix-community",
        "repo": "dream2nix",
        "rev": "3065f503444343714c4d63788dcd90dc4c2606a3",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "dream2nix",
        "type": "github"
      }
    },
    "dream2nix_2": {
      "inputs": {
        "nixpkgs": "nixpkgs_3",
        "purescript-overlay": "purescript-overlay_2",
        "pyproject-nix": "pyproject-nix_2"
      },
      "locked": {
        "lastModified": 1707485598,
        "narHash": "sha256-9ta9bNgJHMYCAvuqr3y2BMqy2OFCYS+mZoi9yhYYewY=",
        "owner": "nix-community",
        "repo": "dream2nix",
        "rev": "367e7fcc980bf2fad69229ed8733697ed5c3fef8",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "dream2nix",
        "type": "github"
      }
    },
    "flake-compat": {
      "locked": {
        "lastModified": 1696426674,
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "revCount": 57,
        "type": "tarball",
        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
      }
    },
    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
          "nixvim",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709336216,
        "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1701680307,
        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_2": {
      "inputs": {
        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1701680307,
        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
          "nixvim",
          "pre-commit-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1703887061,
        "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1710164657,
        "narHash": "sha256-l64+ZjaQAVkHDVaK0VHwtXBdjcBD6nLBD+p7IfyBp/w=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "017b12de5b899ef9b64e2c035ce257bfe95b8ae2",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "master",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixvim",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709988192,
        "narHash": "sha256-qxwIkl85P0I1/EyTT+NJwzbXdOv86vgZxcv4UKicjK8=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "b0b0c3d94345050a7f86d1ebc6c56eea4389d030",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "nix-darwin": {
      "inputs": {
        "nixpkgs": [
          "nixvim",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709771483,
        "narHash": "sha256-Hjzu9nCknHLQvhdaRFfCEprH0o15KcaNu1QDr3J88DI=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "550340062c16d7ef8c2cc20a3d2b97bcd3c6b6f6",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1709961763,
        "narHash": "sha256-6H95HGJHhEZtyYA3rIQpvamMKAGoa8Yh2rFV29QnuGw=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "3030f185ba6a4bf4f18b87f345f104e6a6961f34",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-python-ldap-3_4_0": {
      "locked": {
        "lastModified": 1655496630,
        "narHash": "sha256-GZVgHf8Lx9wPcJOkVN8Cw2WkzVsNsV0L86geKA+E6dA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "f597e7e9fcf37d8ed14a12835ede0a7d362314bd",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "f597e7e9fcf37d8ed14a12835ede0a7d362314bd",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1702272962,
        "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1702272962,
        "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixvim": {
      "inputs": {
        "devshell": "devshell",
        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
        "home-manager": "home-manager_2",
        "nix-darwin": "nix-darwin",
        "nixpkgs": [
          "nixpkgs"
        ],
        "pre-commit-hooks": "pre-commit-hooks"
      },
      "locked": {
        "lastModified": 1710016565,
        "narHash": "sha256-GoNm8bTT2YjZwdS0jcF0u2mTb8TYDDVyl8vgGICaS8I=",
        "owner": "nix-community",
        "repo": "nixvim",
        "rev": "fb897e22e31f4d29766d94cea3df4aaf008c095e",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixvim",
        "type": "github"
      }
    },
    "pre-commit-hooks": {
      "inputs": {
        "flake-compat": "flake-compat_2",
        "flake-utils": "flake-utils_2",
        "gitignore": "gitignore",
        "nixpkgs": [
          "nixvim",
          "nixpkgs"
        ],
        "nixpkgs-stable": [
          "nixvim",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1708018599,
        "narHash": "sha256-M+Ng6+SePmA8g06CmUZWi1AjG2tFBX9WCXElBHEKnyM=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "rev": "5df5a70ad7575f6601d91f0efec95dd9bc619431",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "type": "github"
      }
    },
    "purescript-overlay": {
      "inputs": {
        "nixpkgs": [
          "snowdoo-support",
          "dream2nix",
          "nixpkgs"
        ],
        "slimlock": "slimlock"
      },
      "locked": {
        "lastModified": 1696022621,
        "narHash": "sha256-eMjFmsj2G1E0Q5XiibUNgFjTiSz0GxIeSSzzVdoN730=",
        "owner": "thomashoneyman",
        "repo": "purescript-overlay",
        "rev": "047c7933abd6da8aa239904422e22d190ce55ead",
        "type": "github"
      },
      "original": {
        "owner": "thomashoneyman",
        "repo": "purescript-overlay",
        "type": "github"
      }
    },
    "purescript-overlay_2": {
      "inputs": {
        "nixpkgs": [
          "snowdoo-support",
          "snowdoo",
          "dream2nix",
          "nixpkgs"
        ],
        "slimlock": "slimlock_2"
      },
      "locked": {
        "lastModified": 1696022621,
        "narHash": "sha256-eMjFmsj2G1E0Q5XiibUNgFjTiSz0GxIeSSzzVdoN730=",
        "owner": "thomashoneyman",
        "repo": "purescript-overlay",
        "rev": "047c7933abd6da8aa239904422e22d190ce55ead",
        "type": "github"
      },
      "original": {
        "owner": "thomashoneyman",
        "repo": "purescript-overlay",
        "type": "github"
      }
    },
    "pyproject-nix": {
      "flake": false,
      "locked": {
        "lastModified": 1702448246,
        "narHash": "sha256-hFg5s/hoJFv7tDpiGvEvXP0UfFvFEDgTdyHIjDVHu1I=",
        "owner": "davhau",
        "repo": "pyproject.nix",
        "rev": "5a06a2697b228c04dd2f35659b4b659ca74f7aeb",
        "type": "github"
      },
      "original": {
        "owner": "davhau",
        "ref": "dream2nix",
        "repo": "pyproject.nix",
        "type": "github"
      }
    },
    "pyproject-nix_2": {
      "flake": false,
      "locked": {
        "lastModified": 1702448246,
        "narHash": "sha256-hFg5s/hoJFv7tDpiGvEvXP0UfFvFEDgTdyHIjDVHu1I=",
        "owner": "davhau",
        "repo": "pyproject.nix",
        "rev": "5a06a2697b228c04dd2f35659b4b659ca74f7aeb",
        "type": "github"
      },
      "original": {
        "owner": "davhau",
        "ref": "dream2nix",
        "repo": "pyproject.nix",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs",
        "nixvim": "nixvim",
        "snowdoo-support": "snowdoo-support"
      }
    },
    "slimlock": {
      "inputs": {
        "nixpkgs": [
          "snowdoo-support",
          "dream2nix",
          "purescript-overlay",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1688610262,
        "narHash": "sha256-Wg0ViDotFWGWqKIQzyYCgayeH8s4U1OZcTiWTQYdAp4=",
        "owner": "thomashoneyman",
        "repo": "slimlock",
        "rev": "b5c6cdcaf636ebbebd0a1f32520929394493f1a6",
        "type": "github"
      },
      "original": {
        "owner": "thomashoneyman",
        "repo": "slimlock",
        "type": "github"
      }
    },
    "slimlock_2": {
      "inputs": {
        "nixpkgs": [
          "snowdoo-support",
          "snowdoo",
          "dream2nix",
          "purescript-overlay",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1688610262,
        "narHash": "sha256-Wg0ViDotFWGWqKIQzyYCgayeH8s4U1OZcTiWTQYdAp4=",
        "owner": "thomashoneyman",
        "repo": "slimlock",
        "rev": "b5c6cdcaf636ebbebd0a1f32520929394493f1a6",
        "type": "github"
      },
      "original": {
        "owner": "thomashoneyman",
        "repo": "slimlock",
        "type": "github"
      }
    },
    "snowdoo": {
      "inputs": {
        "dream2nix": "dream2nix_2",
        "nixpkgs": [
          "snowdoo-support",
          "snowdoo",
          "dream2nix",
          "nixpkgs"
        ],
        "nixpkgs-python-ldap-3_4_0": "nixpkgs-python-ldap-3_4_0"
      },
      "locked": {
        "lastModified": 1708292625,
        "narHash": "sha256-EA651rB9OMi9JSL3xspW6oMyXHzS4pgyP9LPs8aTTwc=",
        "owner": "zackattackz",
        "repo": "snowdoo",
        "rev": "b896fddc7437cad7edeee5d341a997e7c38c7481",
        "type": "github"
      },
      "original": {
        "owner": "zackattackz",
        "repo": "snowdoo",
        "type": "github"
      }
    },
    "snowdoo-support": {
      "inputs": {
        "dream2nix": "dream2nix",
        "nixpkgs": [
          "snowdoo-support",
          "dream2nix",
          "nixpkgs"
        ],
        "snowdoo": "snowdoo"
      },
      "locked": {
        "lastModified": 1708390688,
        "narHash": "sha256-xyW/TcYcjxoStQL/lhr4aPAomaha2wITlVJGuJkM9qk=",
        "ref": "refs/heads/main",
        "rev": "a6740eddf397083a88749c110646b01e23b43c95",
        "revCount": 2,
        "type": "git",
        "url": "ssh://git@github.com/zaha-odoo/snowdoo-support"
      },
      "original": {
        "type": "git",
        "url": "ssh://git@github.com/zaha-odoo/snowdoo-support"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
  "version": 7
}
traxys commented 7 months ago

This is due to nixd; there is not much we can do about it.

GaetanLepage commented 7 months ago

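Now that https://github.com/nix-community/nixvim/pull/1239 is merged, you can at least update your system. However, you will need to either disable nixd or explicitly allow the insecure nix 2.16 to be installed (for example by listing only that package in `permittedInsecurePackages`, as the error output above shows, rather than allowing all insecure packages).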

zackattackz commented 7 months ago

@traxys @GaetanLepage I forgot that nixd is a language server, and not the "nix daemon". I thought this was something else entirely. Apologies 😅