From a61841a597730a4ec18be3f87a257a3989e629dd Mon Sep 17 00:00:00 2001
From: Alyssa Ross
Date: Sun, 29 Jun 2025 14:41:47 +0200
Subject: [PATCH] nixVersions.nix_2_3: add knownVulnerabilities

---
 ci/default.nix | 4 +++-
 lib/tests/release.nix | 13 ++++++++++---
 .../package-management/nix/common-autoconf.nix | 3 ++-
 pkgs/tools/package-management/nix/default.nix | 9 +++++++++
 pkgs/top-level/make-tarball.nix | 8 +++++++-
 pkgs/top-level/release.nix | 16 +++++++++++++++-
 6 files changed, 46 insertions(+), 7 deletions(-)

diff --git a/ci/default.nix b/ci/default.nix
index 32e067133422..42eeadc67def 100644
--- a/ci/default.nix
+++ b/ci/default.nix
@@ -18,7 +18,9 @@ let
 
   pkgs = import nixpkgs' {
     inherit system;
-    config = { };
+    config = {
+      permittedInsecurePackages = [ "nix-2.3.18" ];
+    };
     overlays = [ ];
   };
 
diff --git a/lib/tests/release.nix b/lib/tests/release.nix
index 51260ea0300b..5a1752010745 100644
--- a/lib/tests/release.nix
+++ b/lib/tests/release.nix
@@ -2,9 +2,16 @@
   # The pkgs used for dependencies for the testing itself
   # Don't test properties of pkgs.lib, but rather the lib in the parent directory
   system ? builtins.currentSystem,
-  pkgs ? import ../.. { inherit system; } // {
-    lib = throw "pkgs.lib accessed, but the lib tests should use nixpkgs' lib path directly!";
-  },
+  pkgs ?
+    import ../.. {
+      inherit system;
+      config = {
+        permittedInsecurePackages = [ "nix-2.3.18" ];
+      };
+    }
+    // {
+      lib = throw "pkgs.lib accessed, but the lib tests should use nixpkgs' lib path directly!";
+    },
   # For testing someone may edit impure.nix to return cross pkgs, use `pkgsBuildBuild` directly so everything here works.
   pkgsBB ? pkgs.pkgsBuildBuild,
   nix ? pkgs-nixVersions.stable,
diff --git a/pkgs/tools/package-management/nix/common-autoconf.nix b/pkgs/tools/package-management/nix/common-autoconf.nix
index 1d7ed8cba374..4ad05d61d01b 100644
--- a/pkgs/tools/package-management/nix/common-autoconf.nix
+++ b/pkgs/tools/package-management/nix/common-autoconf.nix
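Review bot: The new `permittedInsecurePackages = [ "nix-2.3.18" ];` in ci/default.nix carries no comment saying why CI has to evaluate a package this same patch marks as vulnerable, and the identical literal is repeated in the lib/tests/release.nix, pkgs/top-level/make-tarball.nix and pkgs/top-level/release.nix hunks. A line above it naming the consumer, along the lines of `# nix_2_3 is marked insecure (knownVulnerabilities) but this CI evaluation still depends on it`, tells the next maintainer what breaks if the entry is removed. Because the allow-list matches on the exact name, the entry stops matching as soon as nix_2_3 is bumped past 2.3.18 and all four copies then have to change together; defining the name once and referencing it from the four sites would keep them from drifting. The enclosing `let` of ci/default.nix starts before the hunk.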
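Review bot: The `pkgs ?` default in lib/tests/release.nix now bakes in `permittedInsecurePackages = [ "nix-2.3.18" ]`, but the two comment lines above it still describe `pkgs` only as the dependency set, so a caller who supplies its own `pkgs` (as make-tarball.nix and release.nix do in this patch) is not told that the same allow-list entry is mandatory or evaluation fails. Extend the comment, e.g. `# Callers passing their own pkgs must permit "nix-2.3.18" too: the tests evaluate nix_2_3, which carries knownVulnerabilities.`, adjusting the reason if the dependency on nix_2_3 comes from somewhere other than `pkgs-nixVersions`, whose definition is outside the hunk so I cannot confirm it. The argument set this hunk edits begins before the hunk.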
@@ -11,6 +11,7 @@
       inherit hash;
     },
   patches ? [ ],
+  knownVulnerabilities ? [ ],
   maintainers ? [
     lib.maintainers.lovesegfault
     lib.maintainers.artturin
@@ -335,7 +336,7 @@ let
     '';
     homepage = "https://nixos.org/";
     license = licenses.lgpl21Plus;
-    inherit maintainers teams;
+    inherit knownVulnerabilities maintainers teams;
     platforms = platforms.unix;
     outputsToInstall = [ "out" ] ++ optional enableDocumentation "man";
     mainProgram = "nix";
diff --git a/pkgs/tools/package-management/nix/default.nix b/pkgs/tools/package-management/nix/default.nix
index 974532d99be4..10f93abf8f51 100644
--- a/pkgs/tools/package-management/nix/default.nix
+++ b/pkgs/tools/package-management/nix/default.nix
@@ -159,6 +159,15 @@ lib.makeExtensible (
         patch-monitorfdhup
       ];
       self_attribute_name = "nix_2_3";
+      knownVulnerabilities = [
+        "CVE-2024-38531"
+        "CVE-2024-47174"
+        "CVE-2025-46415"
+        "CVE-2025-46416"
+        "CVE-2025-52991"
+        "CVE-2025-52992"
+        "CVE-2025-52993"
+      ];
       maintainers = with lib.maintainers; [ flokli ];
       teams = [ ];
     }).overrideAttrs
diff --git a/pkgs/top-level/make-tarball.nix b/pkgs/top-level/make-tarball.nix
index 1b90e4bfdb66..b1ddef188d93 100644
--- a/pkgs/top-level/make-tarball.nix
+++ b/pkgs/top-level/make-tarball.nix
@@ -3,7 +3,13 @@
   officialRelease,
   pkgs ? import nixpkgs.outPath { },
   nix ? pkgs.nix,
-  lib-tests ? import ../../lib/tests/release.nix { inherit pkgs; },
+  lib-tests ? import ../../lib/tests/release.nix {
+    pkgs = import nixpkgs.outPath {
+      config = {
+        permittedInsecurePackages = [ "nix-2.3.18" ];
+      };
+    };
+  },
 }:
 
 pkgs.releaseTools.sourceTarball {
diff --git a/pkgs/top-level/release.nix b/pkgs/top-level/release.nix
index 21555a3e03d0..49ee9782ad53 100644
--- a/pkgs/top-level/release.nix
+++ b/pkgs/top-level/release.nix
@@ -86,6 +86,7 @@ let
     id
     isDerivation
     optionals
+    recursiveUpdate
     ;
   inherit (release-lib.lib.attrsets) unionOfDisjoint;
 
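Review bot: The `knownVulnerabilities` list added after `self_attribute_name = "nix_2_3";` consists of bare CVE identifiers, and those strings are exactly what a user sees when evaluation of nix_2_3 is refused, so they have to look up seven advisories to learn what is affected or what to move to. The field accepts free-form strings, so a leading entry that gives the context — e.g. `"Nix 2.3.18 is affected by the following CVEs, which this packaging does not fix:"` — plus a mention of the replacement attribute (the `pkgs-nixVersions.stable` default visible in lib/tests/release.nix suggests `nixVersions.stable`) would make the refusal actionable without changing which packages are blocked. The enclosing `lib.makeExtensible (` block starts and ends outside the hunk.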
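Review bot: The new `lib-tests` default in make-tarball.nix imports Nixpkgs a second time from `nixpkgs.outPath` with its own config instead of deriving from the `pkgs` argument, so a caller who passes a custom `pkgs` (other config or overlays) no longer has that reflected in the lib tests, and the default evaluation instantiates Nixpkgs twice. If the divergence is intended — keeping the insecure allowance off the tarball's own `pkgs` — a comment above the binding should say so, e.g. `# Not inherit pkgs: the lib tests need nix_2_3, which is marked insecure; keep that allowance off the tarball's own pkgs`; otherwise consider building the test set from `pkgs.path` and `pkgs.config` so only the allow-list differs. The argument set of this file begins before the hunk.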
@@ -111,7 +112,20 @@ let
 
   manual = pkgs.nixpkgs-manual.override { inherit nixpkgs; };
   metrics = import ./metrics.nix { inherit pkgs nixpkgs; };
-  lib-tests = import ../../lib/tests/release.nix { inherit pkgs; };
+  lib-tests = import ../../lib/tests/release.nix {
+    pkgs = import nixpkgs (
+      recursiveUpdate
+        (recursiveUpdate {
+          inherit system;
+          config.allowUnsupportedSystem = true;
+        } nixpkgsArgs)
+        {
+          config.permittedInsecurePackages = nixpkgsArgs.config.permittedInsecurePackages or [ ] ++ [
+            "nix-2.3.18"
+          ];
+        }
+    );
+  };
   pkgs-lib-tests = import ../pkgs-lib/tests { inherit pkgs; };
 
   darwin-tested =
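Review bot: The nested `recursiveUpdate (recursiveUpdate { inherit system; config.allowUnsupportedSystem = true; } nixpkgsArgs) { ... }` rebuilds the import arguments inline, and the inner call looks like a copy of how this file's own `pkgs` is built (that definition is outside the hunk, so I cannot confirm it). Binding the merged arguments once in the enclosing `let` — e.g. `nixpkgsArgs' = recursiveUpdate { inherit system; config.allowUnsupportedSystem = true; } nixpkgsArgs;` — and using it for both imports keeps the two evaluations from drifting apart. The explicit `nixpkgsArgs.config.permittedInsecurePackages or [ ] ++ [ "nix-2.3.18" ]` is correct, since recursiveUpdate replaces lists rather than concatenating them and `or` binds tighter than `++`; a short comment saying so would stop someone from "simplifying" it into a plain attribute and silently dropping the caller's own entries. The enclosing `let` starts before the hunk.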