cudaPackages.tensorrt: mark insecure

2026-06-05 21:03:40 +00:00 · 2026-05-22 23:26:32 +03:00
parent aad67a085f
commit b0015daf6f
2 changed files with 10 additions and 1 deletions
--- a/pkgs/development/cuda-modules/packages/tensorrt.nix
+++ b/pkgs/development/cuda-modules/packages/tensorrt.nix
@@ -200,8 +200,14 @@ buildRedist (
      # the redistributables do. As such, we need to specify downloadPage manually.
      downloadPage = "https://developer.nvidia.com/downloads/compute/machine-learning/tensorrt";
      changelog = "https://docs.nvidia.com/deeplearning/tensorrt/latest/getting-started/release-notes.html#release-notes";
-
      license = _cuda.lib.licenses.tensorrt;
+
+      knownVulnerabilities =
+        # https://github.com/NixOS/nixpkgs/issues/522570
+        # https://nvidia.custhelp.com/app/answers/detail/a_id/5836
+        lib.optionals (lib.versionOlder finalAttrs.version "10.16.1") [
+          "CVE-2026-24188: OOB write"
+        ];
    };
  }
 )
--- a/pkgs/top-level/release-cuda.nix
+++ b/pkgs/top-level/release-cuda.nix
@@ -25,6 +25,9 @@ in
  nixpkgsArgs ? {
    config = {
      allowUnfreePredicate = cudaLib.allowUnfreeCudaPredicate;
+      # [CVE-2026-24188](https://github.com/NixOS/nixpkgs/issues/522570):
+      # OOB write
+      allowInsecurePredicate = p: lib.getName p == "tensorrt";
      "${variant}Support" = true;
      inHydra = true;