As you might have heard, the xz package has a backdoor that seems to have been installed by the developer https://www.openwall.com/lists/oss-security/2024/03/29/4 . You should check the version you're running and downgrade if possible.
On most systems, it would be pretty hard to figure out which programs on your system run which version of xz. Nix, however, has some cool commands for figuring this out.
The main thing we want is to find all store paths (built programs) which have this package as a dependency, which you can do with
nix-store --query --referrers $(which xz)This prints out the store paths of which xz is a direct dependency. If you want the entire graph of dependencies (i.e. the entire blast radius of a dependency), run
nix-store --query --referrers-closure $(which xz)This is one advantage of having a central place to store builds and their build specs (derivations).
Imagine you're a big company, and an SSH vuln is made public. How do you check which of your running systems is affected? still just those commands above.
voila. practice safe package management anon.
nix-treehttps://github.com/utdemir/nix-treenix-tree /nix/var/nix/profiles/systemsearch for the package name with/and then explore the parents and descendants of that package...