
[20.03] openexr,imlbase: 2.3.0 -> 2.4.2 to fix numerous security issues #95102

Merged
merged 3 commits into from Sep 8, 2020

Conversation

risicle (Contributor) commented Aug 10, 2020

Motivation for this change

The openexr 2.3.x series hasn't had backports for at least 9 CVEs (see #88358) - I looked at doing them myself and the patches were just too dependent on other intervening changes for me to be able to have any confidence in them, especially what with openexr not having any tests enabled. They're also quite serious CVEs.

So I think we've got to bite the bullet and bump 20.03 to ~~2.4.1~~ 2.4.2. Big rebuild, can't check it all myself, but I've checked blender, gscan2pdf, gimp, opencv4, ufraw, openimageio, vips, imagemagick7.

Included fix from #86241 too to fix Darwin. Tested macOS 10.14.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

lovesegfault and others added 2 commits August 10, 2020 00:16
(cherry picked from commit e5e3159)
It appears that the autotools based build isn't supported on Darwin.
Just use the stdenv-builtin cmake build everywhere, as it works just
fine and is simpler.

(cherry picked from commit f509255)
risicle (Contributor, Author) commented Aug 10, 2020

@GrahamcOfBorg build openexr blender gimp ufraw opencv4 digikam

@risicle risicle changed the title [r20.03] openexr,imlbase: 2.3.0 -> 2.4.1 to fix numerous security issues [20.03] openexr,imlbase: 2.3.0 -> 2.4.2 to fix numerous security issues Aug 21, 2020
risicle (Contributor, Author) commented Aug 21, 2020

I've pushed a bump to 2.4.2 on top of this too now to take care of CVE-2020-15304, CVE-2020-15305 and CVE-2020-15306.

@worldofpeace worldofpeace changed the base branch from release-20.03 to staging-20.03 September 8, 2020 23:36
@worldofpeace worldofpeace merged commit 243666d into NixOS:staging-20.03 Sep 8, 2020
4 participants