
[r19.09] libvpx: add patches for CVE-2019-9232, CVE-2019-9325, CVE-2019-9371, CVE-2019-9433 #74751

Merged
merged 1 commit into from Dec 13, 2019

Conversation

risicle
Contributor

@risicle risicle commented Nov 30, 2019

Motivation for this change

https://nvd.nist.gov/vuln/detail/CVE-2019-9232
https://nvd.nist.gov/vuln/detail/CVE-2019-9325
https://nvd.nist.gov/vuln/detail/CVE-2019-9371
https://nvd.nist.gov/vuln/detail/CVE-2019-9433

Backports sourced from Debian package 1.7.0-3+deb10u1, included in-repo as the file is not available on sources.debian.org or salsa.debian.org. I'm still running the (long, slow) unit tests, but everything seems ok so far.

For master, see #60826

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @

…VE-2019-9433

backports sourced from debian package 1.7.0-3+deb10u1, included in-repo
as file is not available on sources.debian.org or salsa.debian.org
@risicle risicle changed the title libvpx: add patches for CVE-2019-9232, CVE-2019-9325, CVE-2019-9371, CVE-2019-9433 [r19.09] libvpx: add patches for CVE-2019-9232, CVE-2019-9325, CVE-2019-9371, CVE-2019-9433 Nov 30, 2019
@risicle
Contributor Author

risicle commented Nov 30, 2019

Incidentally, I'll just add a note on how I'm running the libvpx unit-tests as it's kinda non-standard. Once enabling unitTestsSupport, it's then just a matter of using nix-shell . -A libvpx and stepping through the phases manually. After buildPhase, I just run LIBVPX_TEST_DATA_PATH=some_dir make test, some_dir being any writeable dir that the test runner will first download a number of test files to before running the tests themselves. Now is a good time to go and do your laundry.
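The manual-phase procedure described in the comment above, written up as a script (added example, not code from the PR or from nixpkgs). It assumes it is run from inside `nix-shell . -A libvpx` with `unitTestsSupport` enabled on the libvpx derivation, so the stdenv phase functions and `$sourceRoot` are available; the data directory argument is any writable path you choose.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): runs libvpx's unit tests the way the
# comment describes. Assumes an active `nix-shell . -A libvpx` with
# unitTestsSupport enabled, so unpackPhase/patchPhase/configurePhase/
# buildPhase and $sourceRoot are defined by stdenv's setup script.

# The test runner downloads its fixtures into LIBVPX_TEST_DATA_PATH first,
# so the directory must exist and be writable before `make test` starts.
check_test_data_dir() {
  dir=$1
  [ -n "$dir" ] || { echo "empty test data path" >&2; return 1; }
  mkdir -p "$dir" 2>/dev/null || { echo "cannot create $dir" >&2; return 1; }
  if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
    echo "$dir is not a writable directory" >&2
    return 1
  fi
  return 0
}

run_libvpx_tests() {
  data_dir=${1:-$PWD/libvpx-test-data}
  check_test_data_dir "$data_dir" || return 1
  # nix-shell exports IN_NIX_SHELL; the phase functions only exist there.
  [ -n "${IN_NIX_SHELL:-}" ] || { echo "run inside nix-shell . -A libvpx" >&2; return 1; }
  unpackPhase
  cd "${sourceRoot:-.}" || return 1   # genericBuild does this cd implicitly
  patchPhase
  configurePhase
  buildPhase
  LIBVPX_TEST_DATA_PATH=$data_dir make test
}

# Only start the build when invoked explicitly: ./run-libvpx-tests.sh --run /tmp/vpx-data
case "${1:-}" in
  --run) run_libvpx_tests "${2:-}" ;;
esac
```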

@risicle
Contributor Author

risicle commented Dec 1, 2019

All tests passed.

@nh2
Contributor

nh2 commented Dec 1, 2019

@risicle I have some questions on whether this already fixes all 4 of the CVEs or only the first two, over at #60826 (comment)

@FRidh FRidh added this to Needs review in Staging (stable) Dec 1, 2019
@nh2
Contributor

nh2 commented Dec 1, 2019

> I have some questions on whether this already fixes all 4 of the CVEs or only the first two, over at #60826 (comment)

OK updated, I have checked that according to Debian all 4 CVEs listed are fixed by those patches.

Remaining is only what's fixed by

webmproject/libvpx@0681cff - vp9: fix OOB read in decoder_peek_si_internal

Is that also one of the CVEs?

@risicle
Contributor Author

risicle commented Dec 1, 2019

That is apparently CVE-2019-9325. See the notes in https://security-tracker.debian.org/tracker/CVE-2019-9325

@nh2
Contributor

nh2 commented Dec 1, 2019

> Backports sourced from debian package 1.7.0-3+deb10u1, included in-repo as file is not available on sources.debian.org or salsa.debian.org.

This seems to come from e.g.

https://release.debian.org/proposed-updates/buster_diffs/libvpx_1.7.0-3+deb10u1.debdiff

which I got linked from https://release.debian.org/proposed-updates/stable.html.

@nh2
Contributor

nh2 commented Dec 1, 2019

> That is apparently CVE-2019-9325. See the notes in https://security-tracker.debian.org/tracker/CVE-2019-9325

OK, I've updated the table, it is all clear now.

Contributor

@nh2 nh2 left a comment


I have double-checked that the changes in here are the same as in Debian and that they are intended to fix the 4 CVEs involved.

I have not double-checked whether Debian's changes are sensible or if they are fully equivalent to the upstream (non-backport) commits listed in #60826 (comment)

Staging (stable) automation moved this from Needs review to Ready Dec 1, 2019
@risicle
Contributor Author

risicle commented Dec 1, 2019

Cool thanks ✔️

@andir andir merged commit 36f766f into NixOS:staging-19.09 Dec 13, 2019
Staging (stable) automation moved this from Ready to Done Dec 13, 2019
@nh2 nh2 mentioned this pull request Jan 20, 2020