Comparing changes

base repository: NixOS/nixpkgs
base: e758436f9868
head repository: NixOS/nixpkgs
compare: 02dbdcddcd30
  • 13 commits
  • 14 files changed
  • 3 contributors
Commits on Oct 2, 2019

  1. gnupatch: rename patch files to match their CVE ids.

    This should be a behavior no-op, but it helps vulnix figure out that we
    are up to date regarding security patches.
    
    (cherry picked from commit 2242bb8)
    delroth committed Oct 2, 2019, commit 41f6a49
  2. libtiff: patch for CVE-2019-6128, CVE-2019-14973

    CVE-2019-14973.patch is a manual backport of the upstream patch to
    work around some minor merge conflicts.
    
    (cherry picked from commit a2e1da7)
    delroth committed Oct 2, 2019, commit b7eac27
  3. gst-plugins-base,gst_all_1.gst-plugins-base: apply patch for CVE-2019-9928
    
    Refactor the patchPhase management for the package along the way to
    something more standard.
    
    (Cherry pick from 97e4a11 with an extra
    version of the package to patch in 19.03.)
    delroth committed Oct 2, 2019, commit 061663a
  4. glibc: patch CVE-2018-11236, CVE-2018-11237

    Patches have been imported into nixpkgs and manually edited to avoid
    merge conflicts on ChangeLog / NEWS files.
    
    (cherry picked from commit 17be09a)
    delroth committed Oct 2, 2019, commit 2aae1c9

Commits on Oct 12, 2019

  1. 1a62ef4
  2. curl: apply upstream security patch

    Partially fixes #70084.  Cherry-picked from 19.09's 22b5bbf.
    vcunat committed Oct 12, 2019, commit 8350d25

Commits on Oct 13, 2019

  1. poppler_0_61: add patch for CVE-2019-9959

    custom adapted patch to accommodate the openjpeg1/openjpeg2 split that
    0.61 still has
    
    (cherry picked from commit e6889d4)
    risicle authored and vcunat committed Oct 13, 2019, commit 7240f2f
  2. Merge #70278: libtiff: patch for CVE-2019-6128, CVE-2019-14973

    ...into staging-19.03
    vcunat committed Oct 13, 2019, commit 57bd5f1
  3. Merge #70273: gnupatch: rename patch files to match their CVE ids

    ...into staging-19.03
    vcunat committed Oct 13, 2019, commit 7585be8
  4. Merge #70285: *gst-plugins-base: patch CVE-2019-9928

    ...into staging-19.03
    vcunat committed Oct 13, 2019, commit 139e21b
  5. poppler: add patch for CVE-2019-9959 (PR #71046)

    (cherry picked from commit 3fa2864)
    risicle authored and vcunat committed Oct 13, 2019, commit 3475116
  6. 72d36be

Commits on Oct 14, 2019

  1. Merge branch 'staging-19.03' into release-19.03 (security)

    Only x86_64-linux has managed to finish rebuilding so far
    https://hydra.nixos.org/eval/1548583
    but I think that's a sufficient trade-off, given that regressions
    should be very unlikely.
    vcunat committed Oct 14, 2019, commit 02dbdcd
146 changes: 146 additions & 0 deletions pkgs/development/libraries/glibc/CVE-2018-11236.patch
@@ -0,0 +1,146 @@
From 5460617d1567657621107d895ee2dd83bc1f88f2 Mon Sep 17 00:00:00 2001
From: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Tue, 8 May 2018 18:12:41 -0700
Subject: [PATCH] Fix BZ 22786: integer addition overflow may cause stack
buffer overflow when realpath() input length is close to SSIZE_MAX.

2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com>

[BZ #22786]
* stdlib/canonicalize.c (__realpath): Fix overflow in path length
computation.
* stdlib/Makefile (test-bz22786): New test.
* stdlib/test-bz22786.c: New test.
---
ChangeLog | 8 +++++
stdlib/Makefile | 2 +-
stdlib/canonicalize.c | 2 +-
stdlib/test-bz22786.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 100 insertions(+), 2 deletions(-)
create mode 100644 stdlib/test-bz22786.c

diff --git a/stdlib/Makefile b/stdlib/Makefile
index af1643c..1ddb1f9 100644
--- a/stdlib/Makefile
+++ b/stdlib/Makefile
@@ -84,7 +84,7 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \
tst-cxa_atexit tst-on_exit test-atexit-race \
test-at_quick_exit-race test-cxa_atexit-race \
test-on_exit-race test-dlclose-exit-race \
- tst-makecontext-align
+ tst-makecontext-align test-bz22786

tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \
tst-tls-atexit tst-tls-atexit-nodelete
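Review bot: registering test-bz22786 in `tests` is the only Makefile change, but the test source further down includes <support/test-driver.h>, <libc-diag.h> and <support/test-driver.c>; when this patch is vendored into nixpkgs against the 19.03 glibc, confirm that glibc version ships the support/ test framework and libc-diag.h, otherwise this one test fails to build and takes the whole stdlib test target with it even though the canonicalize.c fix itself applies cleanly. A comment on the `test-bz22786` entry noting that it needs to allocate INT_MAX + 1 bytes (the test returns EXIT_UNSUPPORTED rather than failing when malloc cannot satisfy that) would also save the next reader a trip into the source.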
diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
index 4135f3f..390fb43 100644
--- a/stdlib/canonicalize.c
+++ b/stdlib/canonicalize.c
@@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved)
extra_buf = __alloca (path_max);

len = strlen (end);
- if ((long int) (n + len) >= path_max)
+ if (path_max - n <= len)
{
__set_errno (ENAMETOOLONG);
goto error;
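Review bot: the rewritten condition `if (path_max - n <= len)` is only safe under the invariant n < path_max (n being the bytes of resolved path already written into a buffer of path_max bytes); if n and len are unsigned types, `path_max - n` wraps when n >= path_max and the ENAMETOOLONG check is silently skipped. The invariant does hold as long as the destination pointer stays inside the path_max-sized result buffer, but a one-line comment stating it, and why the subtraction cannot underflow, would help, because the old form at least made the intent obvious. Dropping the `(long int)` cast is the real fix: that cast is what turned a `n + len` sum near SSIZE_MAX into a negative value that passed the `>= path_max` test and let the subsequent copy overrun the buffer.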
diff --git a/stdlib/test-bz22786.c b/stdlib/test-bz22786.c
new file mode 100644
index 0000000..e7837f9
--- /dev/null
+++ b/stdlib/test-bz22786.c
@@ -0,0 +1,90 @@
+/* Bug 22786: test for buffer overflow in realpath.
+ Copyright (C) 2018 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+/* This file must be run from within a directory called "stdlib". */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <support/test-driver.h>
+#include <libc-diag.h>
+
+static int
+do_test (void)
+{
+ const char dir[] = "bz22786";
+ const char lnk[] = "bz22786/symlink";
+
+ rmdir (dir);
+ if (mkdir (dir, 0755) != 0 && errno != EEXIST)
+ {
+ printf ("mkdir %s: %m\n", dir);
+ return EXIT_FAILURE;
+ }
+ if (symlink (".", lnk) != 0 && errno != EEXIST)
+ {
+ printf ("symlink (%s, %s): %m\n", dir, lnk);
+ return EXIT_FAILURE;
+ }
+
+ const size_t path_len = (size_t) INT_MAX + 1;
+
+ DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (7, 0)
+ /* GCC 7 warns about too-large allocations; here we need such
+ allocation to succeed for the test to work. */
+ DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
+#endif
+ char *path = malloc (path_len);
+ DIAG_POP_NEEDS_COMMENT;
+
+ if (path == NULL)
+ {
+ printf ("malloc (%zu): %m\n", path_len);
+ return EXIT_UNSUPPORTED;
+ }
+
+ /* Construct very long path = "bz22786/symlink/aaaa....." */
+ char *p = mempcpy (path, lnk, sizeof (lnk) - 1);
+ *(p++) = '/';
+ memset (p, 'a', path_len - (path - p) - 2);
+ p[path_len - (path - p) - 1] = '\0';
+
+ /* This call crashes before the fix for bz22786 on 32-bit platforms. */
+ p = realpath (path, NULL);
+
+ if (p != NULL || errno != ENAMETOOLONG)
+ {
+ printf ("realpath: %s (%m)", p);
+ return EXIT_FAILURE;
+ }
+
+ /* Cleanup. */
+ unlink (lnk);
+ rmdir (dir);
+
+ return 0;
+}
+
+#define TEST_FUNCTION do_test
+#include <support/test-driver.c>
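Review bot: the length arithmetic in the path construction is wrong. After `mempcpy` (15 bytes of "bz22786/symlink") and the `'/'`, p points 16 bytes past path, so `path - p` is -16 and `path_len - (path - p) - 2` evaluates (after the unsigned conversion) to path_len + 14 rather than the path_len - 18 bytes that actually remain; `memset` therefore writes about 30 bytes past the end of the malloc'd buffer, and the terminating store `p[path_len - (path - p) - 1] = '\0'` lands outside it as well. Swap the operands so the remaining length is computed from p - path: `memset (p, 'a', path_len - (p - path) - 1);` and `p[path_len - (p - path) - 1] = '\0';`, which fills up to path[path_len - 2] and terminates at path[path_len - 1]. Two smaller points in the failure branch: `printf ("realpath: %s (%m)", p)` hands a possibly NULL p to %s and lacks a trailing newline, and errno is only meaningful when p == NULL, so check the two conditions separately and print `p == NULL ? "(null)" : p`.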
--
2.9.3

55 changes: 55 additions & 0 deletions pkgs/development/libraries/glibc/CVE-2018-11237.patch
@@ -0,0 +1,55 @@
From f51c8367685dc888a02f7304c729ed5277904aff Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@suse.de>
Date: Thu, 24 May 2018 14:39:18 +0200
Subject: [PATCH] Don't write beyond destination in
__mempcpy_avx512_no_vzeroupper (bug 23196)

When compiled as mempcpy, the return value is the end of the destination
buffer, thus it cannot be used to refer to the start of it.

(cherry picked from commit 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e)
---
ChangeLog | 9 +++++++++
NEWS | 7 +++++++
string/test-mempcpy.c | 1 +
sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++--
4 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
index c08fba8..d98ecdd 100644
--- a/string/test-mempcpy.c
+++ b/string/test-mempcpy.c
@@ -18,6 +18,7 @@
<http://www.gnu.org/licenses/>. */

#define MEMCPY_RESULT(dst, len) (dst) + (len)
+#define MIN_PAGE_SIZE 131072
#define TEST_MAIN
#define TEST_NAME "mempcpy"
#include "test-string.h"
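Review bot: the hunk gives no reason for `#define MIN_PAGE_SIZE 131072`; add a comment that it is there so test-string.h allocates buffers large enough to reach the large-copy path (L(preloop_large) and the non-temporal store loop in memmove-avx512-no-vzeroupper.S) that the next hunk fixes. Without that comment a future cleanup can drop the define and the test will silently stop exercising the bug while still passing.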
diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
index 23c0f7a..effc3ac 100644
--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
@@ -336,6 +336,7 @@ L(preloop_large):
vmovups (%rsi), %zmm4
vmovups 0x40(%rsi), %zmm5

+ mov %rdi, %r11
/* Align destination for access with non-temporal stores in the loop. */
mov %rdi, %r8
and $-0x80, %rdi
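Review bot: saving the unaligned destination in %r11 before `and $-0x80, %rdi` is the right fix for the mempcpy build, but this hunk does not show the body of L(gobble_256bytes_nt_loop); confirm nothing between this `mov %rdi, %r11` and the stores after the loop clobbers %r11 (the visible lines use %rdi, %rsi, %rdx and %r8, and %r11 is a caller-saved scratch register, so a clobber would not be caught by the ABI). A short comment next to the mov saying why %rax cannot be used here (for mempcpy %rax already holds dst + len, per the commit message) would document the fix in the code rather than only in the log.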
@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
cmp $256, %rdx
ja L(gobble_256bytes_nt_loop)
sfence
- vmovups %zmm4, (%rax)
- vmovups %zmm5, 0x40(%rax)
+ vmovups %zmm4, (%r11)
+ vmovups %zmm5, 0x40(%r11)
jmp L(check)

L(preloop_large_bkw):
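Review bot: replacing `(%rax)` with `(%r11)` in the two trailing `vmovups` correctly stores the first 128 bytes of the source at the start of the destination instead of at dst + len in the mempcpy variant. However, the label `L(preloop_large_bkw)` immediately after the hunk suggests a mirrored backward-copy path that this patch does not touch; check whether it also stores through an address derived from %rax and, if so, whether that path is reachable from mempcpy, or state in the commit message why it is unaffected.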
--
2.9.3

5 changes: 5 additions & 0 deletions pkgs/development/libraries/glibc/common.nix
@@ -92,6 +92,11 @@ stdenv.mkDerivation ({
url = "https://salsa.debian.org/glibc-team/glibc/raw/49767c9f7de4828220b691b29de0baf60d8a54ec/debian/patches/localedata/locale-C.diff";
sha256 = "0irj60hs2i91ilwg5w7sqrxb695c93xg0ik7yhhq9irprd7fidn4";
})

# https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5460617d1567657621107d895ee2dd83bc1f88f2
./CVE-2018-11236.patch
# https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f51c8367685dc888a02f7304c729ed5277904aff
./CVE-2018-11237.patch
]
++ lib.optional stdenv.isx86_64 ./fix-x64-abi.patch
++ lib.optional stdenv.hostPlatform.isMusl ./fix-rpc-types-musl-conflicts.patch
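Review bot: the comments pointing at the upstream sourceware commits are good, but the vendored patches still carry the upstream diffstats listing ChangeLog (and NEWS for CVE-2018-11237) even though those hunks were removed (the commit message says they were stripped to avoid merge conflicts). Trim the diffstat lines or say in the comment here that the patches are trimmed, so a later comparison against upstream does not look like a mis-applied patch. Also worth a word: the CVE-2018-11237 fix only affects the x86_64 AVX-512 memmove in sysdeps/x86_64/multiarch, yet it is listed unconditionally next to the `lib.optional stdenv.isx86_64` entry; that is harmless, since the `.S` file is only built on x86_64, but the contrast invites the question.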
5 changes: 5 additions & 0 deletions pkgs/development/libraries/gstreamer/base/default.nix
@@ -66,5 +66,10 @@ stdenv.mkDerivation rec {
sha256 = "07x43xis0sr0hfchf36ap0cibx0lkfpqyszb3r3w9dzz301fk04z";
})
./fix_pkgconfig_includedir.patch
(fetchurl {
url = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/commit/f672277509705c4034bc92a141eefee4524d15aa.patch";
name = "CVE-2019-9928.patch";
sha256 = "0hz3lsq3ppmaf329sbyi05y1qniqfj9vlp2f3z918383pvrcms4i";
})
];
}
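Review bot: fetching the CVE-2019-9928 fix from the GitLab commit `.patch` endpoint with a pinned sha256 is fine, since any change in GitLab's patch rendering surfaces as a hash mismatch rather than a silently different patch. But exactly the same fetchurl (same URL, name and hash) is duplicated in the other gst-plugins-base derivation in this change; lift it into a shared file or a `let` binding so the two copies cannot drift, and consider a one-line comment describing what the CVE fixes, as the glibc entries in this same change do.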
Original file line number Diff line number Diff line change
@@ -18,11 +18,18 @@ stdenv.mkDerivation rec {
sha256 = "0jp6hjlra98cnkal4n6bdmr577q8mcyp3c08s3a02c4hjhw5rr0z";
};

patchPhase = ''
patches = [
./gcc-4.9.patch
(fetchurl {
url = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/commit/f672277509705c4034bc92a141eefee4524d15aa.patch";
name = "CVE-2019-9928.patch";
sha256 = "0hz3lsq3ppmaf329sbyi05y1qniqfj9vlp2f3z918383pvrcms4i";
})
];

postPatch = ''
sed -i 's@/bin/echo@echo@g' configure
sed -i -e 's/^ /\t/' docs/{libs,plugins}/Makefile.in
patch -p1 < ${./gcc-4.9.patch}
'';

outputs = [ "out" "dev" ];
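Review bot: moving from an overriding `patchPhase` to `patches` plus `postPatch` changes the order of operations: gcc-4.9.patch and the CVE patch are now applied by the standard patch phase before the two `sed` edits run, whereas before the seds ran first and `patch -p1 < ${./gcc-4.9.patch}` last. That is fine as long as gcc-4.9.patch does not touch configure or docs/{libs,plugins}/Makefile.in; please confirm. The rendering here has lost the +/- markers, so if the `patch -p1 < ${./gcc-4.9.patch}` line at the end of postPatch is the old removed line this is complete, but if it survived alongside `./gcc-4.9.patch` in `patches`, the same patch is applied twice and the second application fails.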