unzip: CVE-2019-13232 #71401
Conversation
Of course you could've just built unzip, nvm :)
I did not claim to have built all dependent packages.
Please rebase the changes on top of staging, force push, and change the base branch to staging. I would like to avoid a situation where people building against master have to build 100s of packages to continue developing.
Force-pushed from 6b663e1 to 4d33b41
Done! Thanks for the suggestion.
@GrahamcOfBorg eval
I think we can give it a try again. I would prefer to keep this not for the upcoming staging-next iteration but the one after, given the size already of the upcoming staging-next iteration.
I (also) tested the problematic packages. I don't expect significant regressions now.
Motivation for this change
Another try at fixing this CVE after #64909 was reverted in #65393.
Fixes #64663 #70129
Things done
- `sandbox` in `nix.conf` (on non-NixOS)
- `nix-shell -p nix-review --run "nix-review wip"`
- `./result/bin/`
- `nix path-info -S` (before and after)

I manually tested extraction of Lua packages and Firefox ESR 60's `browser/omni.ja` file, which previously yielded "zip bomb" false positives. I never did a PR to such an essential package, so all your help is welcome :)