Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libtiff: 4.0.10 -> 4.1.0 #72092

Merged
merged 2 commits into from
Nov 9, 2019
Merged

libtiff: 4.0.10 -> 4.1.0 #72092

merged 2 commits into from
Nov 9, 2019
+2 −396

Conversation

JohnAZoidberg
Copy link
Member

@JohnAZoidberg JohnAZoidberg commented Oct 27, 2019
edited
Loading

Motivation for this change

https://nvd.nist.gov/vuln/detail/CVE-2019-7663

vulnerable in unstable, 19.03 and 19.09

Fixes #57158

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

No maintainer :(

Sorry, something went wrong.

@JohnAZoidberg JohnAZoidberg mentioned this pull request Oct 27, 2019
Closed
2 tasks
@mmahut mmahut added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Oct 27, 2019
mmahut
mmahut reviewed Oct 27, 2019
View reviewed changes
pkgs/development/libraries/libtiff/default.nix Outdated
@@ -23,6 +23,11 @@ stdenv.mkDerivation rec {
name = "CVE-2019-6128.patch";
sha256 = "03yvsfq6dxjd3v8ypfwz6cpz2iymqwcbawqqlmkh40dayi7fgizr";
})
(fetchurl {
url = "https://gitlab.com/libtiff/libtiff/commit/802d3cbf3043be5dce5317e140ccb1c17a6a2d39.patch";
name = "CVE-2019-7663";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
name = "CVE-2019-7663";
name = "CVE-2019-7663.patch";

@mmahut
Copy link
Member

mmahut commented Oct 27, 2019

This should probably go into staging for mass rebuild.

@FRidh FRidh changed the base branch from master to staging November 3, 2019 09:26
@FRidh
Copy link
Member

FRidh commented Nov 3, 2019

@JohnAZoidberg you may want to enable "Allow edits from maintainers" as that makes it easier for others to pick up your changes, modify them when needed, and submit them. Of course you do not have to if you do not want to!
https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/allowing-changes-to-a-pull-request-branch-created-from-a-fork

@dtzWill
Copy link
Member

dtzWill commented Nov 5, 2019

Perhaps update to 4.1.0 as well (instead?)? Didn't check if contains fix but seems likely :).

@JohnAZoidberg
Copy link
Member Author

"Allow edits from maintainers" is enabled, like always by default. Did you try pushing something to my branch and it didn't work?
Sorry not coming back to this PR.

Yes, 4.1.0 includes all patches. Should we backport the new version?
Skimming through the changelog I don't see any immediately obvious incompatibilities but I'm not sure about some changes.
So I'd suggest to backport just the patching commit.

@vcunat vcunat self-assigned this Nov 9, 2019
vcunat pushed a commit that referenced this pull request Nov 9, 2019
@JohnAZoidberg @vcunat
libtiff: Patch CVE-2019-7663 (PR #72092)
01b70ef 
(cherry picked from commit 5270c3a)
vcunat pushed a commit that referenced this pull request Nov 9, 2019
@JohnAZoidberg @vcunat
libtiff: Patch CVE-2019-7663 (PR #72092)
38539ba 
(cherry picked from commit 5270c3a)
/cc #57158.
vcunat added a commit that referenced this pull request Nov 9, 2019
@vcunat
Merge #72092: libtiff: 4.0.10 -> 4.1.0 (security)
f364708 
into staging.  This fixes CVE-2019-7663 and incorporates other patches.
@vcunat vcunat merged commit 2223e61 into NixOS:staging Nov 9, 2019
@JohnAZoidberg JohnAZoidberg deleted the libtiff-CVE-2019-7663 branch November 9, 2019 09:35
hax404 pushed a commit to hax404/nixpkgs that referenced this pull request Nov 13, 2019
@JohnAZoidberg @hax404
libtiff: Patch CVE-2019-7663 (PR NixOS#72092)
92ffb5e 
(cherry picked from commit 5270c3a)
@vcunat vcunat changed the title libtiff: Patch CVE-2019-7663 libtiff: 4.0.10 -> 4.1.0 Dec 29, 2019
@vcunat vcunat mentioned this pull request Dec 29, 2019
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mmahut mmahut

@vcunat vcunat

Assignees

@vcunat vcunat

Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 10.rebuild-darwin: 501+ 10.rebuild-darwin: 1001-2500 10.rebuild-linux: 501+ 10.rebuild-linux: 5001+
Projects
Staging
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@JohnAZoidberg @mmahut @FRidh @dtzWill @vcunat