
libtiff: 4.0.10 -> 4.1.0 #72092

Merged
merged 2 commits into from Nov 9, 2019
@JohnAZoidberg JohnAZoidberg commented Oct 27, 2019

Motivation for this change

https://nvd.nist.gov/vuln/detail/CVE-2019-7663

Vulnerable in unstable, 19.03 and 19.09.

Fixes #57158

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

No maintainer :(

@@ -23,6 +23,11 @@ stdenv.mkDerivation rec {
name = "CVE-2019-6128.patch";
sha256 = "03yvsfq6dxjd3v8ypfwz6cpz2iymqwcbawqqlmkh40dayi7fgizr";
})
(fetchurl {
url = "https://gitlab.com/libtiff/libtiff/commit/802d3cbf3043be5dce5317e140ccb1c17a6a2d39.patch";
name = "CVE-2019-7663";
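Review bot: the `name` on the new fetchurl entry drops the `.patch` suffix while the entry directly above it uses `name = "CVE-2019-6128.patch";`, so the fetched file is named inconsistently with the other patches in the list; use `name = "CVE-2019-7663.patch";` instead. Also confirm that this entry carries a `sha256` like the one on the preceding patch (`sha256 = "03yvsfq6..."`), so the upstream GitLab commit patch is pinned and verified at fetch time rather than fetched unchecked.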
Suggested change
name = "CVE-2019-7663";
name = "CVE-2019-7663.patch";

mmahut commented Oct 27, 2019

This should probably go into staging for mass rebuild.

@FRidh FRidh added this to Ready in Staging Nov 2, 2019
@FRidh FRidh changed the base branch from master to staging November 3, 2019 09:26
@FRidh FRidh moved this from Ready to WIP in Staging Nov 3, 2019
FRidh commented Nov 3, 2019

@JohnAZoidberg you may want to enable "Allow edits from maintainers" as that makes it easier for others to pick up your changes, modify them when needed, and submit them. Of course you do not have to if you do not want to!
https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/allowing-changes-to-a-pull-request-branch-created-from-a-fork

dtzWill commented Nov 5, 2019

Perhaps update to 4.1.0 as well (or instead)? I didn't check whether it contains the fix, but it seems likely :).

@JohnAZoidberg (Member, Author) commented
"Allow edits from maintainers" is enabled, as always by default. Did you try pushing something to my branch and it didn't work?
Sorry for not coming back to this PR.

Yes, 4.1.0 includes all patches. Should we backport the new version?
Skimming through the changelog I don't see any immediately obvious incompatibilities, but I'm not sure about some changes.
So I'd suggest backporting just the patching commit.

@vcunat vcunat self-assigned this Nov 9, 2019
vcunat pushed a commit that referenced this pull request Nov 9, 2019
(cherry picked from commit 5270c3a)
vcunat pushed a commit that referenced this pull request Nov 9, 2019
(cherry picked from commit 5270c3a)
/cc #57158.
Staging automation moved this from WIP to Ready Nov 9, 2019
vcunat added a commit that referenced this pull request Nov 9, 2019
into staging.  This fixes CVE-2019-7663 and incorporates other patches.
@vcunat vcunat merged commit 2223e61 into NixOS:staging Nov 9, 2019
Staging automation moved this from Ready to Done Nov 9, 2019
@JohnAZoidberg JohnAZoidberg deleted the libtiff-CVE-2019-7663 branch November 9, 2019 09:35
hax404 pushed a commit to hax404/nixpkgs that referenced this pull request Nov 13, 2019
@vcunat vcunat changed the title libtiff: Patch CVE-2019-7663 libtiff: 4.0.10 -> 4.1.0 Dec 29, 2019