[r19.09] musl: 1.1.2x -> 1.1.24 (security) #73758

Merged
merged 1 commit into from Dec 7, 2019

d-goldin
Contributor

@d-goldin d-goldin commented Nov 19, 2019

Motivation for this change

I think it's worth considering backporting this fix for 19.09 too, as it's rated as critical.
Addresses: #73668

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @dtzWill

@ofborg ofborg bot requested a review from thoughtpolice November 19, 2019 14:07
@d-goldin d-goldin changed the title musl: 1.1.2x -> 1.1.24 [r19.09] musl: 1.1.2x -> 1.1.24 (security) Nov 19, 2019
@fpletz fpletz added this to the 19.09 milestone Nov 21, 2019
Contributor

@nh2 nh2 left a comment

nix-review is happy with this:

[58 built, 1735 copied (9701.9 MiB), 1176.3 MiB DL]
https://github.com/NixOS/nixpkgs/pull/73758
1 package are marked as broken and were skipped:
nix-exec

50 package were build:
bundix busybox-sandbox-shell cabal2nix cachix common-updater-scripts crystal2nix dep2nix discover disnix disnixos fusionInventory gnome3.gnome-packagekit gnome3.gnome-software simple-scan go2nix haskellPackages.cachix haskellPackages.nix-paths hydra lispPackages.quicklisp-to-nix lispPackages.quicklisp-to-nix-system-info lorri musl nix nix-bundle nix-du nix-index nix-pin nix-plugins nix-prefetch nix-prefetch-bzr nix-prefetch-cvs nix-prefetch-docker nix-prefetch-git nix-prefetch-hg nix-prefetch-scripts nix-prefetch-svn nix-review nix-serve nix-update-source nixFlakes nixUnstable nixos-generators nixui packagekit packagekit-qt pypi2nix python37Packages.nixpkgs python37Packages.pythonix vgo2nix vulnix

@fpletz fpletz self-assigned this Nov 21, 2019
https://www.openwall.com/lists/musl/2019/10/13/5

Apparently 1.1.23 never made it to nixpkgs proper (?!), see:
https://git.musl-libc.org/cgit/musl/commit/?id=b07d45eb01e900f0176894fdedab62285f5cb8be

(sorry I apparently dropped the ball here)

(cherry picked from commit 1263a71)
@fpletz
Member

fpletz commented Nov 21, 2019

Cherry-picked with -x (see section in the nixpkgs manual) onto recent release-19.09 and force pushed.

@fpletz fpletz requested a review from dtzWill November 21, 2019 01:27
@fpletz
Member

fpletz commented Nov 21, 2019

Currently checking if some of the pkgsStatic package set still works. @dtzWill should have the final say if we can safely backport this.

Member

@dtzWill dtzWill left a comment

LGTM, thanks for backporting!

I'm unaware of anything other than fixes and improvements in this set of upgrades, I think it's safe. And well motivated by the security fix.

@d-goldin
Contributor Author

d-goldin commented Dec 3, 2019

@dtzWill: Well, there was pretty much zero effort of "backporting", just noticed that this could be useful for 19.09 too, that's all. Thanks for taking a look!

@fpletz fpletz merged commit 7823b4a into NixOS:release-19.09 Dec 7, 2019
@d-goldin d-goldin deleted the backport_musl_bump branch December 7, 2019 20:23