
pythonPackages.koji: 1.13.0 -> 1.14.3, addressing CVE-2019-17109 #72202

Merged
merged 1 commit into from Nov 4, 2019

Conversation

risicle
Contributor

@risicle risicle commented Oct 28, 2019

Motivation for this change

https://docs.pagure.org/koji/CVE-2019-17109/

Also added missing description, homepage & license - this package hasn't been touched in a long time and I have little clue about it other than what I looked up to fill out the metadata. Why didn't I bump to a newer release like 1.18.1? I assumed it would be more likely to cause breakage and I want to have as little to do to this package as possible.

The only in-tree user of this package is pythonPackages.rpkg, which itself doesn't build at the moment because GitPython-3.0.4 not supported for interpreter python2.7. Though I expect it is just as out of date as this is and could be fixed by someone with more of a clue.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @

@@ -2,12 +2,12 @@

buildPythonPackage rec {
pname = "koji";
version = "1.13.0";
version = "1.14.3";
format = "other";
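Review bot: the bump to 1.14.3 leaves `format = "other";` as is and adds no Python-version gate, yet the review comment below shows `python3Packages.koji` installing a `kojira` script that Python 3.7 cannot parse (`except OSError, e:` is Python 2 only syntax), so add `disabled = !isPy27;` directly after `format = "other";` as the suggested change does. Also, the hunk header announces 12 lines on each side but only the `version` lines are shown here; the fetch hash for the new release tarball does not appear in the visible lines, so confirm it was updated alongside `version`.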
Contributor
still python2 only

Suggested change
format = "other";
format = "other";
disabled = !isPy27;
[nix-shell:~/.cache/nix-review/pr-72202]$ nix-shell --pure -p "with import ./nixpkgs {}; python3Packages.koji"

[nix-shell:~/.cache/nix-review/pr-72202]$ kojira --help
  File "/nix/store/5h0gb4z3614ndgskmyc2j888dd5dkw1d-python3.7-koji-1.14.3/bin/.kojira-wrapped", line 150
    except OSError, e:
                  ^
SyntaxError: invalid syntax
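The failure above is the general Python 2 to 3 trap that a `disabled = !isPy27;` gate exists to prevent: the wrapper script starts fine, then the interpreter refuses to even parse the program body. The following is an added example, not code from koji or nixpkgs, that does the check a reviewer would run before claiming Python 3 support: it parses every script under a directory such as `./result/bin/` with the running interpreter's grammar and reports the first syntax error per file. The directory walk, the shebang heuristic and the two sample sources (a `koji`-like script that parses on Python 3 and a `kojira`-like one with `except OSError, e:`) are assumptions constructed for the example.

```python
"""Check whether installed Python scripts parse under the running interpreter.

Added example for this PR thread, not koji's or nixpkgs' own code. Run it
with the interpreter the package was built for, e.g. python3.7 against
./result/bin/, and it reports files that are Python 2 only (or otherwise
unparseable) before anyone tries to execute them.
"""
import ast
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CompileResult:
    name: str
    ok: bool
    line: Optional[int] = None   # line of the first syntax error, if any
    message: Optional[str] = None


def check_source(name: str, source: str) -> CompileResult:
    """Parse `source` with this interpreter's grammar.

    ast.parse only parses, it does not execute anything, so it is safe to
    run on untrusted package contents. A SyntaxError here means the file is
    not valid for this Python major version at all, which is exactly the
    `except OSError, e:` failure seen with kojira on Python 3.7.
    """
    try:
        ast.parse(source, filename=name)
    except SyntaxError as exc:
        return CompileResult(name, False, exc.lineno, exc.msg)
    return CompileResult(name, True)


def check_all(sources: Dict[str, str]) -> List[CompileResult]:
    return [check_source(name, src) for name, src in sources.items()]


def python_only_failures(results: List[CompileResult]) -> List[CompileResult]:
    """Keep only the files that did not parse."""
    return [r for r in results if not r.ok]


def looks_like_python(name: str, first_line: str) -> bool:
    """Heuristic (an assumption of this example): a .py suffix, or a shebang
    naming python, as Nix-generated wrappers in result/bin do."""
    if name.endswith(".py"):
        return True
    return first_line.startswith("#!") and "python" in first_line


def check_tree(root: str) -> List[CompileResult]:
    """Walk `root` (e.g. ./result/bin) and parse every Python-looking file,
    including the hidden `.name-wrapped` scripts that Nix wrappers call."""
    sources: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable entry (broken symlink etc.), skip it
            first_line = text.split("\n", 1)[0]
            if looks_like_python(fname, first_line):
                sources[path] = text
    return check_all(sources)


# Constructed samples standing in for the two scripts the package installs.
SAMPLES = {
    "koji": (
        "import sys\n"
        "def main():\n"
        "    try:\n"
        "        sys.exit(0)\n"
        "    except OSError as e:\n"   # valid on both 2 and 3
        "        print(e)\n"
    ),
    "kojira": (
        "import os\n"
        "def main():\n"
        "    try:\n"
        "        os.unlink('/tmp/x')\n"
        "    except OSError, e:\n"     # Python 2 only: SyntaxError on 3
        "        print e\n"
    ),
}


if __name__ == "__main__":
    import sys
    results = check_tree(sys.argv[1]) if len(sys.argv) > 1 else check_all(SAMPLES)
    for r in python_only_failures(results):
        print(f"{r.name}:{r.line}: {r.message}")
    sys.exit(1 if python_only_failures(results) else 0)
```

Run without arguments it checks the embedded samples; with a directory argument it checks that tree, so `python3.7 check.py ./result/bin` after building `python3Packages.koji` would have flagged `.kojira-wrapped` on the spot. A non-zero exit makes it usable as a build-time check.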

Contributor Author

Agh.

Contributor Author

Possibly the committer in e1182f0 was made overly optimistic from the koji executable appearing to work in py3k. Fixed.

Addressing CVE-2019-17109

Also added missing description, homepage & license. Re-disabled for py3k
as the kojira executable doesn't seem to be happy with it.
@Ekleog
Member

Ekleog commented Nov 3, 2019

@ofborg build python27Packages.koji python36Packages.koji

@Ekleog
Member

Ekleog commented Nov 4, 2019

LGTM, let's merge! :)

@risicle Could you open backport PRs to 19.03 and 19.09 with git cherry-pick -x, and ping me on them so I could merge? It's a 1.13 -> 1.14 version bump, which is pretty bad, but the CVE looks actually really serious, so unless you feel able to backport just the CVE fix I think it deserves the version bump -- especially as it looks like there is no user of the package in nixpkgs.

@Ekleog Ekleog merged commit 3376fd9 into NixOS:master Nov 4, 2019
dtzWill pushed a commit to dtzWill/nixpkgs that referenced this pull request Nov 4, 2019
pythonPackages.koji: 1.13.0 -> 1.14.3, addressing CVE-2019-17109

(cherry picked from commit 3376fd9)
4 participants