Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pythonPackages.koji: 1.13.0 -> 1.14.3, addressing CVE-2019-17109 #72202

Merged
merged 1 commit into from
Nov 4, 2019
Merged

pythonPackages.koji: 1.13.0 -> 1.14.3, addressing CVE-2019-17109 #72202

merged 1 commit into from
Nov 4, 2019
+7 −5

Conversation

risicle
Copy link
Contributor

@risicle risicle commented Oct 28, 2019

Motivation for this change

https://docs.pagure.org/koji/CVE-2019-17109/

Also added missing description, homepage & license - this package hasn't been touched in a long time and I have little clue about it other than what I looked up to fill out the metadata. Why didn't I bump to a newer release like 1.18.1? I assumed it would be more likely to cause breakage and I want to have as little to do to this package as possible.

The only in-tree user of this package is pythonPackages.rpkg, which itself doesn't build at the moment because GitPython-3.0.4 not supported for interpreter python2.7. Though I expect it is just as out of date as this is and could be fixed by someone with more of a clue.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @

Sorry, something went wrong.

jonringer
jonringer reviewed Oct 29, 2019
View reviewed changes
pkgs/development/python-modules/koji/default.nix
@@ -2,12 +2,12 @@

buildPythonPackage rec {
pname = "koji";
version = "1.13.0";
version = "1.14.3";
format = "other";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

still python2 only

Suggested change
format = "other";
format = "other";
disabled = !isPy27; 
[nix-shell:~/.cache/nix-review/pr-72202]$ nix-shell --pure -p "with import ./nixpkgs {}; python3Packages.koji"

[nix-shell:~/.cache/nix-review/pr-72202]$ kojira --help
  File "/nix/store/5h0gb4z3614ndgskmyc2j888dd5dkw1d-python3.7-koji-1.14.3/bin/.kojira-wrapped", line 150
    except OSError, e:
                  ^
SyntaxError: invalid syntax

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agh.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Possibly the committer in e1182f0 was made overly optimistic from the koji executable appearing to work in py3k. Fixed.

@veprbl veprbl added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Oct 29, 2019
@risicle
pythonPackages.koji: 1.13.0 -> 1.14.3 (security)
605a7b3 
Addressing CVE-2019-17109

Also added missing description, homepage & license. Re-disabled for py3k
as the kojira executable doesn't seem to be happy with it.
@Ekleog
Copy link
Member

Ekleog commented Nov 3, 2019

@ofborg build python27Packages.koji python36Packages.koji

@Ekleog
Copy link
Member

Ekleog commented Nov 4, 2019

LGTM, let's merge! :)

@risicle Could you open backport PRs to 19.03 and 19.09 with git cherry-pick -x, and ping me on them so I could merge? It's a 1.13 -> 1.14 version bump, which is pretty bad, but the CVE looks actually really serious, so unless you feel able to backport just the CVE fix I think it deserves the version bump -- especially as it looks like there is no user of the package in nixpkgs.

@Ekleog Ekleog merged commit 3376fd9 into NixOS:master Nov 4, 2019
dtzWill pushed a commit to dtzWill/nixpkgs that referenced this pull request Nov 4, 2019
@Ekleog @dtzWill
Merge pull request NixOS#72202 from risicle/ris-koji-1.14.3

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
9d1c0fd 
pythonPackages.koji: 1.13.0 -> 1.14.3, addressing CVE-2019-17109

(cherry picked from commit 3376fd9)
This was referenced Nov 4, 2019
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jonringer jonringer

@FRidh FRidh

Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 6.topic: python 8.has: clean-up 10.rebuild-darwin: 1-10 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@risicle @Ekleog @jonringer @veprbl