Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[20.03] qemu: patch CVE-2020-1711 #91093

Merged
merged 1 commit into from Jun 29, 2020
Merged

[20.03] qemu: patch CVE-2020-1711 #91093

merged 1 commit into from Jun 29, 2020

Conversation

ckauhaus
Copy link
Contributor

Motivation for this change

This is a high profile risk identified in #88387 and a patch is readily available. So we should fix this one first.

No action required on nixos-unstable.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions Ubuntu
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests) qemu used in any test; ran tests/login.nix to verify
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@ckauhaus ckauhaus requested review from risicle and ajs124 June 19, 2020 09:58
@ofborg ofborg bot requested a review from edolstra June 19, 2020 10:06
@ajs124
Copy link
Member

ajs124 commented Jun 19, 2020

Wrong branch? Shouldn't this go to release-20.03?

@risicle
Copy link
Contributor

risicle commented Jun 19, 2020

nix-review seems happy for me on macos 10.14, patch looks a-ok too

@ckauhaus
Copy link
Contributor Author

@ajs124 oops... rebasing

@ckauhaus ckauhaus force-pushed the 88387-fix-qemu-CVE-2020-1711 branch from 693bcd5 to f9fd435 Compare June 23, 2020 09:15
@ckauhaus ckauhaus changed the base branch from nixos-20.03 to release-20.03 June 23, 2020 09:16
@ckauhaus
Copy link
Contributor Author

another try :)

jonringer
jonringer reviewed Jun 28, 2020
View reviewed changes
pkgs/applications/virtualization/qemu/default.nix
@@ -84,6 +84,11 @@ stdenv.mkDerivation rec {
stripLen = 1;
extraPrefix = "slirp/";
})
(fetchpatch {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do you mind adding a reason, and timeline for removing the patch?

Suggested change
(fetchpatch {
# fixes x,y,z . Can be removed next minor/patch.
(fetchpatch {

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i guess the patch name mentions the CVE

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, overlooked your comment. Patch will be obsolete in 4.2.1, just FTR.

@srhb srhb merged commit 17e83aa into NixOS:release-20.03 Jun 29, 2020
@ckauhaus ckauhaus deleted the 88387-fix-qemu-CVE-2020-1711 branch July 3, 2020 10:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ajs124 ajs124 ajs124 approved these changes

@dasJ dasJ dasJ approved these changes

@jonringer jonringer jonringer approved these changes

@risicle risicle Awaiting requested review from risicle

@edolstra edolstra Awaiting requested review from edolstra

@FRidh FRidh Awaiting requested review from FRidh

Assignees
No one assigned
Labels
1.severity: security 10.rebuild-darwin: 11-100 10.rebuild-linux: 11-100
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@ckauhaus @ajs124 @risicle @dasJ @jonringer @mmilata @srhb