[20.03] systemd: apply patch for CVE-2020-13776 #91048
Conversation
@GrahamcOfBorg test systemd
Let's add the passthru tests:
diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index 3235fb3b95c..3cf62261bd9 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -7,6 +7,7 @@
, gettext, docbook_xsl, docbook_xml_dtd_42, docbook_xml_dtd_45
, ninja, meson, python3Packages, glibcLocales
, patchelf
+, nixosTests
, substituteAll
, getent
, buildPackages
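Review bot: `nixosTests` is added to the argument list next to build-time tools such as `patchelf` and `substituteAll`, although it is only consumed in `passthru.tests` and never enters the build; that is acceptable because `passthru` is evaluated lazily, so referencing `nixosTests.systemd` (a test that itself builds systemd) does not create an evaluation cycle. Since this PR targets the 20.03 branch, confirm that the `callPackage` site for systemd on that branch actually supplies `nixosTests`, otherwise evaluation of the package will fail with a missing-argument error.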
@@ -295,7 +296,12 @@ in stdenv.mkDerivation {
# in a backwards-incompatible way. If the interface version of two
# systemd builds is the same, then we can switch between them at
# runtime; otherwise we can't and we need to reboot.
- passthru.interfaceVersion = 2;
+ passthru = {
+ interfaceVersion = 2;
+ tests = {
+ main = nixosTests.systemd;
+ };
+ };
meta = with stdenv.lib; {
homepage = "https://www.freedesktop.org/wiki/Software/systemd/";
[Edit]: my bad, this is on 20.03 ><
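Review bot: the comment explaining `interfaceVersion` (the lines ending "otherwise we can't and we need to reboot.") now sits above the whole `passthru = { ... }` set rather than directly above `interfaceVersion = 2;`; move it inside the set, next to that attribute, so it stays attached to what it documents. The value remains `2`, so the hunk changes no switch-to-configuration behaviour; `tests.main = nixosTests.systemd;` only wires the existing NixOS test into `passthru.tests`.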
Let's do this for master, but if systemd fails to build in stable, we should notice :-)
LGTM
Don't we want to include systemd/systemd#16033 as well? (see this thread for context)
While I agree this is probably desirable, it's 9 patches, and some don't apply cleanly on our 243.7 (which is unfortunately what we have in stable, and they don't seem to be backported to the systemd-stable/v243-stable branch, as it's too old). Would you be up to creating such a patchset? I'd need to further dig if the patch inside this PR is enough to fix CVE-2020-13776, or if we need to backport more fixes. On the other hand, I'm wondering how other stable distros with older systemd versions handle this. Do they just always bump to the most recent major version, or do they maintain a patchset?
I dug into this patchset. CVE-2020-13776 is fixed by
The second systemd PR I linked in my previous post refactors the various integer parsers. While it's not mitigating any CVE, it mitigates some potential bugs with +-prefixed uids (which are not supposed to be valid as per the POSIX specification).
That's a good question, I have no idea, let's have a look. Debian, Fedora and Archlinux are targeting github/systemd/systemd-stable.
Debian:
Arch:
Fedora:
This repo is supposed to contain the necessary backports for 245.x. This particular CVE hasn't been backported to systemd-stable though. Debian, Fedora and Arch are still subject to CVE-2020-13776. That being said, overall, I think we should start following systemd-stable in place of systemd, at least for NixOS stable. Let's merge this PR first though.
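The comment above distinguishes the CVE fix from the follow-up parser refactoring that rejects "+"-prefixed uids. The following C snippet is an added illustration, not code from systemd or from this PR: it contrasts a lenient numeric-uid parse (`strtoul` with base 0, which silently accepts sign prefixes, leading whitespace, octal and `0x` hex forms) with a strict decimal-only parse of the kind the refactoring aims for. The function names and the choice to also refuse the reserved values 65535 and 4294967295 are this example's own assumptions, made because both are conventionally invalid account ids; the page itself does not list which values systemd treats as invalid.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Lenient parse (illustrative, assumed): strtoul with base 0 accepts
 * " 5", "+5", "010" (octal) and "0x10" (hex) as numeric uids.
 * Returns 0 and stores the uid, or a negative errno. */
static int parse_uid_lenient(const char *s, uint32_t *out) {
    char *end;
    errno = 0;
    unsigned long v = strtoul(s, &end, 0);
    if (errno != 0 || end == s || *end != '\0' || v > UINT32_MAX)
        return -EINVAL;
    *out = (uint32_t) v;
    return 0;
}

/* Strict parse (illustrative, assumed): only ASCII decimal digits,
 * no sign, no whitespace, no leading zero unless the value is "0",
 * no overflow past uint32_t, and the conventionally reserved ids
 * 65535 and 4294967295 are refused. */
static int parse_uid_strict(const char *s, uint32_t *out) {
    if (!s || *s == '\0')
        return -EINVAL;
    if (*s == '+' || *s == '-')           /* POSIX uids carry no sign */
        return -EINVAL;
    if (s[0] == '0' && s[1] != '\0')      /* rejects "010" and "0x10" */
        return -EINVAL;

    uint64_t v = 0;
    for (const char *p = s; *p; p++) {
        if (*p < '0' || *p > '9')         /* whitespace, hex digits, etc. */
            return -EINVAL;
        v = v * 10 + (uint64_t) (*p - '0');
        if (v > UINT32_MAX)
            return -ERANGE;
    }
    if (v == UINT32_MAX || v == 0xFFFF)   /* reserved, never a real account */
        return -ENXIO;
    *out = (uint32_t) v;
    return 0;
}

/* Convenience wrappers: the uid as a non-negative value, or -errno. */
int64_t lenient_uid_or_error(const char *s) {
    uint32_t u;
    int r = parse_uid_lenient(s, &u);
    return r < 0 ? (int64_t) r : (int64_t) u;
}

int64_t strict_uid_or_error(const char *s) {
    uint32_t u;
    int r = parse_uid_strict(s, &u);
    return r < 0 ? (int64_t) r : (int64_t) u;
}

int main(void) {
    /* Constructed sample inputs covering the cases discussed above. */
    const char *samples[] = { "1000", "0", "+1000", " 1000", "0x10", "010",
                              "65535", "4294967295", "4294967296", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s lenient=%lld strict=%lld\n", samples[i],
               (long long) lenient_uid_or_error(samples[i]),
               (long long) strict_uid_or_error(samples[i]));
    return 0;
}
```

Running the block prints both results side by side; the lenient column shows `+1000`, ` 1000`, `0x10` and `010` all resolving to some uid, while the strict column refuses every one of them and only accepts plain decimal strings.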
Thanks for the digging! I'll poke upstream to do a new point release. Edit: done at systemd/systemd-stable#70
Agreed, let's merge this into
@NixOS/nixos-release-managers, @vcunat, can you take care of piping this through the staging process? |
Fixes #90982.
Motivation for this change
https://nvd.nist.gov/vuln/detail/CVE-2020-13776
Things done
- Tested using sandboxing (`sandbox` in `nix.conf` on non-NixOS linux)
- Tested compilation of all pkgs that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review wip"`
- Tested execution of all binary files (usually in `./result/bin/`)
- Determined the impact on package closure size (by running `nix path-info -S` before and after)