cryptopp: 8.2.0 -> 8.4.0 #110555

Merged
merged 2 commits into from Jan 25, 2021

LeSuisse
Contributor

Motivation for this change

Fixes CVE-2019-14318.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@LeSuisse
Contributor Author

The build of the dependent package scylladb seems to fail; it does not look like this is caused by this upgrade.

Result of nixpkgs-review run on x86_64-linux 1

2 packages marked as broken and skipped:
  • libsForQt512.plasma-vault
  • ring-daemon
1 package failed to build:
  • scylladb
10 packages built:
  • amule
  • amuleDaemon
  • amuleGui
  • cryfs
  • cryptopp
  • plasma-vault (libsForQt5.plasma-vault)
  • libsForQt514.plasma-vault
  • megacmd
  • megasync
  • rockbox_utility
builder for '/nix/store/j5fwyrn4nahjw7wgqwhdqdpybjncsgmf-scylladb-3.0.5.drv' failed with exit code 1; last 10 log lines:
  [67/69] CXX build/release/core/reactor.o
  [68/69] AR build/release/libseastar.a
  [69/69] LINK build/release/apps/iotune/iotune
  FAILED: build/release/apps/iotune/iotune 
  g++  -O2 -O3 --param inline-unit-growth=300 -I/build/scylla-403f66e/seastar/build/release/gen -I/build/scylla-403f66e/seastar/build/release/c-ares -Lbuild/release -Lbuild/release/fmt/fmt -g -Wl,--no-as-needed   -fvisibility=hidden  -pthread  -o build/release/apps/iotune/iotune build/release/apps/iotune/iotune.o build/release/core/reactor.o build/release/core/alien.o build/release/core/execution_stage.o build/release/core/systemwide_memory_barrier.o build/release/core/fstream.o build/release/core/posix.o build/release/core/memory.o build/release/core/resource.o build/release/core/scollectd.o build/release/core/metrics.o build/release/core/app-template.o build/release/core/thread.o build/release/core/dpdk_rte.o build/release/core/fsqual.o build/release/core/linux-aio.o build/release/util/conversions.o build/release/util/program-options.o build/release/util/log.o build/release/util/backtrace.o build/release/util/alloc_failure_injector.o build/release/net/packet.o build/release/net/posix-stack.o build/release/net/net.o build/release/net/stack.o build/release/net/inet_address.o build/release/rpc/rpc.o build/release/rpc/lz4_compressor.o build/release/core/exception_hacks.o build/release/core/future-util.o -lboost_program_options -lboost_system -lboost_filesystem -lstdc++ -lm -lstdc++fs -lboost_thread -lcryptopp -lrt -lgnutls -lgnutlsxx -llz4 -lprotobuf -ldl -lgcc_s -latomic  -lyaml-cpp -lcares-seastar -lfmt  
  /nix/store/wcz8lsibkw2nikdb0bjl22p75lfwahzr-binutils-2.35.1/bin/ld: /nix/store/i5fb1l0nal2y3wqs1y8shinsizwk38x2-libyaml-cpp-0.6.3/lib/libyaml-cpp.so: undefined reference to `std::__cxx11::basic_stringstream<char, std::char_traits<char>, std::allocator<char> >::basic_stringstream()@GLIBCXX_3.4.26'
  /nix/store/wcz8lsibkw2nikdb0bjl22p75lfwahzr-binutils-2.35.1/bin/ld: /nix/store/gyfj5zxp1iymjmvmcxaf49hl6srplv0p-boost-1.69.0/lib/libboost_thread.so: undefined reference to `std::__cxx11::basic_ostringstream<char, std::char_traits<char>, std::allocator<char> >::basic_ostringstream()@GLIBCXX_3.4.26'
  collect2: error: ld returned 1 exit status
  ninja: build stopped: subcommand failed.
  ninja: build stopped: subcommand failed.

It looks like the issue is caused by a change in Boost which is unrelated to this change as far as I can see. Should we mark the scylladb package as broken?

@SuperSandro2000
Member

> It looks like the issue is caused by a change in Boost which is unrelated to this change as far as I can see. Should we mark the scylladb package as broken?

Broken on master for a long time, too. Feel free to mark it broken.

@SuperSandro2000
Member

This is a semi-automatically executed nixpkgs-review which is checked by a human on a best-effort basis and does not build all packages (e.g. lumo, tensorflow or pytorch).
If you have any questions or problems please reach out to SuperSandro2000 on IRC.

Result of nixpkgs-review pr 110555 run on x86_64-darwin 1

3 packages marked as broken and skipped:
  • amule
  • amuleDaemon
  • amuleGui
1 package built:
  • cryptopp

@SuperSandro2000
Member

This is a semi-automatically executed nixpkgs-review which is checked by a human on a best-effort basis and does not build all packages (e.g. lumo, tensorflow or pytorch).
If you have any questions or problems please reach out to SuperSandro2000 on IRC.

Result of nixpkgs-review pr 110555 run on x86_64-linux 1

2 packages marked as broken and skipped:
  • libsForQt512.plasma-vault
  • ring-daemon
10 packages built:
  • amule
  • amuleDaemon
  • amuleGui
  • cryfs
  • cryptopp
  • libsForQt5.plasma-vault (libsForQt515.plasma-vault ,plasma5Packages.plasma-vault)
  • libsForQt514.plasma-vault
  • megacmd
  • megasync
  • rockbox_utility

The following issues got detected with the above build packages.
Please fix at least the ones listed with your changed packages:

megasync:

Please consider this feature to be alpha.

A substituteInPlace with an unmatched pattern got detected:

substituteStream(): WARNING: pattern '/bin/bash' doesn't match anything in file 'src/MEGASync/mega/contrib/build_pdfium/build.sh'
substituteStream(): WARNING: pattern '/bin/bash' doesn't match anything in file 'src/MEGASync/mega/contrib/build_ffmpeg/ffmpeg/build_minimum.sh'
substituteStream(): WARNING: pattern '/bin/bash' doesn't match anything in file 'src/MEGASync/mega/contrib/clang-analyzer.sh'
substituteStream(): WARNING: pattern '/bin/bash' doesn't match anything in file 'src/MEGASync/mega/clean.sh'
substituteStream(): WARNING: pattern '/bin/bash' doesn't match anything in file 'src/MEGASync/mega/autogen.sh'
substituteStream(): WARNING: pattern '/bin/bash' doesn't match anything in file 'src/MEGASync/mega/bindings/ios/3rdparty/build-webrtc.sh'
substituteStream(): WARNING: pattern '/bin/bash' doesn't match anything in file 'src/MEGASync/mega/bindings/ios/3rdparty/build-openssl.sh'
substituteStream(): WARNING: pattern '/bin/bash' doesn't match anything in file 'src/MEGASync/mega/bindings/ios/3rdparty/build-mediainfolib.sh'
substituteStream(): WARNING: pattern '/bin/bash' doesn't match anything in file 'src/MEGASync/mega/bindings/ios/3rdparty/build-libwebsockets.sh'
substituteStream(): WARNING: pattern '/bin/bash' doesn't match anything in file 'src/MEGASync/mega/bindings/ios/3rdparty/build-libuv.sh'
substituteStream(): WARNING: pattern '/bin/bash' doesn't match anything in file 'src/MEGASync/mega/bindings/ios/3rdparty/build-libsodium.sh'
substituteStream(): WARNING: pattern '/bin/bash' doesn't match anything in file 'src/MEGASync/mega/bindings/ios/3rdparty/build-curl.sh'
substituteStream(): WARNING: pattern '/bin/bash' doesn't match anything in file 'src/MEGASync/mega/bindings/ios/3rdparty/build-cryptopp.sh'
substituteStream(): WARNING: pattern '/bin/bash' doesn't match anything in file 'src/MEGASync/mega/bindings/ios/3rdparty/build-cares.sh'
substituteStream(): WARNING: pattern '/bin/bash' doesn't match anything in file 'src/MEGASync/mega/bindings/ios/3rdparty/build-all.sh'

Please check the offending substituteInPlace for typos or changes in source.

@dotlambda added the "9.needs: port to stable" label (A PR needs a backport to the stable release.) Jan 25, 2021
Member

@dotlambda dotlambda left a comment

Please put the scylladb change in a separate commit.

@LeSuisse
Contributor Author

Done, thanks for the review @dotlambda.

@dotlambda
Member

The docker-compose commit shouldn't be here.

The package does not build due to changes in Boost.
@LeSuisse
Contributor Author

Sorry about that :/

@dotlambda dotlambda merged commit 67fabbc into NixOS:master Jan 25, 2021
@dotlambda
Member

@LeSuisse Will you do the PR for 20.09?

@LeSuisse
Contributor Author

Yes I'm going to open it.

@LeSuisse LeSuisse deleted the cryptopp-8.4.0 branch January 25, 2021 16:39
@erictapen erictapen mentioned this pull request Jan 27, 2021
@erictapen
Member

@LeSuisse Are you sure that this fixes CVE-2019-14318? The release notes and this comment read like the vuln was actually reintroduced in 8.4.0, which might still be better than before, according to the committer.

I guess it's still good to have the newest version on unstable, I'll just vouch to revert the backport then, as it also broke a few packages.

Also pinging the maintainer here: @c0bw3b

@LeSuisse
Contributor Author

It looks like you are right. I got confused by the release notes (and it's not very common to voluntarily re-introduce a vulnerability).

@TredwellGit removed the "9.needs: port to stable" label (A PR needs a backport to the stable release.) Aug 20, 2021
@TredwellGit added the "8.has: port to stable" label (A PR already has a backport to the stable release.) Aug 20, 2021