[20.09] mutt: fix for CVE-2021-3181 #110692
@@ -40,6 +40,8 @@ stdenv.mkDerivation rec { | |||
url = "https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a.patch"; | |||
sha256 = "117mm757yj4k4cb9f1cmc9p0dqmi2mf92qsxvi8a794b9kdj5m2z"; | |||
}) | |||
# CVE-2021-3181 | |||
./CVE-2021-3181.patch |
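Review bot: the new entry at the end of this hunk adds `./CVE-2021-3181.patch` as a file checked into the nixpkgs tree, while the entry just above it fetches its patch with `fetchpatch` from an upstream commit URL plus a `sha256`. Fetching the CVE-2021-3181 fix the same way keeps the patch traceable to its upstream commit and avoids carrying a copy of it in the repository.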
Can you use fetchpatch instead of pulling the file into nixpkgs? See the line just above.
Sure. It is 3 commits though, all 3 referenced by the CVE.
Thank you for opening a PR, however I think we should wait for the CVE evaluation before backporting this: I'm not even sure this is the only commit that needs to be backported. I could try asking the maintainers in the meantime.
Force-pushed from b20d244 to 72a720d.
I thought so. I didn't expect this to get merged, I just wanted to have a go at it and thought might as well also upload it. I'll set this to draft but I can close it if there's no reason to keep it.
@tu-maurice: I asked in the #mutt IRC channel and they told me only the first patch is needed to fix the CVE. The second should probably not be backported and the third is unrelated.
Force-pushed from 72a720d to 83a11ea.
Alright, first patch only. Here you go. 😄
There is a hash mismatch for the patch... look at the log.
@rnhmjoj No idea what was downloaded in this log, but even repeatedly downloading and checking the patch provides me with the hash I specified in the commit. Maybe ofborg received something else? Like an error page?
No, I'm getting the same hash as ofBorg's. Can you share the result of fetchpatch, for comparison?
Force-pushed from 83a11ea to ed5e212.
The difference was that fetchpatch removes unnecessary lines from the patch while nix-prefetch-url, which I used to get the hash initially, does not. I was able to build mutt successfully on my machine because fetchpatch did not download and alter the patch again because there already was an entry in my nix store with that hash provided by nix-prefetch-url. That obviously did not work for ofborg or you.
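To illustrate the pitfall described above, here is an added example (not the PR's diff) of the `patches` list written the way the reviewer asked for, with the CVE fix fetched through `fetchpatch` rather than checked in. The upstream commit id and the normalized hash of the CVE-2021-3181 patch are not given on this page, so both are placeholders; the first entry is the existing one from the hunk.

```nix
# Added illustration, not the PR's own code. Assumes the mutt derivation's
# `patches` attribute and that `fetchpatch` and `lib` are in scope.
patches = [
  # Existing entry from the hunk: fetched from upstream and hashed after
  # fetchpatch's normalization.
  (fetchpatch {
    url = "https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a.patch";
    sha256 = "117mm757yj4k4cb9f1cmc9p0dqmi2mf92qsxvi8a794b9kdj5m2z";
  })
  # CVE-2021-3181: placeholder commit id, the page does not give it.
  (fetchpatch {
    name = "CVE-2021-3181.patch";
    url = "https://gitlab.com/muttmua/mutt/-/commit/<UPSTREAM-COMMIT-ID>.patch";
    # Do not take this value from nix-prefetch-url: fetchpatch strips
    # per-commit metadata lines before hashing, so the two hashes differ and
    # a nix-prefetch-url hash only "works" while the raw download is cached
    # in the local store. Build once with the fake hash and copy the
    # "got:" value from the hash-mismatch error into sha256.
    sha256 = lib.fakeSha256;
  })
];
```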
Oh yeah, that's a common pitfall with Looks good to go.
Thank you!
Motivation for this change
In #110449 CVE-2021-3181 was addressed for unstable, however the consensus seems to be that we cannot update mutt from 1.14.7 to 2.0.5 on release-20.09 due to breaking changes in version 2, and thus have to backport the patches.
I realized the patches referenced in the CVE apply rather cleanly to the 1.14.7 sources as well. It builds without errors and the resulting binary starts. However, I am not a mutt user, just a guy with a little spare time. So I would require the maintainer @rnhmjoj and other users of mutt to try this out before merging.
Things done
Tested using sandboxing (sandbox in nix.conf on non-NixOS linux)
Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
Tested execution of all binary files (usually in ./result/bin/)
Determined the impact on package closure size (by running nix path-info -S before and after)