
libvorbis: document that patch for CVE-2017-14160 also fixes CVE-2018-10393. #82552

Merged
merged 1 commit into from Mar 18, 2020

Conversation

danderson (Contributor) commented Mar 14, 2020

Fixes #57159

Motivation for this change

Helping tools figure out that CVE-2018-10393 is patched.

cc @andir as requested

@@ -12,6 +12,7 @@ stdenv.mkDerivation rec {

patches = [
(fetchpatch {
# Also fixes CVE-2018-10393.
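Review bot: the `# Also fixes CVE-2018-10393.` comment on the fetchpatch call documents the second CVE only in the Nix expression, which is not what vulnix reads; the review below points out that vulnix checks the instantiated derivation, where the comment does not survive, so the second CVE should also be in the patch's name, using the canonical "CVE-2017-14160+CVE-2018-10393.patch" form. Since renaming the patch changes the derivation and causes a mass rebuild of dependents, the PR then belongs on staging rather than master.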
Member:

It's better to put all CVEs in the patch name so it's detected by tools like vulnix and https://broken.sh.

Member:

At the very least, Vulnix only checks the instantiated derivation, not the expression.

Contributor (Author):

Done, switched to the canonical "CVE...+CVE..." filename format.

Contributor:

After this we need to switch the PR to staging though because the name change is a mass rebuild.

Contributor:

After this we need to switch the PR to staging though because the name change is a mass rebuild.

I've done this now.
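A simplified version of the patch-name check that the thread attributes to vulnix and broken.sh, added here as an example; it is not code from this pull request, from nixpkgs, or from vulnix. It assumes the function names shown, a made-up store hash, and that the patch was named "CVE-2017-14160.patch" before this change (the page does not show the original name). It shows why the `# Also fixes` comment alone is invisible to such a scanner: only the patch name survives into the store path of the instantiated derivation, so only CVE ids in the name count as fixed.

```python
import re
from typing import Iterable, Set

# A CVE identifier as it appears in a nixpkgs patch file name: four-digit
# year, then a sequence of at least four digits.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def cves_from_patch_name(name: str) -> Set[str]:
    """Return every CVE id spelled out in a patch name or store path.

    Handles the canonical nixpkgs form "CVE-2017-14160+CVE-2018-10393.patch",
    single-CVE names, and full store paths such as
    "/nix/store/<hash>-CVE-2017-14160.patch" (fetchpatch's `name` becomes the
    suffix of the store path, so the same regex works on either).
    """
    return {m.upper() for m in CVE_RE.findall(name)}


def cves_fixed(patch_names: Iterable[str]) -> Set[str]:
    """Union of CVE ids over all patches applied by a derivation."""
    fixed: Set[str] = set()
    for name in patch_names:
        fixed |= cves_from_patch_name(name)
    return fixed


def unpatched(advisories: Iterable[str], patch_names: Iterable[str]) -> Set[str]:
    """Advisories that no applied patch claims to fix, judged by name only."""
    return {a.upper() for a in advisories} - cves_fixed(patch_names)


# Constructed sample data. The two CVE ids are the ones discussed in the PR;
# the store hash is fake and the "before" patch name is an assumption about
# how the patch was named prior to this change.
ADVISORIES = ["CVE-2017-14160", "CVE-2018-10393"]

PATCHES_BEFORE = [
    # Only the first CVE is in the name. The "# Also fixes CVE-2018-10393."
    # comment lives in the Nix expression and never reaches the .drv, so a
    # scanner reading the instantiated derivation cannot see it.
    "/nix/store/00000000000000000000000000000000-CVE-2017-14160.patch",
]

PATCHES_AFTER = [
    # Canonical "CVE...+CVE..." form from the review: both ids survive into
    # the store path, so both are visible to the scanner.
    "/nix/store/00000000000000000000000000000000-CVE-2017-14160+CVE-2018-10393.patch",
]


if __name__ == "__main__":
    print("before:", sorted(unpatched(ADVISORIES, PATCHES_BEFORE)))  # ['CVE-2018-10393']
    print("after: ", sorted(unpatched(ADVISORIES, PATCHES_AFTER)))   # []
```

The check is deliberately name-based: it cannot tell whether a patch actually fixes what its name claims, which is exactly why nixpkgs wants every CVE a patch addresses spelled out in the name rather than in a comment.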

…-10393.

Fixes NixOS#57159.

Signed-off-by: David Anderson <dave@natulte.net>
Issue closed by this pull request:
Vulnerability roundup 63: libvorbis-1.3.6: 1 advisory
3 participants