[19.09] file: fix download url for CVE-2019-18218 #78479

Merged
merged 1 commit into from
Jan 26, 2020

Member

@veprbl veprbl commented Jan 25, 2020

Motivation for this change

This unbreaks the build of file for users who don't rely on cache.nixos.org.

Things done
```
# cat test.nix
with import <nixpkgs> {};

{
  a = (fetchpatch {
    name = "CVE-2019-18218.patch";
    urls = [
      "https://release.debian.org/proposed-updates/stretch_diffs/file_5.30-1+deb9u3.debdiff"
    ];
    sha256 = "1i22y91yndc3n2p2ngczp1lwil8l05sp8ciicil74xrc5f91y6mj";
  });

  b = (fetchpatch {
    name = "CVE-2019-18218.patch";
    urls = [
      "https://git.in-ulm.de/cbiedl/file/raw/054940e842528dca434a92820f9abb89adce0574/debian/patches/cherry-pick.FILE5_37-67-g46a8443f.limit-the-number-of-elements-in-a-vector-found-by-oss-fuzz.patch"
    ];
    sha256 = "1i22y91yndc3n2p2ngczp1lwil8l05sp8ciicil74xrc5f91y6mj";
  });

  c = (fetchpatch {
    name = "CVE-2019-18218.patch";
    urls = [
      "https://sources.debian.org/data/main/f/file/1:5.35-4+deb10u1/debian/patches/cherry-pick.FILE5_37-67-g46a8443f.limit-the-number-of-elements-in-a-vector-found-by-oss-fuzz.patch"
    ];
    sha256 = "1i22y91yndc3n2p2ngczp1lwil8l05sp8ciicil74xrc5f91y6mj";
  });
}
# nix-build test.nix -A a --check
checking outputs of '/nix/store/f4y4akrw8dggkg092ryhddyhq2a0vd3k-CVE-2019-18218.patch.drv'...

trying https://release.debian.org/proposed-updates/stretch_diffs/file_5.30-1+deb9u3.debdiff
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3598  100  3598    0     0  21289      0 --:--:-- --:--:-- --:--:-- 21289
warning: rewriting hashes in '/nix/store/j681fm0gcmpvnfc5syjv23jsqhj3lfcn-CVE-2019-18218.patch'; cross fingers
/nix/store/j681fm0gcmpvnfc5syjv23jsqhj3lfcn-CVE-2019-18218.patch
# nix-build test.nix -A b --check
checking outputs of '/nix/store/6j23k0qzziz3pwrh1fhlba9vh1vs4lk5-CVE-2019-18218.patch.drv'...

trying https://git.in-ulm.de/cbiedl/file/raw/054940e842528dca434a92820f9abb89adce0574/debian/patches/cherry-pick.FILE5_37-67-g46a8443f.limit-the-number-of-elements-in-a-vector-found-by-oss-fuzz.patch
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1056  100  1056    0     0   1889      0 --:--:-- --:--:-- --:--:--  1889
warning: rewriting hashes in '/nix/store/j681fm0gcmpvnfc5syjv23jsqhj3lfcn-CVE-2019-18218.patch'; cross fingers
/nix/store/j681fm0gcmpvnfc5syjv23jsqhj3lfcn-CVE-2019-18218.patch
# nix-build test.nix -A c --check
checking outputs of '/nix/store/aawwb6x40bpfhff529s9lnf2x621k79b-CVE-2019-18218.patch.drv'...

trying https://sources.debian.org/data/main/f/file/1:5.35-4+deb10u1/debian/patches/cherry-pick.FILE5_37-67-g46a8443f.limit-the-number-of-elements-in-a-vector-found-by-oss-fuzz.patch
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1056  100  1056    0     0   2687      0 --:--:-- --:--:-- --:--:--  2693
warning: rewriting hashes in '/nix/store/j681fm0gcmpvnfc5syjv23jsqhj3lfcn-CVE-2019-18218.patch'; cross fingers
/nix/store/j681fm0gcmpvnfc5syjv23jsqhj3lfcn-CVE-2019-18218.patch
```

@veprbl veprbl mentioned this pull request Jan 25, 2020
10 tasks
@ofborg ofborg bot added the labels "10.rebuild-darwin: 0" (This PR does not cause any packages to rebuild on Darwin) and "10.rebuild-linux: 0" (This PR does not cause any packages to rebuild on Linux) Jan 25, 2020
Contributor

@nh2 nh2 left a comment

Beyond the one comment about 1 of the 3 URLs being likely accidentally wrong, this change looks good to merge to me.

Verified

This commit was signed with the committer’s verified signature.
veprbl Dmitry Kalinkin
@veprbl veprbl force-pushed the pr/CVE-2019-18218_url_fix branch from 92c9bd4 to 5c39e8c Compare January 26, 2020 16:21
@nh2 nh2 merged commit 5e97c6f into NixOS:release-19.09 Jan 26, 2020
veprbl added a commit that referenced this pull request Jan 26, 2020

(cherry picked from commit 5c39e8c)

cc #78479
@veprbl veprbl deleted the pr/CVE-2019-18218_url_fix branch January 26, 2020 22:18
@veprbl veprbl restored the pr/CVE-2019-18218_url_fix branch December 1, 2020 16:53
@veprbl veprbl deleted the pr/CVE-2019-18218_url_fix branch December 1, 2020 17:01