Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

graphviz: fix CVE-2018-10196 #47229

Merged
merged 1 commit into from Jan 21, 2019
Merged

graphviz: fix CVE-2018-10196 #47229

merged 1 commit into from Jan 21, 2019

Conversation

symphorien
Copy link
Member

Motivation for this change

#47122
please backport to staging-18.09

Also I replaced an occurrence of overrideDerivation as advised by https://nixos.org/nixpkgs/manual/#sec-pkg-overrideDerivation

cc @bjornfor @7c6f434c as maintainers.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/) -> only dot and vimdot
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@7c6f434c
Copy link
Member

@GrahamcOfBorg build graphviz

@vcunat
Copy link
Member

vcunat commented Sep 23, 2018

It's weird that there's been basically no reaction to the patch upstream for months.

@GrahamcOfBorg
Copy link

Timed out, unknown build status on x86_64-darwin (full log)

Attempted: graphviz

Partial log (click to expand)

cannot build derivation '/nix/store/8ddrllvw09590zxwak6x43wcksn32p3r-cairo-1.15.12.drv': 20 dependencies couldn't be built
cannot build derivation '/nix/store/mbars76jn4h976a81bwlryyhzjqq6mr2-absolute_gir_path.patch.drv': 3 dependencies couldn't be built
cannot build derivation '/nix/store/n5z8nigvh2g2chnnyl93s2ka4vhr98k1-harfbuzz-1.8.8.drv': 8 dependencies couldn't be built
cannot build derivation '/nix/store/g8fidggr77w7kh23z2nsb2ybi9dnj8dr-mesa-noglu-18.1.8.drv': 32 dependencies couldn't be built
cannot build derivation '/nix/store/w39ccryqc4fpkij5l43iyhsck6d7zd1a-gobject-introspection-1.56.0.drv': 12 dependencies couldn't be built
cannot build derivation '/nix/store/2babdbf7glsdn1z65hji1z502mv8rfc7-libGL-1.0.0.drv': 5 dependencies couldn't be built
cannot build derivation '/nix/store/jr9yi34javdmvpfkyl4r8v6l5p6s97q6-libdevil-1.7.8.drv': 12 dependencies couldn't be built
cannot build derivation '/nix/store/mhbnmf9ai6kcjnjyqw73dq7jd2ykk9ip-pango-1.42.4.drv': 16 dependencies couldn't be built
cannot build derivation '/nix/store/q1yb0c1pzjg6l3addfwcrqzb9gni2m0g-graphviz-2.40.1.drv': 22 dependencies couldn't be built
error: build of '/nix/store/q1yb0c1pzjg6l3addfwcrqzb9gni2m0g-graphviz-2.40.1.drv' failed

@GrahamcOfBorg
Copy link

Timed out, unknown build status on x86_64-linux (full log)

Attempted: graphviz

Partial log (click to expand)

building of '/nix/store/5z9al7m2dpbhhx8gai5hs5hwcqjdv2b3-mesa-noglu-18.1.8.drv' timed out after 3600 seconds
cannot build derivation '/nix/store/90q0dfhlwm0d7zinhmbgmg5r2wa93632-libGL-1.0.0.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/7a8a8xnvbfzbvzbsiaisnargiqgbxmyf-cairo-1.15.12.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/x6kpfbpcc7kabimrdwg8bqg7is7dj0z2-libdevil-1.7.8.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/0gybd7zp2dizp412hymzy2fwvffpm6md-absolute_gir_path.patch.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/nv3z4mmspq3h511kbs4svcb1718dbvc5-harfbuzz-1.8.8.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/rh09mzmc1sj7092kz2hfxmc36ixja0qz-gobject-introspection-1.56.0.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/5bl22sj0b01jnr859940a6w21vp83cjw-pango-1.42.4.drv': 3 dependencies couldn't be built
cannot build derivation '/nix/store/98n4d5w2hgk64jhc64jhb3naqn5vym5g-graphviz-2.40.1.drv': 2 dependencies couldn't be built
error: build of '/nix/store/98n4d5w2hgk64jhc64jhb3naqn5vym5g-graphviz-2.40.1.drv' failed

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: graphviz

Partial log (click to expand)

gzipping man pages under /nix/store/mm58zwigx3crn0rlllnm5yzclm7k3pyz-graphviz-2.40.1/share/man/
strip is /nix/store/842p712rvbhidp5bzvd5q9dkjpxrnhid-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/mm58zwigx3crn0rlllnm5yzclm7k3pyz-graphviz-2.40.1/lib  /nix/store/mm58zwigx3crn0rlllnm5yzclm7k3pyz-graphviz-2.40.1/bin
patching script interpreter paths in /nix/store/mm58zwigx3crn0rlllnm5yzclm7k3pyz-graphviz-2.40.1
/nix/store/mm58zwigx3crn0rlllnm5yzclm7k3pyz-graphviz-2.40.1/bin/gvmap.sh: interpreter directive changed from "/bin/sh" to "/nix/store/1lgzhz3pk4g6219lrbjhh9bsrkz5cp83-bash-4.4-p23/bin/sh"
/nix/store/mm58zwigx3crn0rlllnm5yzclm7k3pyz-graphviz-2.40.1/bin/dotty: interpreter directive changed from "/bin/sh" to "/nix/store/1lgzhz3pk4g6219lrbjhh9bsrkz5cp83-bash-4.4-p23/bin/sh"
/nix/store/mm58zwigx3crn0rlllnm5yzclm7k3pyz-graphviz-2.40.1/bin/lneato: interpreter directive changed from "/bin/sh" to "/nix/store/1lgzhz3pk4g6219lrbjhh9bsrkz5cp83-bash-4.4-p23/bin/sh"
/nix/store/mm58zwigx3crn0rlllnm5yzclm7k3pyz-graphviz-2.40.1/bin/vimdot: interpreter directive changed from "/bin/sh" to "/nix/store/1lgzhz3pk4g6219lrbjhh9bsrkz5cp83-bash-4.4-p23/bin/sh"
checking for references to /build in /nix/store/mm58zwigx3crn0rlllnm5yzclm7k3pyz-graphviz-2.40.1...
/nix/store/mm58zwigx3crn0rlllnm5yzclm7k3pyz-graphviz-2.40.1

@7c6f434c
Copy link
Member

PRs seem to get processed in the project, though. Not sure what is the most reasonable way to handle this… Asking the original submitter if it is OK to submit a PR with them as commit author?

@7c6f434c
Copy link
Member

@GrahamcOfBorg build graphviz

@7c6f434c 7c6f434c merged commit 0e0dd94 into NixOS:staging Jan 21, 2019
@7c6f434c
Copy link
Member

Large dependencies create a problem on ofBorg, but it succeeded in the past…

@symphorien symphorien deleted the CVE-2018-10196 branch May 18, 2019 16:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
1.severity: security 10.rebuild-darwin: 101-500 10.rebuild-linux: 501+
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@symphorien @7c6f434c @vcunat @GrahamcOfBorg @c0bw3b