[18.03] gnome3.gdm: fix CVE-2018-14424 #45208

merged 1 commit into from Aug 17, 2018

andir
Member

@andir andir commented Aug 17, 2018

Motivation for this change

This backports the changes done in the 2.28 branch of gdm to address the
issue.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@andir andir requested a review from jtojnar August 17, 2018 07:34
@GrahamcOfBorg GrahamcOfBorg added 6.topic: GNOME GNOME desktop environment and its underlying platform 10.rebuild-darwin: 0 10.rebuild-linux: 11-100 labels Aug 17, 2018
@GrahamcOfBorg

No attempt on x86_64-darwin (full log)

The following builds were skipped because they don't evaluate on x86_64-darwin: gnome3.gdm

Partial log:


a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: gnome3.gdm

Partial log:

shrinking /nix/store/arqbzf0vlcpvqnjzp5bcb28c5iv2jf9q-gdm-3.26.2.1/sbin/gdm
strip is /nix/store/k8b9hqv58dd1z0j4ikak24ykndcm91s6-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/arqbzf0vlcpvqnjzp5bcb28c5iv2jf9q-gdm-3.26.2.1/lib  /nix/store/arqbzf0vlcpvqnjzp5bcb28c5iv2jf9q-gdm-3.26.2.1/libexec  /nix/store/arqbzf0vlcpvqnjzp5bcb28c5iv2jf9q-gdm-3.26.2.1/bin  /nix/store/arqbzf0vlcpvqnjzp5bcb28c5iv2jf9q-gdm-3.26.2.1/sbin
patching script interpreter paths in /nix/store/arqbzf0vlcpvqnjzp5bcb28c5iv2jf9q-gdm-3.26.2.1
/nix/store/arqbzf0vlcpvqnjzp5bcb28c5iv2jf9q-gdm-3.26.2.1/etc/gdm/PreSession/Default: interpreter directive changed from "/bin/sh" to "/nix/store/lw7xaqhakk0i1c631m3cvac3x4lc5gr5-bash-4.4-p12/bin/sh"
/nix/store/arqbzf0vlcpvqnjzp5bcb28c5iv2jf9q-gdm-3.26.2.1/etc/gdm/PostLogin/Default.sample: interpreter directive changed from "/bin/sh" to "/nix/store/lw7xaqhakk0i1c631m3cvac3x4lc5gr5-bash-4.4-p12/bin/sh"
/nix/store/arqbzf0vlcpvqnjzp5bcb28c5iv2jf9q-gdm-3.26.2.1/etc/gdm/PostSession/Default: interpreter directive changed from "/bin/sh" to "/nix/store/lw7xaqhakk0i1c631m3cvac3x4lc5gr5-bash-4.4-p12/bin/sh"
/nix/store/arqbzf0vlcpvqnjzp5bcb28c5iv2jf9q-gdm-3.26.2.1/etc/gdm/Init/Default: interpreter directive changed from "/bin/sh" to "/nix/store/lw7xaqhakk0i1c631m3cvac3x4lc5gr5-bash-4.4-p12/bin/sh"
checking for references to /build in /nix/store/arqbzf0vlcpvqnjzp5bcb28c5iv2jf9q-gdm-3.26.2.1...
moving /nix/store/arqbzf0vlcpvqnjzp5bcb28c5iv2jf9q-gdm-3.26.2.1/sbin/* to /nix/store/arqbzf0vlcpvqnjzp5bcb28c5iv2jf9q-gdm-3.26.2.1/bin

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: gnome3.gdm

Partial log:

strip is /nix/store/hy39vplmzpwckvzxgyhr54dwz0mnfv2p-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/77q764p2qsgbkklrywxfly3xrd56s695-gdm-3.26.2.1/lib  /nix/store/77q764p2qsgbkklrywxfly3xrd56s695-gdm-3.26.2.1/libexec  /nix/store/77q764p2qsgbkklrywxfly3xrd56s695-gdm-3.26.2.1/bin  /nix/store/77q764p2qsgbkklrywxfly3xrd56s695-gdm-3.26.2.1/sbin
patching script interpreter paths in /nix/store/77q764p2qsgbkklrywxfly3xrd56s695-gdm-3.26.2.1
/nix/store/77q764p2qsgbkklrywxfly3xrd56s695-gdm-3.26.2.1/etc/gdm/PostSession/Default: interpreter directive changed from "/bin/sh" to "/nix/store/i7pgaclm3qrcm9gpqxb5mbw9wsn7prd0-bash-4.4-p12/bin/sh"
/nix/store/77q764p2qsgbkklrywxfly3xrd56s695-gdm-3.26.2.1/etc/gdm/PreSession/Default: interpreter directive changed from "/bin/sh" to "/nix/store/i7pgaclm3qrcm9gpqxb5mbw9wsn7prd0-bash-4.4-p12/bin/sh"
/nix/store/77q764p2qsgbkklrywxfly3xrd56s695-gdm-3.26.2.1/etc/gdm/PostLogin/Default.sample: interpreter directive changed from "/bin/sh" to "/nix/store/i7pgaclm3qrcm9gpqxb5mbw9wsn7prd0-bash-4.4-p12/bin/sh"
/nix/store/77q764p2qsgbkklrywxfly3xrd56s695-gdm-3.26.2.1/etc/gdm/Init/Default: interpreter directive changed from "/bin/sh" to "/nix/store/i7pgaclm3qrcm9gpqxb5mbw9wsn7prd0-bash-4.4-p12/bin/sh"
checking for references to /build in /nix/store/77q764p2qsgbkklrywxfly3xrd56s695-gdm-3.26.2.1...
moving /nix/store/77q764p2qsgbkklrywxfly3xrd56s695-gdm-3.26.2.1/sbin/* to /nix/store/77q764p2qsgbkklrywxfly3xrd56s695-gdm-3.26.2.1/bin
/nix/store/77q764p2qsgbkklrywxfly3xrd56s695-gdm-3.26.2.1

@jtojnar
Contributor

jtojnar commented Aug 17, 2018

@GrahamcOfBorg test gnome3-gdm

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: tests.gnome3-gdm

Partial log:

machine: exit status 1
syncing
machine: running command: sync
machine: exit status 0
test script finished in 38.38s
cleaning up
killing machine (pid 596)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/build/vde1.ctl': Directory not empty
/nix/store/jkhkpzyz8zxn4rrysgx1g3lmnkaxq80v-vm-test-run-gnome3-gdm

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: tests.gnome3-gdm

Partial log:

machine: exit status 1
syncing
machine: running command: sync
machine: exit status 0
test script finished in 72.06s
cleaning up
killing machine (pid 627)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/build/vde1.ctl': Directory not empty
/nix/store/gjiyn280j6mxvf2nmhb3a1mq49v715r2-vm-test-run-gnome3-gdm

@andir andir merged commit 4af590e into NixOS:release-18.03 Aug 17, 2018
@andir andir deleted the 18.03/gdm branch August 17, 2018 09:02