Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nghttp2: backport fix for CVE-2018-1000168 [18.03] #42888

Merged
merged 1 commit into from Jul 10, 2018
Merged

nghttp2: backport fix for CVE-2018-1000168 [18.03] #42888

merged 1 commit into from Jul 10, 2018

Conversation

symphorien
Copy link
Member

backports commit nghttp2/nghttp2@b1bd603

This fixes CVE-2018-1000168 according to
https://security-tracker.debian.org/tracker/CVE-2018-1000168
cc #42883

I dropped the test part of the patch because the expression has doCheck = false.

The patch is copied into nixpkgs because fetchpatch depends on nghttp2 via curl which creates a circular dependency.

I only tested compilation of nghttp2 and curl.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@Mic92
Copy link
Member

Mic92 commented Jul 3, 2018

@GrahamcOfBorg eval

@xeji
Copy link
Contributor

xeji commented Jul 5, 2018

@GrahamcOfBorg eval

@xeji
Copy link
Contributor

xeji commented Jul 9, 2018

@GrahamcOfBorg build nghttp2

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: nghttp2

Partial log (click to expand)

stripping (with command strip and flags -S) in /nix/store/06ykli3dm798jxxsw9fqaj4yg2752656-nghttp2-1.24.0-dev/lib
patching script interpreter paths in /nix/store/06ykli3dm798jxxsw9fqaj4yg2752656-nghttp2-1.24.0-dev
checking for references to /build in /nix/store/06ykli3dm798jxxsw9fqaj4yg2752656-nghttp2-1.24.0-dev...
shrinking RPATHs of ELF executables and libraries in /nix/store/66vm9qzpynmlysi410rnz1l544pf9mxy-nghttp2-1.24.0-lib
shrinking /nix/store/66vm9qzpynmlysi410rnz1l544pf9mxy-nghttp2-1.24.0-lib/lib/libnghttp2.so.14.13.3
strip is /nix/store/ppn001bfygzlqx4h50n9zgxc3kqv2d6k-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/66vm9qzpynmlysi410rnz1l544pf9mxy-nghttp2-1.24.0-lib/lib
patching script interpreter paths in /nix/store/66vm9qzpynmlysi410rnz1l544pf9mxy-nghttp2-1.24.0-lib
checking for references to /build in /nix/store/66vm9qzpynmlysi410rnz1l544pf9mxy-nghttp2-1.24.0-lib...
/nix/store/3216cki4wjl7gmgapvxyw943ax9nx39c-nghttp2-1.24.0-bin

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: nghttp2

Partial log (click to expand)

strip is /nix/store/b0zlxla7dmy1iwc3g459rjznx59797xy-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/0k7g6vg48ik9sqkib4v9kpb3vmgnxmiz-nghttp2-1.24.0-dev/lib
patching script interpreter paths in /nix/store/0k7g6vg48ik9sqkib4v9kpb3vmgnxmiz-nghttp2-1.24.0-dev
checking for references to /build in /nix/store/0k7g6vg48ik9sqkib4v9kpb3vmgnxmiz-nghttp2-1.24.0-dev...
shrinking RPATHs of ELF executables and libraries in /nix/store/6c7am8wxs81aafvxqdsrv3wlw70m08kg-nghttp2-1.24.0-lib
shrinking /nix/store/6c7am8wxs81aafvxqdsrv3wlw70m08kg-nghttp2-1.24.0-lib/lib/libnghttp2.so.14.13.3
strip is /nix/store/b0zlxla7dmy1iwc3g459rjznx59797xy-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/6c7am8wxs81aafvxqdsrv3wlw70m08kg-nghttp2-1.24.0-lib/lib
patching script interpreter paths in /nix/store/6c7am8wxs81aafvxqdsrv3wlw70m08kg-nghttp2-1.24.0-lib
checking for references to /build in /nix/store/6c7am8wxs81aafvxqdsrv3wlw70m08kg-nghttp2-1.24.0-lib...

@xeji
Copy link
Contributor

xeji commented Jul 9, 2018

At 24k rebuilds this fix should probably go to staging-18.03 first if we want to do it.
ping @vcunat

@GrahamcOfBorg
Copy link

Success on x86_64-darwin (full log)

Attempted: nghttp2

Partial log (click to expand)

patching script interpreter paths in /nix/store/ycnwhw7pfqzpcnp91l0nw8zyyma5hf7k-nghttp2-1.24.0-bin
strip is /nix/store/bvxfljaqw2qnkd7n1ab88bd67x4giwld-cctools-binutils-darwin/bin/strip
patching script interpreter paths in /nix/store/wc5fnqi58pvmzsy2gsaf5i5bz5s8glyf-nghttp2-1.24.0
strip is /nix/store/bvxfljaqw2qnkd7n1ab88bd67x4giwld-cctools-binutils-darwin/bin/strip
stripping (with command strip and flags -S) in /nix/store/6pwj7w79qx13bk9f77aznb6s1xaqd843-nghttp2-1.24.0-dev/lib
patching script interpreter paths in /nix/store/6pwj7w79qx13bk9f77aznb6s1xaqd843-nghttp2-1.24.0-dev
strip is /nix/store/bvxfljaqw2qnkd7n1ab88bd67x4giwld-cctools-binutils-darwin/bin/strip
stripping (with command strip and flags -S) in /nix/store/q27kkqwxlj0qy0hkv0g1j1g5mr7vcz22-nghttp2-1.24.0-lib/lib
patching script interpreter paths in /nix/store/q27kkqwxlj0qy0hkv0g1j1g5mr7vcz22-nghttp2-1.24.0-lib
/nix/store/ycnwhw7pfqzpcnp91l0nw8zyyma5hf7k-nghttp2-1.24.0-bin

@vcunat vcunat added 1.severity: security 8.has: port to stable A PR already has a backport to the stable release. labels Jul 10, 2018
@vcunat vcunat self-assigned this Jul 10, 2018
@vcunat vcunat changed the base branch from release-18.03 to staging-18.03 July 10, 2018 08:10
vcunat
vcunat approved these changes Jul 10, 2018
View reviewed changes
Copy link
Member

@vcunat vcunat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@vcunat vcunat merged commit c8d83a1 into NixOS:staging-18.03 Jul 10, 2018
vcunat added a commit that referenced this pull request Jul 10, 2018
@vcunat
Merge #42888: nghttp2: backport fix for CVE-2018-1000168
41088a6
@symphorien symphorien deleted the CVE-2018-1000168 branch March 21, 2020 18:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vcunat vcunat vcunat approved these changes

Assignees

@vcunat vcunat

Labels
1.severity: security 8.has: port to stable A PR already has a backport to the stable release. 10.rebuild-darwin: 501+ 10.rebuild-linux: 501+
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@symphorien @Mic92 @xeji @GrahamcOfBorg @vcunat