This repository was archived by the owner on Apr 12, 2021. It is now read-only.
base repository: NixOS/nixpkgs-channels
base: f70e66cccd5a
head repository: NixOS/nixpkgs-channels
compare: 41c8f218b8bb
  • 6 commits
  • 5 files changed
  • 5 contributors

Commits on May 24, 2019

  1. Verified

    This commit was signed with the committer’s verified signature.
    Mic92 Jörg Thalheim
    75f6109 View commit details

Commits on May 25, 2019

  1. Copy the full SHA
    c826890 View commit details
  2. wireguard: restart on failure

    As a oneshot service, if the startup failed it would never be attempted again.
    This is problematic when peer's addresses require DNS. DNS may not be reliably available at
    the time wireguard starts. Converting this to a simple service with Restart
    and RestartAfter directives allows the service to be reattempted, but at
    the cost of losing the oneshot semantics.
    
    Signed-off-by: Maximilian Bosch <maximilian@mbosch.me>
    (cherry picked from commit 1bff53c)
    sjau authored and Ma27 committed May 25, 2019
    ced7cfc View commit details
  3. Merge #62063: evince: patch CVE-2019-11459

    (cherry picked from commit bb2a49d)
    backend/tiff/ hasn't seen any relevant changes in-between,
    so I believe the backport should still be fairly safe.
    vcunat committed May 25, 2019
    b081cbc View commit details
  4. services.tahoe: Use networking.hostName.

    Previously we used nothing, leading to #25273.
    
    Big thanks to @t184256 for developing and testing this fix.
    
    Fixes #25273.
    
    (cherry picked from commit fa6ad02)
    MostAwesomeDude authored and infinisil committed May 25, 2019
    2d44a7a View commit details
  5. services.tahoe: Use 1.13-compatible invocations.

    (cherry picked from commit 00d6b4c)
    MostAwesomeDude authored and infinisil committed May 25, 2019
    41c8f21 View commit details
13 changes: 8 additions & 5 deletions nixos/modules/services/network-filesystems/tahoe.nix
@@ -234,16 +234,19 @@ in
Type = "simple";
PIDFile = pidfile;
# Believe it or not, Tahoe is very brittle about the order of
# arguments to $(tahoe start). The node directory must come first,
# arguments to $(tahoe run). The node directory must come first,
# and arguments which alter Twisted's behavior come afterwards.
ExecStart = ''
${settings.package}/bin/tahoe start ${lib.escapeShellArg nodedir} -n -l- --pidfile=${lib.escapeShellArg pidfile}
${settings.package}/bin/tahoe run ${lib.escapeShellArg nodedir} --pidfile=${lib.escapeShellArg pidfile}
'';
};
preStart = ''
if [ ! -d ${lib.escapeShellArg nodedir} ]; then
mkdir -p /var/db/tahoe-lafs
tahoe create-introducer ${lib.escapeShellArg nodedir}
# See https://github.com/NixOS/nixpkgs/issues/25273
tahoe create-introducer \
--hostname="${config.networking.hostName}" \
${lib.escapeShellArg nodedir}
fi
# Tahoe has created a predefined tahoe.cfg which we must now
@@ -334,10 +337,10 @@ in
Type = "simple";
PIDFile = pidfile;
# Believe it or not, Tahoe is very brittle about the order of
# arguments to $(tahoe start). The node directory must come first,
# arguments to $(tahoe run). The node directory must come first,
# and arguments which alter Twisted's behavior come afterwards.
ExecStart = ''
${settings.package}/bin/tahoe start ${lib.escapeShellArg nodedir} -n -l- --pidfile=${lib.escapeShellArg pidfile}
${settings.package}/bin/tahoe run ${lib.escapeShellArg nodedir} --pidfile=${lib.escapeShellArg pidfile}
'';
};
preStart = ''
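Review bot: The added `--hostname="${config.networking.hostName}"` line in the introducer's `preStart` splices the option value into the shell script inside double quotes, while every other interpolated value in this section goes through `lib.escapeShellArg`. A host name containing `"`, `$` or a backtick would be re-interpreted by the shell, and an empty `networking.hostName` would pass `--hostname=""`; whether the option's type rules either out is not visible here. I would write the line as `--hostname=${lib.escapeShellArg config.networking.hostName} \`. The second hunk's `preStart` continues outside the hunk, so I cannot tell whether node creation needs the same argument.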
4 changes: 3 additions & 1 deletion nixos/modules/services/networking/wireguard.nix
@@ -197,7 +197,9 @@ let
path = with pkgs; [ kmod iproute wireguard-tools ];

serviceConfig = {
Type = "oneshot";
Type = "simple";
Restart = "on-failure";
RestartSec = "5s";
RemainAfterExit = true;
};
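Review bot: `Type = "simple"` together with the retained `RemainAfterExit = true` means systemd treats the unit as started as soon as the setup process is spawned, so units ordered `After=` it can run before the interface, keys and peers are configured; the commit message accepts losing oneshot semantics, but the code does not say so. For services that must only talk over the tunnel, that ordering gap is a fail-open window, so it deserves a comment at the setting, e.g. `# "simple" so Restart=on-failure can retry (peer DNS may not resolve yet); dependents are no longer held back until setup finishes`. The script this `serviceConfig` runs is outside the hunk, so whether a failed attempt leaves a half-configured interface behind before the retry is not visible here.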

11 changes: 10 additions & 1 deletion pkgs/desktops/gnome-3/core/evince/default.nix
@@ -1,4 +1,4 @@
{ fetchurl, stdenv, pkgconfig, intltool, libxml2
{ fetchurl, fetchpatch, stdenv, pkgconfig, intltool, libxml2
, glib, gtk3, pango, atk, gdk_pixbuf, shared-mime-info, itstool, gnome3
, poppler, ghostscriptX, djvulibre, libspectre, libarchive, libsecret, wrapGAppsHook
, librsvg, gobject-introspection, yelp-tools, gspell, adwaita-icon-theme, gsettings-desktop-schemas
@@ -17,6 +17,15 @@ stdenv.mkDerivation rec {
sha256 = "0k7jln6dpg4bpv61niicjzkzyq6fhb3yfld7pc8ck71c8pmvsnx9";
};


patches = [
(fetchpatch {
name = "CVE-2019-11459.patch";
url = "https://gitlab.gnome.org/GNOME/evince/commit/3e38d5ad724a042eebadcba8c2d57b0f48b7a8c7.patch";
sha256 = "1ds6iwr2r9i86nwrly8cx7p1kbvf1gljjplcffa67znxqmwx4n74";
})
];

passthru = {
updateScript = gnome3.updateScript { packageName = "evince"; };
};
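Review bot: The new `patches` entry carries no comment saying when it can be dropped, and the backport reasoning (backend/tiff/ unchanged in between) lives only in the commit record. I would add above `(fetchpatch {` something like `# CVE-2019-11459 backport; drop once the packaged evince release contains upstream commit 3e38d5ad`. Pinning the fetched patch with `sha256` is the right call, since the URL points at a forge-generated file. The two consecutive blank lines before `patches = [` can be reduced to one.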
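--- a/pkgs/development/libraries/libheif/1.3.2-CVE-2019-11471.patch
+++ b/pkgs/development/libraries/libheif/1.3.2-CVE-2019-11471.patch
@@ -0,0 +1,15 @@
+Adapted from upstream commit 995a4283d8ed2d0d2c1ceb1a577b993df2f0e014
+--- a/libheif/heif_context.cc
++++ b/libheif/heif_context.cc
+@@ -566,6 +566,11 @@
+image->set_is_alpha_channel_of(refs[0]);
+
+auto master_iter = m_all_images.find(refs[0]);
++ if (master_iter == m_all_images.end()) {
++ return Error(heif_error_Invalid_input,
++ heif_suberror_Nonexisting_item_referenced,
++ "Non-existing alpha image referenced");
++ }
+master_iter->second->set_alpha_channel(image);
+}
+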
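Review bot: The patch header says only "Adapted from upstream commit 995a4283…" without stating what was adapted or where upstream lives, which makes this vendored copy hard to audit against the original fix. I would extend the header by a line or two giving the upstream repository URL and a sentence on what differs from the upstream commit (for instance, context rebased onto 1.3.2). In the hunk itself the new `end()` check runs after `image->set_is_alpha_channel_of(refs[0])`, and `refs[0]` is read with no emptiness check in view; the enclosing function starts outside the hunk, so this may already be guarded earlier.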
2 changes: 2 additions & 0 deletions pkgs/development/libraries/libheif/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
sha256 = "0hk8mzig2kp5f94j4jwqxzjrm7ffk16ffvxl92rf0afsh6vgnz7w";
};

patches = [ ./1.3.2-CVE-2019-11471.patch ];

nativeBuildInputs = [ autoreconfHook pkgconfig ];
buildInputs = [ libde265 x265 libpng libjpeg ];