
curl: CVE-2019-5435 #63203

Merged
merged 1 commit into from Jun 16, 2019

Conversation


@mmahut mmahut commented Jun 16, 2019

Motivation for this change

Fixes #63063.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@andir andir self-assigned this Jun 16, 2019
@andir andir left a comment

Thank you for looking into this 👍!

We are trying not to add that many patches into nixpkgs unless really required. Patches should rather be fetched using a suitable fetcher (pkgs.fetchpatch, pkgs.fetchurl, …).

Other than that it looks good. I still have to test-build a few packages regardless of the above comment.


mmahut commented Jun 16, 2019

@andir yes, indeed. However, fetchpatch and fetchurl depend on curl, so using these will create a circular dependency. That's the reason I added it manually in this case.

    infinite recursion encountered, at undefined position


andir commented Jun 16, 2019

> @andir yes, indeed. However fetchpatch and fetchurl depends on curl, so using these will create a circular dependency. That's the reason I did add it manually in this case.
>
> infinite recursion encountered, at undefined position

fetchurl uses a "special" version of curl that transparently uses stdenv.fetchurlBoot as fetchurl so it should be fine.

See: https://github.com/NixOS/nixpkgs/blob/master/pkgs/top-level/all-packages.nix#L264-L296


mmahut commented Jun 16, 2019

> fetchurl uses a "special" version of curl that transparently uses stdenv.fetchurlBoot as fetchurl so it should be fine.

Ah, ok. I might be doing something wrong, see: https://gist.github.com/mmahut/5390f0e6ab1528274404b24a0337438c


andir commented Jun 16, 2019

I see. That might just be because something in the dependency chain of fetchpatch requires something that isn't handled in that override. fetchurl should be fine for the patch, no?


mmahut commented Jun 16, 2019

@andir you are right, fetchurl does the trick :)


vcunat commented Jun 16, 2019

Well, hopefully it will last long enough. The point of using fetchpatch is that from time to time the patches generated dynamically change in insignificant details. (When they upgrade git or something.)
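To make the fetcher choice discussed above concrete, here is an added example that is not the PR's diff and not code from nixpkgs: a nixpkgs overlay that applies a CVE patch to curl from outside the curl derivation. The patch URL is an assumption (the curl project publishes per-CVE patch files, but the exact path is not stated in this thread), and the hash is a placeholder that Nix rejects on the first build while printing the real value.

```nix
# Added example (not from the PR or nixpkgs): overlay that patches curl.
# Assumptions: the patch URL, and lib.fakeSha256 as a stand-in for the real
# sha256, which Nix reports in the "hash mismatch" error on the first build.
final: prev: {
  curl = prev.curl.overrideAttrs (old: {
    patches = (old.patches or [ ]) ++ [
      # fetchurlBoot fetches with Nix's builtin fetcher and does not depend on
      # curl, so evaluating this patch cannot re-enter the curl build. Using
      # prev.fetchurl here would do exactly that: fetchurl's own curl is an
      # override of final.curl, whose patches would again call fetchurl.
      (prev.fetchurlBoot {
        url = "https://curl.haxx.se/CVE-2019-5435.patch"; # assumed URL
        sha256 = prev.lib.fakeSha256;                      # placeholder
      })
    ];
  });
}
```

Inside pkgs/tools/networking/curl/default.nix itself, which is where this PR makes the change, plain fetchurl works for the patch because the curl instance that fetchurl is built with receives stdenv.fetchurlBoot in place of its fetchurl argument (the override andir links to); fetchpatch is not substituted in that override, which matches the infinite recursion mmahut observed. An overlay never sees that substitution, so it has to reach for fetchurlBoot directly. vcunat's caveat still applies: a static .patch file served by the project should keep a stable hash, whereas a patch generated on the fly by a forge can change in headers or whitespace, which is what fetchpatch's normalization is for.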

@vcunat vcunat merged commit 9eb5831 into NixOS:release-19.03 Jun 16, 2019
vcunat added a commit that referenced this pull request Jun 16, 2019
@mmahut mmahut deleted the curlCVE branch June 16, 2019 16:23
3 participants