Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

systemd: fix CVE-2019-15718 #68032

Merged
merged 1 commit into from Sep 6, 2019
Merged

systemd: fix CVE-2019-15718 #68032

merged 1 commit into from Sep 6, 2019

Conversation

andir
Copy link
Member

@andir andir commented Sep 3, 2019

Motivation for this change

More details at: https://www.openwall.com/lists/oss-security/2019/09/03/1

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @NixOS/security-notifications

@ofborg ofborg bot requested a review from edolstra September 3, 2019 23:24
NeQuissimus
NeQuissimus approved these changes Sep 3, 2019
View reviewed changes
Copy link
Member

@NeQuissimus NeQuissimus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. This should probably be followed up by a full systemd upgrade against staging (?)

@andir
Copy link
Member Author

andir commented Sep 3, 2019

LGTM. This should probably be followed up by a full systemd upgrade against staging (?)

I am already working on systemd v243 at https://github.com/andir/nixpkgs/tree/systemd-v243 & https://github.com/andir/systemd/tree/nixos-v243. It currently fails with some install error. Must have missed a case in the new version bump. This has to be done with care and patience so we do not cause more harm then good. I'll work on that during the next days.

@vcunat
Copy link
Member

vcunat commented Sep 4, 2019

22k rebuilds. What about squashing it into the current staging-next iteration? (We have e.g. Firefox and Python CVEs in there.)

vcunat added a commit that referenced this pull request Sep 4, 2019
@vcunat
Merge #68032: systemd: fix CVE-2019-15718 (staging-next)
b479a21
vcunat
vcunat approved these changes Sep 4, 2019
View reviewed changes
Copy link
Member

@vcunat vcunat left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, I don't think anyone will be for this going later than the current staging-next iteration, so I merged it there in any case (so hopefully Hydra can save some work).

@NeQuissimus
Copy link
Member

@vcunat I don't mean to hijack this but is there a doc outlining what should go towards staging, staging-next, master? Are there explicit rules or do you do it by gut-feeling? :)

@vcunat
Copy link
Member

vcunat commented Sep 4, 2019

@NeQuissimus: that's not hijacking, it's perfectly on topic. The RFC says:

staging-next is branched from staging and only fixes to stabilize and security fixes shall be delivered to this branch. This branch shall be merged into master when deemed of sufficiently high quality.

@FRidh FRidh merged commit cde7715 into NixOS:master Sep 6, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NeQuissimus NeQuissimus NeQuissimus approved these changes

@vcunat vcunat vcunat approved these changes

@edolstra edolstra Awaiting requested review from edolstra

Assignees
No one assigned
Labels
1.severity: security 10.rebuild-darwin: 101-500 10.rebuild-linux: 501+ 10.rebuild-linux: 5001+
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@andir @vcunat @NeQuissimus @FRidh