libvirt: 5.3.0 -> 5.4.0 + patches for CVE-2019-10161, CVE-2019-10166, CVE-2019-10167 and CVE-2019-10168 #63921

Merged
merged 1 commit into from Jun 29, 2019

Contributor

@risicle risicle commented Jun 29, 2019

Motivation for this change

See also #63909

Multiple recent CVEs for libvirt (CVE-2019-10161, CVE-2019-10166, CVE-2019-10167 and CVE-2019-10168). Commits fixing these have been made to the repo, but no point release seems to be in sight yet, so adding them as patches after a bump to the most recent version.

As in #63909, the fix for CVE-2019-10161 unfortunately breaks the darwin build for me (tested on macos 10.13), so I've conditionally disabled it and will raise it as an issue with upstream.

This includes parallel bumps of pythonPackages.libvirt and perlPackages.SysVirt as requested in the main libvirt package.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

including parallel bumps of pythonPackages.libvirt and perlPackages.SysVirt

also include patches for CVE-2019-10161, CVE-2019-10166, CVE-2019-10167
and CVE-2019-10168
Member

grahamc commented Jun 29, 2019

@GrahamcOfBorg build libvirt

@grahamc grahamc merged commit a939166 into NixOS:master Jun 29, 2019
Contributor Author

risicle commented Jun 29, 2019

https://bugzilla.redhat.com/show_bug.cgi?id=1725317 darwin error report

Contributor Author

risicle commented Jul 3, 2019

Here seems to be as good a place as any to document why one of the patches doesn't work on darwin. After some investigation it turns out it's for the same reason we build from the tarball on darwin, and that's because darwin's rpcgen is a bit weird and troublesome. One result of this is not being able to handle libvirt's protocol .x files. It seems we use the tarball on darwin because it comes with pre-generated protocols, so we don't have to worry about rpcgen troubles.

The patch in question however touches one of the source's .x files and therefore prompts a rebuild of it, which fails.

Now, it is possible for a macos rpcgen to build libvirt's .x files - homebrew seem to have managed to get it working, which is what is used by libvirt's travis: https://libvirt.org/git/?p=libvirt.git;a=blob;f=.travis.yml;h=b510c810835f2f8447e

Related thread: https://www.redhat.com/archives/libvir-list/2017-January/msg00937.html
