gnupatch: apply patches for CVE-2019-1363 and CVE-2019-13638 #65498

Merged
merged 1 commit into from Jul 28, 2019

Conversation

andir
Member

@andir andir commented Jul 28, 2019

Motivation for this change

This is mostly a follow-up to the patches we added last year to deal with code execution from within patch files.

It probably isn't as important to our build scripts as it is to people using patch on the cli within their workflow. Passing it through the "slower" staging-next cycle should be fine. If people disagree we can still move it into master directly.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@andir
Member Author

andir commented Jul 28, 2019

@GrahamcOfBorg eval

@FRidh
Member

FRidh commented Jul 28, 2019

@GrahamcOfBorg eval

just fixed eval on staging-next

@vcunat
Member

vcunat commented Jul 28, 2019

Nitpick: fetchurl from cgit probably won't keep its hash for long.

cgit v1.0-41-gc330

As this is involved in stdenv bootstrapping, the best approach I see ATM is to just copy the patches into nixpkgs (they're quite short).

@andir
Member Author

andir commented Jul 28, 2019

Nitpick: fetchurl from cgit probably won't keep its hash for long.

cgit v1.0-41-gc330

As this is involved in stdenv bootstrapping, the best approach I see ATM is to just put the patches into nixpkgs (they're quite short).

Thanks, will work on that now.

@vcunat vcunat merged commit 49c4c4a into NixOS:staging-next Jul 28, 2019
vcunat pushed a commit that referenced this pull request Jul 28, 2019