Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

openssl: security updates #50846

Merged
merged 2 commits into from Nov 22, 2018
Merged

openssl: security updates #50846

merged 2 commits into from Nov 22, 2018

Conversation

alyssais
Copy link
Member

@alyssais alyssais commented Nov 20, 2018
edited

Motivation for this change

Was unsure if this PR should have been to master or staging given the security impact.

CVE-2018-0734: https://www.openssl.org/news/vulnerabilities.html#2018-0734
CVE-2018-0735: https://www.openssl.org/news/vulnerabilities.html#2018-0735
CVE-2018-5407: https://www.openssl.org/news/vulnerabilities.html#2018-5407

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@avnik
Copy link
Contributor

avnik commented Nov 20, 2018

They are low-severity, and probably staging should be ok.

@alyssais alyssais changed the base branch from master to staging November 20, 2018 16:12
@GrahamcOfBorg
Copy link

Failure on x86_64-linux (full log)

Attempted: openssl, openssl_1_1

Partial log (click to expand)

unpacking source archive /nix/store/z9rigqjgr0662z4cx0jnimgpb69x1058-openssl-1.1.1a.tar.gz
source root is openssl-1.1.1a
setting SOURCE_DATE_EPOCH to timestamp 1542720942 of file openssl-1.1.1a/util/unlocal_shlib.com.in
patching sources
applying patch /nix/store/ax9gk8hdvwm1nl19fd9j6g9gd1wj0vgk-nix-ssl-cert-file.patch
patching file crypto/x509/by_file.c
Hunk #1 FAILED at 97.
1 out of 1 hunk FAILED -- saving rejects to file crypto/x509/by_file.c.rej
builder for '/nix/store/91cdlkpc51yqsf2mkrrdj0jw22lwbb8v-openssl-1.1.1a.drv' failed with exit code 1
error: build of '/nix/store/91cdlkpc51yqsf2mkrrdj0jw22lwbb8v-openssl-1.1.1a.drv' failed

@GrahamcOfBorg
Copy link

Failure on aarch64-linux (full log)

Attempted: openssl, openssl_1_1

Partial log (click to expand)

patching script interpreter paths in /nix/store/3rbadq03nnpzjalqxlwyrfmn5qgp273y-openssl-1.0.2q
checking for references to /build in /nix/store/3rbadq03nnpzjalqxlwyrfmn5qgp273y-openssl-1.0.2q...
shrinking RPATHs of ELF executables and libraries in /nix/store/3d0rdzzbnrz9xcpv6jhqmr8mjfzl3ng0-openssl-1.0.2q-man
gzipping man pages under /nix/store/3d0rdzzbnrz9xcpv6jhqmr8mjfzl3ng0-openssl-1.0.2q-man/share/man/
patching script interpreter paths in /nix/store/3d0rdzzbnrz9xcpv6jhqmr8mjfzl3ng0-openssl-1.0.2q-man
checking for references to /build in /nix/store/3d0rdzzbnrz9xcpv6jhqmr8mjfzl3ng0-openssl-1.0.2q-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/smr4bv4l0c0k8md4wfj58wva3csg2a37-openssl-1.0.2q-debug
patching script interpreter paths in /nix/store/smr4bv4l0c0k8md4wfj58wva3csg2a37-openssl-1.0.2q-debug
checking for references to /build in /nix/store/smr4bv4l0c0k8md4wfj58wva3csg2a37-openssl-1.0.2q-debug...
error: build of '/nix/store/ncjpwx1fs9z5n58bqq581xqb87124pdp-openssl-1.1.1a.drv' failed

@GrahamcOfBorg
Copy link

Failure on aarch64-linux (full log)

Attempted: openssl, openssl_1_1

Partial log (click to expand)

patching script interpreter paths in /nix/store/560mpmbnmfpxyy58hzcz0zrlg05vdrz5-openssl-1.0.2q
checking for references to /build/ in /nix/store/560mpmbnmfpxyy58hzcz0zrlg05vdrz5-openssl-1.0.2q...
shrinking RPATHs of ELF executables and libraries in /nix/store/syiv25dvm3q6badm2mm9csjw6jdp6x01-openssl-1.0.2q-man
gzipping man pages under /nix/store/syiv25dvm3q6badm2mm9csjw6jdp6x01-openssl-1.0.2q-man/share/man/
patching script interpreter paths in /nix/store/syiv25dvm3q6badm2mm9csjw6jdp6x01-openssl-1.0.2q-man
checking for references to /build/ in /nix/store/syiv25dvm3q6badm2mm9csjw6jdp6x01-openssl-1.0.2q-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/fbdr7fixps5ihc6alb615sqgi0jb26y6-openssl-1.0.2q-debug
patching script interpreter paths in /nix/store/fbdr7fixps5ihc6alb615sqgi0jb26y6-openssl-1.0.2q-debug
checking for references to /build/ in /nix/store/fbdr7fixps5ihc6alb615sqgi0jb26y6-openssl-1.0.2q-debug...
error: build of '/nix/store/3yp37ajvb82s8w1spk7nh3vilhkb72i3-openssl-1.1.1a.drv' failed

fpletz
fpletz approved these changes Nov 20, 2018
View reviewed changes
Copy link
Member

@fpletz fpletz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree. The moderate severity issues are either not applicable (no PA-RISC support) or theoretical. The low severity issues are IMHO not even worth backporting.

Debian is also not backporting and waiting for the next release: https://security-tracker.debian.org/tracker/source-package/openssl

@fpletz
Copy link
Member

fpletz commented Nov 20, 2018

@alyssais The build is failing. Could you take another look at the patch?

@GrahamcOfBorg
Copy link

Failure on x86_64-linux (full log)

Attempted: openssl, openssl_1_1

Partial log (click to expand)

patching script interpreter paths in /nix/store/zx1zn4z7jrp8243ymf8l25bkb47iw9pr-openssl-1.0.2q
checking for references to /build/ in /nix/store/zx1zn4z7jrp8243ymf8l25bkb47iw9pr-openssl-1.0.2q...
shrinking RPATHs of ELF executables and libraries in /nix/store/9ka90vlg0nbljgq5nyyh78qln5352pw6-openssl-1.0.2q-man
gzipping man pages under /nix/store/9ka90vlg0nbljgq5nyyh78qln5352pw6-openssl-1.0.2q-man/share/man/
patching script interpreter paths in /nix/store/9ka90vlg0nbljgq5nyyh78qln5352pw6-openssl-1.0.2q-man
checking for references to /build/ in /nix/store/9ka90vlg0nbljgq5nyyh78qln5352pw6-openssl-1.0.2q-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/6gnpz2b8wyskzv9xrff1al9kwz7k1bfj-openssl-1.0.2q-debug
patching script interpreter paths in /nix/store/6gnpz2b8wyskzv9xrff1al9kwz7k1bfj-openssl-1.0.2q-debug
checking for references to /build/ in /nix/store/6gnpz2b8wyskzv9xrff1al9kwz7k1bfj-openssl-1.0.2q-debug...
error: build of '/nix/store/9vqx1c5nxrgkr2zsvgkqjh5gm4nbv1l2-openssl-1.1.1a.drv' failed

@alyssais
Copy link
Member Author

Looks like they've changed the formatting in 1.1.1 so we can't use the same patch for both anymore…

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: openssl, openssl_1_1

Partial log (click to expand)

checking for references to /build/ in /nix/store/g0zag49vk1yrd5fxy93fjbsgx159bhl7-openssl-1.1.1a...
shrinking RPATHs of ELF executables and libraries in /nix/store/qbfvnlg8hxpdjbx3pm7npnzpkxrb07d9-openssl-1.1.1a-man
gzipping man pages under /nix/store/qbfvnlg8hxpdjbx3pm7npnzpkxrb07d9-openssl-1.1.1a-man/share/man/
patching script interpreter paths in /nix/store/qbfvnlg8hxpdjbx3pm7npnzpkxrb07d9-openssl-1.1.1a-man
checking for references to /build/ in /nix/store/qbfvnlg8hxpdjbx3pm7npnzpkxrb07d9-openssl-1.1.1a-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/vgm30mxa6mdxxmy447kdlhbdiq9h8rhh-openssl-1.1.1a-debug
patching script interpreter paths in /nix/store/vgm30mxa6mdxxmy447kdlhbdiq9h8rhh-openssl-1.1.1a-debug
checking for references to /build/ in /nix/store/vgm30mxa6mdxxmy447kdlhbdiq9h8rhh-openssl-1.1.1a-debug...
/nix/store/0r9ivn88ksi56llj1qrrw36qknvf6wrr-openssl-1.0.2q-bin
/nix/store/ind0yfsspbf6a780451yq0dcd4gylcjp-openssl-1.1.1a-bin

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: openssl, openssl_1_1

Partial log (click to expand)

checking for references to /build/ in /nix/store/fc9x7s870ybs68nfrwn8dg94q4qvm2l6-openssl-1.1.1a...
shrinking RPATHs of ELF executables and libraries in /nix/store/5aa5mgg6rmq0r002r5b720rvp4zbbpv2-openssl-1.1.1a-man
gzipping man pages under /nix/store/5aa5mgg6rmq0r002r5b720rvp4zbbpv2-openssl-1.1.1a-man/share/man/
patching script interpreter paths in /nix/store/5aa5mgg6rmq0r002r5b720rvp4zbbpv2-openssl-1.1.1a-man
checking for references to /build/ in /nix/store/5aa5mgg6rmq0r002r5b720rvp4zbbpv2-openssl-1.1.1a-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/m02kyj0pd37542f2kc7649rcvszyi70v-openssl-1.1.1a-debug
patching script interpreter paths in /nix/store/m02kyj0pd37542f2kc7649rcvszyi70v-openssl-1.1.1a-debug
checking for references to /build/ in /nix/store/m02kyj0pd37542f2kc7649rcvszyi70v-openssl-1.1.1a-debug...
/nix/store/zjbwffk9jhsfdjrdwqv866g9pqqixfka-openssl-1.0.2q-bin
/nix/store/55y2v5x3qdljz5cw17s82akhpxr51f6z-openssl-1.1.1a-bin

@c0bw3b c0bw3b mentioned this pull request Nov 20, 2018
Closed
9 tasks
dtzWill added a commit to dtzWill/nixpkgs that referenced this pull request Nov 20, 2018
@dtzWill
Merge branch 'openssl' into nixos-dtz
521611b 
Use upstream NixOS#50846 for openssl updates, instead. Thanks! :)
@fpletz fpletz merged commit 8e00451 into NixOS:staging Nov 22, 2018
@alyssais alyssais deleted the openssl branch November 22, 2018 11:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fpletz fpletz fpletz approved these changes

Assignees
No one assigned
Labels
1.severity: security 8.has: package (update) 10.rebuild-darwin: 501+ 10.rebuild-darwin-stdenv 10.rebuild-linux: 501+
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@alyssais @avnik @GrahamcOfBorg @fpletz