Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

php: Fix CVE-2018-17082 (release-18.03) #50377

Closed
wants to merge 1 commit into from
Closed

php: Fix CVE-2018-17082 (release-18.03) #50377

wants to merge 1 commit into from
+6 −5

Conversation

Ekleog
Copy link
Member

@Ekleog Ekleog commented Nov 15, 2018
edited
Loading

php: 5.6.32 -> 5.6.38, 7.0.28 -> 7.0.32, 7.1.21 -> 7.1.24, 7.2.8 -> 7.2.12

Also make Darwin align itself to Linux versions, due to CVE-2018-17082
forcing our hand on this. This means Darwin must compile without intl.

Fixes #50368

Things done

Tested with ./result/bin/php passing <?php echo "a\nb\n"; and checked it did output correctly a and b.

  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

Sorry, something went wrong.

@Ekleog Ekleog mentioned this pull request Nov 15, 2018
Closed
1 task
@Ekleog Ekleog force-pushed the php-cve-2018-17082 branch from 53f2196 to 483bb1c Compare November 15, 2018 01:08
@Ekleog
Copy link
Member Author

Ekleog commented Nov 15, 2018

@GrahamcOfBorg build php56 php70 php71 php72
@GrahamcOfBorg test owncloud elk

@GrahamcOfBorg
Copy link

Failure on x86_64-linux (full log)

Partial log (click to expand)

Merge failed

@GrahamcOfBorg
Copy link

Failure on aarch64-linux (full log)

Partial log (click to expand)

Merge failed

@GrahamcOfBorg
Copy link

Failure on aarch64-linux (full log)

Partial log (click to expand)

Merge failed

@GrahamcOfBorg
Copy link

Failure on x86_64-linux (full log)

Partial log (click to expand)

Merge failed

@GrahamcOfBorg GrahamcOfBorg added the 2.status: merge conflict This PR has merge conflicts with the target branch label Nov 15, 2018
@Ekleog Ekleog force-pushed the php-cve-2018-17082 branch from 483bb1c to 0c29810 Compare November 15, 2018 01:11
@Ekleog
Copy link
Member Author

Ekleog commented Nov 15, 2018

When I remember to update my release-18.03 branch first, it should be better for merge conflicts…

@GrahamcOfBorg build php56 php70 php71 php72
@GrahamcOfBorg test owncloud elk

@GrahamcOfBorg GrahamcOfBorg added 10.rebuild-darwin: 11-100 10.rebuild-linux: 11-100 and removed 2.status: merge conflict This PR has merge conflicts with the target branch labels Nov 15, 2018
@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: php56, php70, php71, php72

Partial log (click to expand)

checking for references to /build in /nix/store/g1h1q4axnqlgr0k8yvha4vjrcgi7v32z-php-7.2.12...
moving /nix/store/g1h1q4axnqlgr0k8yvha4vjrcgi7v32z-php-7.2.12/sbin/* to /nix/store/g1h1q4axnqlgr0k8yvha4vjrcgi7v32z-php-7.2.12/bin
shrinking RPATHs of ELF executables and libraries in /nix/store/6gdr6x0flrxiqrpkpc1sy9x1l2rak09a-php-7.2.12-dev
strip is /nix/store/hy39vplmzpwckvzxgyhr54dwz0mnfv2p-binutils-2.28.1/bin/strip
patching script interpreter paths in /nix/store/6gdr6x0flrxiqrpkpc1sy9x1l2rak09a-php-7.2.12-dev
checking for references to /build in /nix/store/6gdr6x0flrxiqrpkpc1sy9x1l2rak09a-php-7.2.12-dev...
/nix/store/s08ijnjanssqy4acxvxhx3ygrs1r61mp-php-5.6.38
/nix/store/g0wblwr0gw7l5h84w8mkyb1kn372zfa3-php-7.0.32
/nix/store/9qbijcg589zwplj3ccgg4d5k7zf3gc2j-php-7.1.24
/nix/store/g1h1q4axnqlgr0k8yvha4vjrcgi7v32z-php-7.2.12

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: php

Partial log (click to expand)

/nix/store/g1h1q4axnqlgr0k8yvha4vjrcgi7v32z-php-7.2.12

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: php56, php70, php71, php72

Partial log (click to expand)

checking for references to /build in /nix/store/v8dwd1251arsdya12a9r5sx36vgrifhz-php-7.1.24...
moving /nix/store/v8dwd1251arsdya12a9r5sx36vgrifhz-php-7.1.24/sbin/* to /nix/store/v8dwd1251arsdya12a9r5sx36vgrifhz-php-7.1.24/bin
shrinking RPATHs of ELF executables and libraries in /nix/store/9kbdgja0dv4r4p4cknylmcy08h8j9g3b-php-7.1.24-dev
strip is /nix/store/k8b9hqv58dd1z0j4ikak24ykndcm91s6-binutils-2.28.1/bin/strip
patching script interpreter paths in /nix/store/9kbdgja0dv4r4p4cknylmcy08h8j9g3b-php-7.1.24-dev
checking for references to /build in /nix/store/9kbdgja0dv4r4p4cknylmcy08h8j9g3b-php-7.1.24-dev...
/nix/store/g0dn6g2zjra5ahr6qczmvgh0dijki21m-php-5.6.38
/nix/store/lgqy241p4ga9zj719dfsiisgkfk9qrca-php-7.0.32
/nix/store/v8dwd1251arsdya12a9r5sx36vgrifhz-php-7.1.24
/nix/store/n4znj3y9c08y0fhzpfj0vv84kp5c6wmm-php-7.2.12

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: php

Partial log (click to expand)

/nix/store/n4znj3y9c08y0fhzpfj0vv84kp5c6wmm-php-7.2.12

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: tests.owncloud, tests.elk

Partial log (click to expand)

web: exit status 1
syncing
web: running command: sync
web: exit status 0
test script finished in 40.03s
cleaning up
killing web (pid 627)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/build/vde1.ctl': Directory not empty
/nix/store/l0f50qsh4b20nizvwakjsw8z6wrfrs50-vm-test-run-owncloud

@GrahamcOfBorg
Copy link

Failure on x86_64-linux (full log)

Attempted: tests.owncloud, tests.elk

Partial log (click to expand)

web: running command: systemctl --no-pager show "postgresql"
web: exit status 0
error: unit ‘postgresql’ reached state ‘failed’
unit ‘postgresql’ reached state ‘failed’
cleaning up
killing web (pid 596)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/build/vde1.ctl': Directory not empty
builder for '/nix/store/r0vchgfii0mc30x81rn740iknfvhqpy5-vm-test-run-owncloud.drv' failed with exit code 255
error: build of '/nix/store/r0vchgfii0mc30x81rn740iknfvhqpy5-vm-test-run-owncloud.drv' failed

@Ekleog
Copy link
Member Author

Ekleog commented Nov 15, 2018

Looks like the error is due to postgresql failing to start, so most likely unrelated to this PR.

@Mic92
Copy link
Member

Mic92 commented Nov 15, 2018

Do we have those on master already?

@Mic92
Copy link
Member

Mic92 commented Nov 15, 2018

we are also missing 7.1.21 - 7.1.24, 7.2.8 -> 7.2.12 on master.

@Ekleog
Copy link
Member Author

Ekleog commented Nov 16, 2018

Oh it wasn't reported in the tracking issue so I assumed we already had those. Will send a PR for master (and check release-18.09) ASAP, likely this week-end :)

@c0bw3b c0bw3b added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Nov 16, 2018
@Ekleog Ekleog changed the title php: Fix CVE-2018-17082 php: Fix CVE-2018-17082 (release-18.03) Nov 17, 2018
@Ekleog
php: 5.6.32 -> 5.6.38, 7.0.28 -> 7.0.32, 7.1.21 -> 7.1.24, 7.2.8 -> 7…
bd85022 
….2.12

Also make Darwin align itself to Linux versions, due to CVE-2018-17082
forcing our hand on this. This means Darwin must compile without intl.

Fixes NixOS#50368
@Ekleog Ekleog force-pushed the php-cve-2018-17082 branch from 0c29810 to bd85022 Compare November 17, 2018 15:49
@Ekleog
Copy link
Member Author

Ekleog commented Nov 17, 2018

This is now almost-a-backport of #50511 (but not really, because 18.03 supported more versions of PHP than 18.09 or unstable).

@Ekleog Ekleog mentioned this pull request Nov 17, 2018
Closed
9 tasks
@infinisil
Copy link
Member

We aren't doing backports to 18.03 anymore though, support has officially ended

@Ekleog
Copy link
Member Author

Ekleog commented Nov 17, 2018

Vulnix isn't aware about this yet, or so it seems #50368 :) (and we're quite lucky in this case, as it detected vulnerabilities on darwin that wouldn't have been detected otherwise because vulnix, I guess, runs on linux)

@Ekleog
Copy link
Member Author

Ekleog commented Nov 17, 2018

Reading my comment again it sounds like I'm contesting the fact. Please let me reformulate: I agree that 18.03 is EOL, and didn't think about it when doing this PR. I'll likely not do future backports to 18.03.

But now it's done… well, as you want, feel free to close :)

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: php

Partial log (click to expand)

/nix/store/g1h1q4axnqlgr0k8yvha4vjrcgi7v32z-php-7.2.12/bin/pear: interpreter directive changed from "/bin/sh" to "/nix/store/i7pgaclm3qrcm9gpqxb5mbw9wsn7prd0-bash-4.4-p12/bin/sh"
/nix/store/g1h1q4axnqlgr0k8yvha4vjrcgi7v32z-php-7.2.12/bin/php-config: interpreter directive changed from " /bin/sh" to "/nix/store/i7pgaclm3qrcm9gpqxb5mbw9wsn7prd0-bash-4.4-p12/bin/sh"
/nix/store/g1h1q4axnqlgr0k8yvha4vjrcgi7v32z-php-7.2.12/bin/phpize: interpreter directive changed from "/bin/sh" to "/nix/store/i7pgaclm3qrcm9gpqxb5mbw9wsn7prd0-bash-4.4-p12/bin/sh"
checking for references to /build in /nix/store/g1h1q4axnqlgr0k8yvha4vjrcgi7v32z-php-7.2.12...
moving /nix/store/g1h1q4axnqlgr0k8yvha4vjrcgi7v32z-php-7.2.12/sbin/* to /nix/store/g1h1q4axnqlgr0k8yvha4vjrcgi7v32z-php-7.2.12/bin
shrinking RPATHs of ELF executables and libraries in /nix/store/6gdr6x0flrxiqrpkpc1sy9x1l2rak09a-php-7.2.12-dev
strip is /nix/store/hy39vplmzpwckvzxgyhr54dwz0mnfv2p-binutils-2.28.1/bin/strip
patching script interpreter paths in /nix/store/6gdr6x0flrxiqrpkpc1sy9x1l2rak09a-php-7.2.12-dev
checking for references to /build in /nix/store/6gdr6x0flrxiqrpkpc1sy9x1l2rak09a-php-7.2.12-dev...
/nix/store/g1h1q4axnqlgr0k8yvha4vjrcgi7v32z-php-7.2.12

@infinisil
Copy link
Member

I'd rather have this closed, otherwise people might think they're expected to still backport to 18.03 and use this as an example. We don't even have enough people to do security updates to a single branch, it's probably best people invest time into master and 18.09 instead.

@infinisil infinisil closed this Nov 17, 2018
@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: php

Partial log (click to expand)

/nix/store/n4znj3y9c08y0fhzpfj0vv84kp5c6wmm-php-7.2.12/bin/pear: interpreter directive changed from "/bin/sh" to "/nix/store/lw7xaqhakk0i1c631m3cvac3x4lc5gr5-bash-4.4-p12/bin/sh"
/nix/store/n4znj3y9c08y0fhzpfj0vv84kp5c6wmm-php-7.2.12/bin/phpize: interpreter directive changed from "/bin/sh" to "/nix/store/lw7xaqhakk0i1c631m3cvac3x4lc5gr5-bash-4.4-p12/bin/sh"
/nix/store/n4znj3y9c08y0fhzpfj0vv84kp5c6wmm-php-7.2.12/bin/php-config: interpreter directive changed from " /bin/sh" to "/nix/store/lw7xaqhakk0i1c631m3cvac3x4lc5gr5-bash-4.4-p12/bin/sh"
checking for references to /build in /nix/store/n4znj3y9c08y0fhzpfj0vv84kp5c6wmm-php-7.2.12...
moving /nix/store/n4znj3y9c08y0fhzpfj0vv84kp5c6wmm-php-7.2.12/sbin/* to /nix/store/n4znj3y9c08y0fhzpfj0vv84kp5c6wmm-php-7.2.12/bin
shrinking RPATHs of ELF executables and libraries in /nix/store/8nvvf5nr5q0zld075z6vmy96ryw0hww4-php-7.2.12-dev
strip is /nix/store/k8b9hqv58dd1z0j4ikak24ykndcm91s6-binutils-2.28.1/bin/strip
patching script interpreter paths in /nix/store/8nvvf5nr5q0zld075z6vmy96ryw0hww4-php-7.2.12-dev
checking for references to /build in /nix/store/8nvvf5nr5q0zld075z6vmy96ryw0hww4-php-7.2.12-dev...
/nix/store/n4znj3y9c08y0fhzpfj0vv84kp5c6wmm-php-7.2.12

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 10.rebuild-darwin: 11-100 10.rebuild-linux: 11-100
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@Ekleog @GrahamcOfBorg @Mic92 @infinisil @c0bw3b