rack: 1.6.* -> 1.6.11, 2.0.* -> 2.0.6 (CVE-2018-16470, CVE-2018-16471) #49817
+188
−55
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
alyssais
changed the title
GrahamcOfBorg
added
8.has: documentation
c0bw3b
added
the
1.severity: security
|
Only metasploit seems to fail. |
|
Looks like metasploit has some special instructions for upgrading in a comment. I’ll see if following those fixes the problem. |
|
I wrote these instructions. They are useful to upgrade metasploit, but I don't think they would resolve the build error on their own because the HOME variable would be still not set during the build. |
|
They are useful to upgrade metasploit, but I don't think they would resolve the build error on there own because the HOME variable would be still not set during the build.
Ah okay.
|
|
@GrahamcOfBorg build metasploit |
|
Failure on x86_64-linux (full log) Attempted: metasploit Partial log (click to expand)
|
|
Failure on aarch64-linux (full log) Attempted: metasploit Partial log (click to expand)
|
Mic92
reviewed
Nov 9, 2018
| @@ -26,6 +26,10 @@ in stdenv.mkDerivation rec { | |||
| sha256 = "1vilyy0dqzp8kbbpvs2zrv2ac7s39w2vv7mrbzgcjgh2bj7c6bg1"; | |||
| }; | |||
|
|
|||
| preBuild = '' | |||
| export HOME=$TEMPDIR | |||
| ''; | |||
There was a problem hiding this comment.
It actually needs to be applied in gem-config since it is affecting not metasploit but the rb-readline gem.
diff --git a/pkgs/development/ruby-modules/gem-config/default.nix b/pkgs/development/ruby-modules/gem-config/default.nix
index b5aa0933c2e..5d6cc04c44c 100644
--- a/pkgs/development/ruby-modules/gem-config/default.nix
+++ b/pkgs/development/ruby-modules/gem-config/default.nix
@@ -371,6 +371,9 @@ in
postPatch = ''
substituteInPlace lib/rbreadline.rb \
--replace 'infocmp' '${ncurses.dev}/bin/infocmp'
+
+ # wants that at build time
+ export HOME=$TEMPDIR
'';
};
```diffThere was a problem hiding this comment.
With change I was able to build metasploit.
There was a problem hiding this comment.
If it's getting to /nix/store/qhinmjkf4zhyqpq4ffc2s2rqpbfn5wk9-ruby2.5.3-metasploit-framework-4.16.1.drv, shouldn't that mean it's already built rb-readline?
There was a problem hiding this comment.
I would say yes. I am not sure how this behaves on non-linux machines.
All I can say is that with the change above I can build it but not without.
There was a problem hiding this comment.
On Darwin your fix doesn't seem to solve the problem, but also neither does mine… I'll try pushing your fix, but then if you could get OfBorg to do a Darwin rebuild (I assume you have perms), that'd be great.
|
@GrahamcOfBorg build metasploit |
|
Failure on x86_64-linux (full log) Attempted: metasploit Partial log (click to expand)
|
|
Failure on x86_64-darwin (full log) Attempted: metasploit Partial log (click to expand)
|
|
Failure on aarch64-linux (full log) Attempted: metasploit Partial log (click to expand)
|
Mic92
reviewed
Nov 9, 2018
| @@ -371,6 +371,8 @@ in | |||
| postPatch = '' | |||
| substituteInPlace lib/rbreadline.rb \ | |||
| --replace 'infocmp' '${ncurses.dev}/bin/infocmp' | |||
|
|
|||
| export HOME=$TEMPDIR | |||
There was a problem hiding this comment.
Mhm, no idea what I tested actually, maybe your patch even work before?
Nevertheless, the following does now work. It is a bit more general
since it will also work if something else is using metasploit-framework in its dependency closure.
diff --git a/pkgs/development/ruby-modules/gem-config/default.nix b/pkgs/development/ruby-modules/gem-config/default.nix
index dc8643adec8..e7d1156acff 100644
--- a/pkgs/development/ruby-modules/gem-config/default.nix
+++ b/pkgs/development/ruby-modules/gem-config/default.nix
@@ -226,6 +226,12 @@ in
'';
};
+ metasploit-framework = attrs: {
+ preInstall = ''
+ export HOME=$TMPDIR
+ '';
+ };
+
msgpack = attrs: {
buildInputs = [ msgpack ];
};
@@ -371,8 +377,6 @@ in
postPatch = ''
substituteInPlace lib/rbreadline.rb \
--replace 'infocmp' '${ncurses.dev}/bin/infocmp'
-
- export HOME=$TEMPDIR
'';
};proof:
$ msfconsole
/nix/store/faki24ajn5xawxxlpb7yz79cz3aflwy0-ruby2.5.3-rbnacl-4.0.2/lib/ruby/gems/2.5.0/gems/rbnacl-4.0.2/lib/rbnacl.rb:3: warning: already initialized constant RBNACL_LIBSODIUM_GEM_LIB_PATH
/nix/store/k0am0cicdcb4bg25ird59xjvkhf8s3is-ruby2.5.3-rbnacl-libsodium-1.0.13/lib/ruby/gems/2.5.0/gems/rbnacl-libsodium-1.0.13/lib/rbnacl/libsodium.rb:13: warning: previous definition of RBNACL_LIBSODIUM_GEM_LIB_PATH was here
+-------------------------------------------------------+
| METASPLOIT by Rapid7 |
+---------------------------+---------------------------+
| __________________ | |
| ==c(______(o(______(_() | |""""""""""""|======[*** |
| )=\ | | EXPLOIT \ |
| // \\ | |_____________\_______ |
| // \\ | |==[msf >]============\ |
| // \\ | |______________________\ |
| // RECON \\ | \(@)(@)(@)(@)(@)(@)(@)/ |
| // \\ | ********************* |
+---------------------------+---------------------------+
| o O o | \'\/\/\/'/ |
| o O | )======( |
| o | .' LOOT '. |
| |^^^^^^^^^^^^^^|l___ | / _||__ \ |
| | PAYLOAD |""\___, | / (_||_ \ |
| |________________|__|)__| | | __||_) | |
| |(@)(@)"""**|(@)(@)**|(@) | " || " |
| = = = = = = = = = = = = | '--------------' |
+---------------------------+---------------------------+
=[ metasploit v4.16.1-dev ]
+ -- --=[ 1678 exploits - 961 auxiliary - 296 post ]
+ -- --=[ 495 payloads - 40 encoders - 9 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf >
> /nix/store/r2vsi140pys7jnzyk0qz1fj9aji6sq40-ruby2.5.3-rb-readline-0.5.5/lib/ruby/gems/2.5.0/gems/rb-readline-0.5.5/lib/rbreadline.rb:1097:in `<module:RbReadline>': HOME environment variable (or HOMEDRIVE and HOMEPATH) must be set and point to a directory (RuntimeError)
|
@GrahamcOfBorg build metasploit |
|
Success on x86_64-linux (full log) Attempted: metasploit Partial log (click to expand)
|
|
Success on aarch64-linux (full log) Attempted: metasploit Partial log (click to expand)
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation for changes
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)nix path-info -Sbefore and after)