Various security issues #49150
Conversation
When using cgrulesengd it would create a logfile at /var/log/cgred with permissions wide open (0666).
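The /var/log/cgred permission problem, as an added illustration that is not code from libcgroup or from this PR: an audit check for a world-writable file, a hypothetical hardened log opener (`open_log_restricted`) that strips the world bits without relying on the daemon's umask, and a demo that reproduces the bad mode on a constructed temp file and repairs it.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Audit check: 1 if `path` is world-writable (the /var/log/cgred condition), 0 if not, -1 on error. */
int is_world_writable(const char *path) {
    struct stat st;
    if (lstat(path, &st) < 0) return -1;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

/* Hypothetical hardened opener for a daemon log file. Creates with 0640 and, because a
 * file left behind by an earlier run may already be 0666, also strips group-write and
 * all "other" bits from an existing file. The explicit fchmod makes this umask-independent. */
int open_log_restricted(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0640);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    mode_t cur = st.st_mode & 07777;
    mode_t wanted = cur & ~(S_IWGRP | S_IRWXO);
    if (wanted != cur && fchmod(fd, wanted) < 0) { close(fd); return -1; }
    return fd;
}

/* Reproduce the bug on a constructed temp file (chmod 0666, as cgred left its log), then repair it. */
int run_demo(int *before, int *after) {
    char path[] = "/tmp/cgred-demo-XXXXXX";   /* constructed sample path */
    int fd = mkstemp(path), lfd = -1;
    if (fd < 0) return -1;
    *before = (fchmod(fd, 0666) == 0) ? is_world_writable(path) : -1;
    if (*before >= 0 && (lfd = open_log_restricted(path)) >= 0) close(lfd);
    *after = is_world_writable(path);
    close(fd);
    unlink(path);
    return (*before >= 0 && lfd >= 0) ? 0 : -1;
}

int main(void) {
    int b = -1, a = -1;
    if (run_demo(&b, &a) != 0) return 1;
    printf("world-writable before fix: %d, after fix: %d\n", b, a);  /* 1 then 0 */
    return 0;
}
```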
This fixes issues CVE-2018-12034 & CVE-2018-12035. They are OOB read & write issues of the internal VM. Details can be retrieved at [1] & [2].
[1] VirusTotal/yara#891
[2] https://bnbdr.github.io/posts/swisscheese/
The package hasn't been updated in a long time. There have been several issues with the package. There is no dependent package in the repository, so marking it as insecure until someone maintains it sounds reasonable.
Bumps to the latest stable version while fixing CVE-2018-14345 [1]. Changelog [2]:
- Support theme supplied avatars
- Compile against Qt 5.11
- Fix platform detection for HighDPI
- On close, switch VT to a running session if applicable
- Better ConsoleKit support
- Fix authentication when non-default hidden option ReuseSession=true is used (CVE-2018-14345)
- Hide sessions with NoDisplay=true
- Honor PAM's ambient supplemental groups
- Cleanup socket destruction
- Don't quit on SIGHUP
- Updated translations
[1] https://nvd.nist.gov/vuln/detail/CVE-2018-14345
[2] https://github.com/sddm/sddm/releases/tag/v0.18.0
There is at least one recorded issue against our kiwix version. Upstream no longer supports this version of the project. They have moved to a different repository & software architecture.
Success on x86_64-darwin. Attempted: taglib, yara. The following builds were skipped because they don't evaluate on x86_64-darwin: batik, kiwix, sddm.
Success on x86_64-linux. Attempted: sddm, taglib, yara. The following builds were skipped because they don't evaluate on x86_64-linux: batik, kiwix.
Success on aarch64-linux. Attempted: sddm, taglib, yara. The following builds were skipped because they don't evaluate on aarch64-linux: batik, kiwix.
Tested sddm, but not any other packages.
Hey, I had a pull request for sddm 0.18 since July: #43978
@bkchr oh, I must have missed those. I did those commits a few weeks ago and asked mic92 to test it once more to not be blind for my own issues... @GrahamcOfBorg test plasma5
Timed out, unknown build status on x86_64-linux. Attempted: tests.plasma5.
Timed out, unknown build status on aarch64-linux. Attempted: tests.plasma5.
Motivation for this change
I ran into a couple of issues while I was working on some related tooling. Here is a collection of a few of those that I could motivate myself into addressing in some way.
The most important/interesting is probably the SDDM change.
I did run NixOS tests for those packages that have them.
We have to figure out how and what we want to backport to 18.03 & 18.09.
cc @Mic92 since we talked about the changes already