
Various security issues #49150

Merged
merged 7 commits into from Oct 26, 2018

Conversation

@andir (Member) commented Oct 26, 2018

Motivation for this change

I ran into a couple of issues while I was working on some related tooling. Here is a collection of a few of those that I could motivate myself into addressing in some way.

The most important/interesting is probably the SDDM change.

I did run NixOS tests for those packages that have them.

We have to figure out how and what we want to backport to 18.03 & 18.09.

cc @Mic92 since we talked about the changes already

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

When using cgrulesengd it would create a logfile at /var/log/cgred with
its permissions wide open (0666).

This fixes issues CVE-2018-12034 & CVE-2018-12035. They are OOB read &
write issues of the internal VM. Details can be retrieved at [1] & [2].

[1] VirusTotal/yara#891
[2] https://bnbdr.github.io/posts/swisscheese/

The package hasn't been updated in a long time. There have been several
issues with the package. There is no dependent package in the
repository, so marking it as insecure until someone maintains it sounds
reasonable.

Bumps to the latest stable version while fixing CVE-2018-14345 [1].

Changelog [2]:
 - Support theme supplied avatars
 - Compile against Qt 5.11
 - Fix platform detection for HighDPI
 - On close, switch VT to a running session if applicable
 - Better ConsoleKit support
 - Fix authentication when non-default hidden option ReuseSession=true is used (CVE-2018-14345)
 - Hide sessions with NoDisplay=true
 - Honor PAM's ambient supplemental groups
 - Cleanup socket destruction
 - Don't quit on SIGHUP
 - Updated translations

[1] https://nvd.nist.gov/vuln/detail/CVE-2018-14345
[2] https://github.com/sddm/sddm/releases/tag/v0.18.0

There is at least one recorded issue against our kiwix version. Upstream
no longer supports this version of the project. They have moved to a
different repository & software architecture.
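The cgred log-file problem described in the first commit message (a daemon log created with mode 0666, so any local user can append to or truncate it) in working code, as an added example that is not part of this PR, of nixpkgs, or of libcgroup: the wide-open creation pattern beside a hardened one, plus a small audit that reports world-writable files in a log directory. The file names, function names and the scratch directory are assumptions made for the demo; the actual cgrulesengd code and the patch applied in nixpkgs are not reproduced here.

```python
"""Added example (not from the nixpkgs PR or from libcgroup): a daemon log
file created with wide-open permissions, beside a restricted variant, and an
audit helper that flags world-writable files. Paths/names are illustrative."""
import os
import stat
import tempfile


def open_log_wide_open(path: str) -> int:
    """The weak pattern the cgred report describes: create the log with mode
    0666 and a zero umask, so every local user can write to it."""
    old = os.umask(0)
    try:
        return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o666)
    finally:
        os.umask(old)


def open_log_restricted(path: str) -> int:
    """Hardened pattern: O_NOFOLLOW refuses a symlink planted at the path,
    and mode 0600 keeps a newly created file owner-only regardless of umask."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    # The create mode only applies to a new file. If the file already existed
    # with loose permissions (e.g. left behind by an older version), fix it.
    if stat.S_IMODE(os.fstat(fd).st_mode) & 0o077:
        os.fchmod(fd, 0o600)
    return fd


def world_writable_files(directory: str) -> list:
    """Audit helper: names of regular files under `directory` with o+w set."""
    hits = []
    for name in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, name))
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
            hits.append(name)
    return hits


def mode_of(path: str) -> int:
    """Permission bits of a path, e.g. 0o600."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo(directory: str = None) -> dict:
    """Create both variants in a scratch directory (assumed, not /var/log)
    and return the observed modes and the audit result."""
    directory = directory or tempfile.mkdtemp(prefix="cgred-demo-")
    weak = os.path.join(directory, "cgred.weak")
    good = os.path.join(directory, "cgred.good")
    os.close(open_log_wide_open(weak))
    os.close(open_log_restricted(good))
    # Loosen the good file and reopen it to exercise the repair path.
    os.chmod(good, 0o666)
    os.close(open_log_restricted(good))
    return {
        "dir": directory,
        "weak_mode": mode_of(weak),
        "good_mode": mode_of(good),
        "world_writable": world_writable_files(directory),
    }


if __name__ == "__main__":
    print(demo())
```

On a live system the same audit idea is the quick check for this class of bug: list the daemon's log directory and look for any regular file with the other-write bit set after the service has started once.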
@andir andir added 1.severity: security 9.needs: port to stable A PR needs a backport to the stable release. labels Oct 26, 2018
@andir andir requested a review from Mic92 October 26, 2018 13:13
@GrahamcOfBorg GrahamcOfBorg added 6.topic: GNOME GNOME desktop environment and its underlying platform 10.rebuild-darwin: 11-100 10.rebuild-linux: 101-500 labels Oct 26, 2018
@GrahamcOfBorg

Success on x86_64-darwin

Attempted: taglib, yara

The following builds were skipped because they don't evaluate on x86_64-darwin: batik, kiwix, sddm

Partial log:

-- Installing: /nix/store/cqk88hjbjx2xg8vp7bkmc7ldxh5ah1ds-taglib-1.11.1/lib/libtag_c.0.0.0.dylib
-- Installing: /nix/store/cqk88hjbjx2xg8vp7bkmc7ldxh5ah1ds-taglib-1.11.1/lib/libtag_c.0.dylib
-- Installing: /nix/store/cqk88hjbjx2xg8vp7bkmc7ldxh5ah1ds-taglib-1.11.1/lib/libtag_c.dylib
-- Installing: /nix/store/cqk88hjbjx2xg8vp7bkmc7ldxh5ah1ds-taglib-1.11.1/include/taglib/tag_c.h
-- Installing: /nix/store/cqk88hjbjx2xg8vp7bkmc7ldxh5ah1ds-taglib-1.11.1/lib/pkgconfig/taglib_c.pc
post-installation fixup
strip is /nix/store/g5r4apl0za012ffs6ladinwa5w0m1l3k-cctools-binutils-darwin/bin/strip
stripping (with command strip and flags -S) in /nix/store/cqk88hjbjx2xg8vp7bkmc7ldxh5ah1ds-taglib-1.11.1/lib  /nix/store/cqk88hjbjx2xg8vp7bkmc7ldxh5ah1ds-taglib-1.11.1/bin
patching script interpreter paths in /nix/store/cqk88hjbjx2xg8vp7bkmc7ldxh5ah1ds-taglib-1.11.1
/nix/store/cqk88hjbjx2xg8vp7bkmc7ldxh5ah1ds-taglib-1.11.1/bin/taglib-config: interpreter directive changed from "/bin/sh" to "/nix/store/n9hba031gjky8hpjgx9fnlaxhidyzxbz-bash-4.4-p23/bin/sh"

@GrahamcOfBorg

Success on x86_64-linux

Attempted: sddm, taglib, yara

The following builds were skipped because they don't evaluate on x86_64-linux: batik, kiwix

Partial log:

shrinking /nix/store/5hf502dvxv04z8lnlzbqr616vy4p5hm6-yara-3.8.1/bin/yara
shrinking /nix/store/5hf502dvxv04z8lnlzbqr616vy4p5hm6-yara-3.8.1/lib/libyara.so.3.8.1
gzipping man pages under /nix/store/5hf502dvxv04z8lnlzbqr616vy4p5hm6-yara-3.8.1/share/man/
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/5hf502dvxv04z8lnlzbqr616vy4p5hm6-yara-3.8.1/lib  /nix/store/5hf502dvxv04z8lnlzbqr616vy4p5hm6-yara-3.8.1/bin
patching script interpreter paths in /nix/store/5hf502dvxv04z8lnlzbqr616vy4p5hm6-yara-3.8.1
checking for references to /build in /nix/store/5hf502dvxv04z8lnlzbqr616vy4p5hm6-yara-3.8.1...
/nix/store/k0q25mfpd8kqn9mdanb48wg667k264d6-sddm-0.18.0
/nix/store/5lp8y3135jy4fm80897r9faiy5bqcml0-taglib-1.11.1
/nix/store/5hf502dvxv04z8lnlzbqr616vy4p5hm6-yara-3.8.1

@GrahamcOfBorg

Success on aarch64-linux

Attempted: sddm, taglib, yara

The following builds were skipped because they don't evaluate on aarch64-linux: batik, kiwix

Partial log:

stripping (with command strip and flags -S) in /nix/store/59w9rx2yqs8wlhqamby4rx7cd1jxhc05-sddm-0.18.0/lib  /nix/store/59w9rx2yqs8wlhqamby4rx7cd1jxhc05-sddm-0.18.0/libexec  /nix/store/59w9rx2yqs8wlhqamby4rx7cd1jxhc05-sddm-0.18.0/bin
patching script interpreter paths in /nix/store/59w9rx2yqs8wlhqamby4rx7cd1jxhc05-sddm-0.18.0
/nix/store/59w9rx2yqs8wlhqamby4rx7cd1jxhc05-sddm-0.18.0/share/sddm/scripts/wayland-session: interpreter directive changed from "/bin/sh" to "/nix/store/dsyc1z7ck08ga7l0b1jcxx35wj69qcii-bash-4.4-p23/bin/sh"
/nix/store/59w9rx2yqs8wlhqamby4rx7cd1jxhc05-sddm-0.18.0/share/sddm/scripts/Xsession: interpreter directive changed from " /bin/sh" to "/nix/store/dsyc1z7ck08ga7l0b1jcxx35wj69qcii-bash-4.4-p23/bin/sh"
checking for references to /build in /nix/store/59w9rx2yqs8wlhqamby4rx7cd1jxhc05-sddm-0.18.0...
postPatchMkspecs
postPatchMkspecs
/nix/store/59w9rx2yqs8wlhqamby4rx7cd1jxhc05-sddm-0.18.0
/nix/store/l6kbpaql9kq8axfdbm03bdylwx9drl71-taglib-1.11.1
/nix/store/15ss7z3pj1h80z45wwmsv37b32pc05ld-yara-3.8.1

@Mic92 (Member) left a comment

Tested sddm, but not any other packages.

@andir andir merged commit 30a0b4c into NixOS:master Oct 26, 2018
@andir andir deleted the secfoo branch October 26, 2018 15:18
@bkchr (Contributor) commented Oct 28, 2018

Hey, I had a pull request for sddm 0.18 since July: #43978
We did not merge it because it breaks the plasma5 tests. Does that test work for you? For me locally it still fails with your commit.

@andir (Member, Author) commented Oct 28, 2018

@bkchr Oh, I must have missed those. I did those commits a few weeks ago and asked mic92 to test them once more so as not to be blind to my own issues...

@GrahamcOfBorg test plasma5

@GrahamcOfBorg

Timed out, unknown build status on x86_64-linux

Attempted: tests.plasma5

Partial log:

building '/nix/store/sb02f4x1cnzxpv5yi82zws0h4y3xhg6g-xsession-wrapper.drv'...
building '/nix/store/3hb4bjvqx1sfrfbvzqxbvwdlya7v329h-sddm.conf.drv'...
cannot build derivation '/nix/store/37j5hbm63idrkq04y8siy7l9mg5i217w-etc.drv': 6 dependencies couldn't be built
cannot build derivation '/nix/store/h3vk19z8pikk2ixjn6xr1g73zwwc39kj-nixos-system-machine-19.03.git.07db5f1.drv': 2 dependencies couldn't be built
cannot build derivation '/nix/store/50djkzr9kx05hbjygdnnbwgibz4l5nh1-closure-info.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/d7ayn91z6p433razm2bnhyn0rs6v6wsn-run-nixos-vm.drv': 2 dependencies couldn't be built
cannot build derivation '/nix/store/x4hk7zh7vr4j0arwxcm8sv0am6dsbg6s-nixos-vm.drv': 2 dependencies couldn't be built
cannot build derivation '/nix/store/qraf9dglhxm1qkvjprid7lpkd73lnchq-nixos-test-driver-plasma5.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/mw088c40hqy7bmh8r20cz82l2kncb0d2-vm-test-run-plasma5.drv': 1 dependencies couldn't be built
error: build of '/nix/store/mw088c40hqy7bmh8r20cz82l2kncb0d2-vm-test-run-plasma5.drv' failed

@GrahamcOfBorg

Timed out, unknown build status on aarch64-linux

Attempted: tests.plasma5

Partial log:

machine: performing optical character recognition
machine: sending monitor command: screendump /build/ocrin.ppm
machine: performing optical character recognition
machine: sending monitor command: screendump /build/ocrin.ppm
machine: performing optical character recognition
machine: sending monitor command: screendump /build/ocrin.ppm
machine: performing optical character recognition
machine: sending monitor command: screendump /build/ocrin.ppm
building of '/nix/store/0iydfszs8nsfyy149hgrkfq6srfy16cl-vm-test-run-plasma5.drv' timed out after 3600 seconds
error: build of '/nix/store/0iydfszs8nsfyy149hgrkfq6srfy16cl-vm-test-run-plasma5.drv' failed

@samueldr samueldr removed the 9.needs: port to stable A PR needs a backport to the stable release. label Apr 17, 2019