Security Update: pythonPackages.moinmoin: 1.9.9 -> 1.9.10 #48589

Closed

florianjacob
Contributor

contains fix for CVE-2017-5934: http://moinmo.in/SecurityFixes
Patch can be removed as it's integrated in 1.9.10:
moinwiki/moin-1.9@672e54a

Motivation for this change

This minor release fixes a security-critical XSS attack vector and should be backported to stable.
This release also changes some behaviour by including better defaults, I see nothing in the Changelog that would be a breaking change.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@florianjacob changed the title from "moinmoin: 1.9.9 -> 1.9.10" to "pythonPackages.moinmoin: 1.9.9 -> 1.9.10" on Oct 16, 2018
@xeji
Contributor

xeji commented Oct 16, 2018

@GrahamcOfBorg build python27Packages.moinmoin

@GrahamcOfBorg

Failure on x86_64-linux (full log)

Attempted: python27Packages.moinmoin

Partial log (click to expand)



----------------------------------------------------------------------
Ran 9 tests in 0.001s

FAILED (errors=9)
Test failed: <unittest.runner.TextTestResult run=9 errors=9 failures=0>
error: Test failed: <unittest.runner.TextTestResult run=9 errors=9 failures=0>
builder for '/nix/store/df0kp971qvnaw1qx9wni9myxf571aivr-python2.7-moinmoin-1.9.10.drv' failed with exit code 1
error: build of '/nix/store/df0kp971qvnaw1qx9wni9myxf571aivr-python2.7-moinmoin-1.9.10.drv' failed

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: python27Packages.moinmoin

Partial log (click to expand)

running build_ext
2018-10-16 22:48:29,405 INFO MoinMoin.log:151 using logging configuration read from built-in fallback in MoinMoin.log module
2018-10-16 22:48:29,405 INFO MoinMoin.log:157 Running MoinMoin 1.9.10 release code from /build/moin-1.9.10/MoinMoin

----------------------------------------------------------------------
Ran 0 tests in 0.000s

OK
pytestcachePhase
/nix/store/hhcr947q89dz0bhkmpyz1ydb06792s7i-python2.7-moinmoin-1.9.10

@GrahamcOfBorg

Success on x86_64-darwin (full log)

Attempted: python27Packages.moinmoin

Partial log (click to expand)

writing manifest file 'moin.egg-info/SOURCES.txt'
running build_ext
2018-10-17 01:34:34,474 INFO MoinMoin.log:151 using logging configuration read from built-in fallback in MoinMoin.log module
2018-10-17 01:34:34,474 INFO MoinMoin.log:157 Running MoinMoin 1.9.10 release code from /private/tmp/nix-build-python2.7-moinmoin-1.9.10.drv-0/moin-1.9.10/MoinMoin

----------------------------------------------------------------------
Ran 0 tests in 0.000s

OK
pytestcachePhase

@xeji
Contributor

xeji commented Oct 16, 2018

This looks weird. 0 tests run on aarch64/darwin, but 9 tests run and failed on x86_64-linux. What's wrong here?

Member

@FRidh FRidh left a comment

tests need to be fixed

@florianjacob
Contributor Author

@GrahamcOfBorg build python27Packages.moinmoin

@GrahamcOfBorg

Failure on x86_64-linux (full log)

Attempted: python27Packages.moinmoin

Partial log (click to expand)



----------------------------------------------------------------------
Ran 9 tests in 0.001s

FAILED (errors=9)
Test failed: <unittest.runner.TextTestResult run=9 errors=9 failures=0>
error: Test failed: <unittest.runner.TextTestResult run=9 errors=9 failures=0>
builder for '/nix/store/yafdvsi8bvr4pxsnpdch3zvqfgy5clpn-python2.7-moinmoin-1.9.10.drv' failed with exit code 1
error: build of '/nix/store/yafdvsi8bvr4pxsnpdch3zvqfgy5clpn-python2.7-moinmoin-1.9.10.drv' failed

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: python27Packages.moinmoin

Partial log (click to expand)

writing manifest file 'moin.egg-info/SOURCES.txt'
running build_ext
2018-10-17 17:48:46,046 INFO MoinMoin.log:151 using logging configuration read from built-in fallback in MoinMoin.log module
2018-10-17 17:48:46,046 INFO MoinMoin.log:157 Running MoinMoin 1.9.10 release code from /build/moin-1.9.10/MoinMoin

----------------------------------------------------------------------
Ran 0 tests in 0.000s

OK
pytestcachePhase

@florianjacob
Contributor Author

The tests fail because the werkzeug library can't be imported during the tests. werkzeug is in checkInput though, which should allow exactly this.

Could somebody explain to me please how it's possible that OfBorg runs the tests even if doCheck is not explicitly set to true? Also, is there a way to enable tests ad-hoc for a single package when building? Did not detect this as my computer was just not running the tests, but instead gives the same output as the darwin and aarch64 builds. So wherever doCheck is activated, it's probably only done for x86_64-linux.

It's strange though that while doCheck is not specified, there's the patch and checkInputs to make them work in theory.

@xeji
Contributor

xeji commented Oct 17, 2018

Could somebody explain to me please how it's possible that OfBorg runs the tests even if doCheck is not explicitly set to true?

buildPythonPackage enables doCheck on all platforms by default (at least when using setuptools, which it does in most cases). This is different to non-Python packages, where doCheck = false by default.

@florianjacob
Contributor Author

@GrahamcOfBorg build python27Packages.moinmoin

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: python27Packages.moinmoin

Partial log (click to expand)

running build_ext
2018-11-13 13:10:58,152 INFO MoinMoin.log:151 using logging configuration read from built-in fallback in MoinMoin.log module
2018-11-13 13:10:58,153 INFO MoinMoin.log:157 Running MoinMoin 1.9.10 release code from /build/moin-1.9.10/MoinMoin

----------------------------------------------------------------------
Ran 0 tests in 0.000s

OK
pytestcachePhase
/nix/store/7p4syhrd3zml1k6izp7j8czpvrwjhrbx-python2.7-moinmoin-1.9.10

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: python27Packages.moinmoin

Partial log (click to expand)


----------------------------------------------------------------------
Ran 0 tests in 0.000s

OK
pytestcachePhase
cannot link '/nix/store/.links/175xcigmq0y3gmfj9rki08ps89240rx7rmi0c42jixh79jjzivxg' to '/nix/store/w5cx940x1715qfmmx6zjzpw3a3843z23-python2.7-moinmoin-1.9.10/lib/python2.7/site-packages/MoinMoin/parser/text_python.pyc': No space left on device
cannot link '/nix/store/.links/0km1r7w2h4ksnk5krr6a252z7n6vc0hxa8v9kvh3lxhpjqwrfb7q' to '/nix/store/w5cx940x1715qfmmx6zjzpw3a3843z23-python2.7-moinmoin-1.9.10/lib/python2.7/site-packages/MoinMoin/web/static/htdocs/classic/img/moin-raw.png': No space left on device
cannot link '/nix/store/.links/0km1r7w2h4ksnk5krr6a252z7n6vc0hxa8v9kvh3lxhpjqwrfb7q' to '/nix/store/w5cx940x1715qfmmx6zjzpw3a3843z23-python2.7-moinmoin-1.9.10/lib/python2.7/site-packages/MoinMoin/web/static/htdocs/modern/img/moin-raw.png': No space left on device
cannot link '/nix/store/.links/0km1r7w2h4ksnk5krr6a252z7n6vc0hxa8v9kvh3lxhpjqwrfb7q' to '/nix/store/w5cx940x1715qfmmx6zjzpw3a3843z23-python2.7-moinmoin-1.9.10/lib/python2.7/site-packages/MoinMoin/web/static/htdocs/rightsidebar/img/moin-raw.png': No space left on device

@florianjacob
Contributor Author

Well, one month later, my local nix-build nixpkgs/nixos -A pkgs.pythonPackages.moinmoin still runs 0 tests, but at least GrahamcOfBorg now agrees with my local machine.

Still no idea why the tests are not executed though, even inserting a manual doCheck = true; makes no difference.
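
An added example, not part of the original thread and not nixpkgs or OfBorg code: the logs quoted above show builds reported as successful where `Ran 0 tests` is followed by `OK`, so no test ran against the updated package. The sketch below classifies unittest summaries so that a zero-test run is reported separately from a real pass; the function name `classify_test_log` and the sample logs are constructed for illustration.

```python
import re

# Summary lines of Python's unittest text runner, as they appear in the logs above.
RAN_RE = re.compile(r"^Ran (\d+) tests? in [\d.]+s$")
FAILED_RE = re.compile(r"^FAILED \(.+\)$")


def classify_test_log(log_text):
    """Return (verdict, tests_run) for one build log.

    "failed"     : a runner reported failures or errors
    "vacuous"    : runner said OK, but zero tests were executed
    "passed"     : runner said OK and at least one test ran
    "no-summary" : no complete unittest summary was found
    """
    total, saw_ran, saw_ok, failed = 0, False, False, False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RAN_RE.match(line)
        if m:
            saw_ran = True
            total += int(m.group(1))  # a log may contain several runner summaries
        elif saw_ran and FAILED_RE.match(line):
            failed = True
        elif saw_ran and (line == "OK" or line.startswith("OK (")):
            saw_ok = True
    if failed:
        return "failed", total
    if not (saw_ran and saw_ok):
        return "no-summary", total
    return ("passed" if total > 0 else "vacuous"), total


# Constructed sample logs in the format quoted in this thread.
LOG_ERRORS = "Ran 9 tests in 0.001s\n\nFAILED (errors=9)\nTest failed: <...>\n"
LOG_ZERO = "running build_ext\nRan 0 tests in 0.000s\n\nOK\npytestcachePhase\n"
LOG_REAL = "Ran 12 tests in 0.340s\n\nOK\n"

if __name__ == "__main__":
    for name, log in [("errors", LOG_ERRORS), ("zero", LOG_ZERO), ("real", LOG_REAL)]:
        print(name, classify_test_log(log))
```
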

@florianjacob changed the title from "pythonPackages.moinmoin: 1.9.9 -> 1.9.10" to "Security Update: pythonPackages.moinmoin: 1.9.9 -> 1.9.10" on Dec 22, 2018
contains fix for CVE-2017-5934
patch can be removed as it's integrated in 1.9.10:
moinwiki/moin-1.9@672e54a
@florianjacob
Contributor Author

@GrahamcOfBorg build python27Packages.moinmoin

@xeji
Contributor

xeji commented Mar 8, 2019

closing in favor of #56970

@xeji xeji closed this Mar 8, 2019
@florianjacob florianjacob deleted the moinmoin branch March 10, 2019 08:58