NixOS/nixpkgs-channels: comparing changes 6a3f5bcb061e...f4bb9c421f6a
This repository was archived by the owner on Apr 12, 2021. It is now read-only.

base repository: NixOS/nixpkgs-channels, base: 6a3f5bcb061e
head repository: NixOS/nixpkgs-channels, compare: f4bb9c421f6a

  • 13 commits
  • 12 files changed
  • 7 contributors

Commits on Oct 6, 2018

  1. dbeaver: 5.2.0 -> 5.2.1

    (cherry picked from commit 2012860)
    samueldr committed Oct 6, 2018 (8810238)
  2. miniupnpd: wrap iptables scripts to use correct PATH

    (cherry picked from commit 2039327)
    bobvanderlinden authored and samueldr committed Oct 6, 2018 (9dc6bdc)
  3. nixos: miniupnpd: use iptables scripts

    (cherry picked from commit d3eff01)
    bobvanderlinden authored and samueldr committed Oct 6, 2018 (4342bdd)
  4. tests: upnp: init test for upnp using miniupnpd / miniupnpc

    (cherry picked from commit 32c63c6)
    bobvanderlinden authored and samueldr committed Oct 6, 2018 (3ab4c76)
  5. tests: bittorrent: improve stability

    This attempts to improve stability of the test by using existing
    services for miniupnpd and transmission.
    
    It also uses explicit addresses for the network interfaces so that the
    external IP addresses are valid internet addresses (thus fixing
    validation problems from upnpc).
    
    Also disable eth0 from being used to transfer torrents over without that
    being the intention.
    
    (cherry picked from commit 276ffc5)
    bobvanderlinden authored and samueldr committed Oct 6, 2018 (b453212)
  6. tests: bittorrent: add bobvanderlinden as maintainer

    (cherry picked from commit 5fbc521)
    bobvanderlinden authored and samueldr committed Oct 6, 2018 (fc8769d)
  7. ghostscript: 9.24 -> 9.25 (#47948)

    Highlights in this release include:
    
    This release fixes problems with argument handling, some unintended results of the security fixes to the SAFER file access restrictions (specifically accessing ICC profile files), and some additional security issues over the recent 9.24 release.
    
    CVE-2018-16802
    CVE-2018-17183
    
    Note: The ps2epsi utility does not, and cannot, call Ghostscript with the -dSAFER command line option. It should never be called with input from untrusted sources.
    
    Security issues have been the primary focus of this release, including solving several (well publicised) real and potential exploits.
    PLEASE NOTE: We strongly urge users to upgrade to this latest release to avoid these issues.
    
    As well as Ghostscript itself, jbig2dec has had a significant amount of work improving its robustness in the face of out specification files.
    
    IMPORTANT: We are in the process of forking LittleCMS. LCMS2 is not thread safe, and cannot be made thread safe without breaking the ABI. Our fork will be thread safe, and include performance enhancements (these changes have all been offered and rejected upstream). We will maintain compatibility between Ghostscript and LCMS2 for a time, but not in perpetuity. Our fork will be available as its own package separately from Ghostscript (and MuPDF).
    
    The usual round of bug fixes, compatibility changes, and incremental improvements.
    
    (cherry picked from commit 5b77b0d2f1eda9a42fe188eafb499230741e7925)
    flokli authored and xeji committed Oct 6, 2018 (dbcbf7c)
  8. Merge pull request #47952 from samueldr/auto/dbeaver/nixos-18.09/5.2.1

    dbeaver: 5.2.0 -> 5.2.1 (18.09)
    Mic92 authored Oct 6, 2018 (c7dc01c; verified: created on GitHub.com and signed with GitHub's key, key has expired)
  9. firefox-esr-52: mark as unsupported

    The ESR release is no longer supported by Mozilla. We should mark it as
    insecure as we did on 18.03 and master.
    
    Originally marked as insecure on master in 0a3f070.
    andir (Andreas Rammhold) committed Oct 6, 2018 (f26df15; verified: signed with the committer's key, key has expired)
  10. firefox: provide clang configure flags on i686

    With the upgrade to firefox 62 clang flags are now required on i686.
    
    (cherry picked from commit acf4a4e)
    andir (Andreas Rammhold) committed Oct 6, 2018 (98e6fa3; verified: signed with the committer's key, key has expired)
  11. telepresence: 0.85 -> 0.93 (#47966)

    (cherry picked from commit a134b9a)
    
    backported because the previous version failed to build
    offlinehacker authored and xeji committed Oct 6, 2018 (9eb724f)
  12. nodePackages.webtorrent-cli: add node-gyp dependency, fixes build

    (cherry picked from commit ce4072c)
    schneefux authored and Mic92 committed Oct 6, 2018 (299814b)
  13. Merge pull request #47956 from samueldr/18.09/backport-46443

    [backport] Miniupnpd and bittorrent improvements (#46443)
    samueldr authored Oct 6, 2018 (f4bb9c4; verified: created on GitHub.com and signed with GitHub's key, key has expired)
24 changes: 2 additions & 22 deletions nixos/modules/services/networking/miniupnpd.nix
@@ -57,32 +57,12 @@ in
};

config = mkIf cfg.enable {
# from miniupnpd/netfilter/iptables_init.sh
networking.firewall.extraCommands = ''
iptables -t nat -N MINIUPNPD
iptables -t nat -A PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
iptables -t mangle -N MINIUPNPD
iptables -t mangle -A PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
iptables -t filter -N MINIUPNPD
iptables -t filter -A FORWARD -i ${cfg.externalInterface} ! -o ${cfg.externalInterface} -j MINIUPNPD
iptables -t nat -N MINIUPNPD-PCP-PEER
iptables -t nat -A POSTROUTING -o ${cfg.externalInterface} -j MINIUPNPD-PCP-PEER
${pkgs.bash}/bin/bash -x ${pkgs.miniupnpd}/etc/miniupnpd/iptables_init.sh -i ${cfg.externalInterface}
'';

# from miniupnpd/netfilter/iptables_removeall.sh
networking.firewall.extraStopCommands = ''
iptables -t nat -F MINIUPNPD
iptables -t nat -D PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
iptables -t nat -X MINIUPNPD
iptables -t mangle -F MINIUPNPD
iptables -t mangle -D PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
iptables -t mangle -X MINIUPNPD
iptables -t filter -F MINIUPNPD
iptables -t filter -D FORWARD -i ${cfg.externalInterface} ! -o ${cfg.externalInterface} -j MINIUPNPD
iptables -t filter -X MINIUPNPD
iptables -t nat -F MINIUPNPD-PCP-PEER
iptables -t nat -D POSTROUTING -o ${cfg.externalInterface} -j MINIUPNPD-PCP-PEER
iptables -t nat -X MINIUPNPD-PCP-PEER
${pkgs.bash}/bin/bash -x ${pkgs.miniupnpd}/etc/miniupnpd/iptables_removeall.sh -i ${cfg.externalInterface}
'';

systemd.services.miniupnpd = {
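Review bot: `bash -x` in both extraCommands and extraStopCommands turns on shell tracing for every firewall start and stop, so each command the scripts run is written to the firewall unit's journal, and because the package's postFixup (later in this diff) replaces iptables_init.sh and iptables_removeall.sh with makeWrapper stubs that exec the real scripts, `-x` ends up tracing only the stub, not the iptables commands. Drop `-x` (or make it opt-in for debugging) and invoke the scripts directly, e.g. `${pkgs.miniupnpd}/etc/miniupnpd/iptables_init.sh -i ${cfg.externalInterface}`. Also keep a short comment on which chains the scripts create: the explicit MINIUPNPD and MINIUPNPD-PCP-PEER rules in the nat, mangle and filter tables that used to be readable in this module now live inside the package, so someone auditing this module's firewall effect has to open the upstream script to see them.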
1 change: 1 addition & 0 deletions nixos/release.nix
@@ -247,6 +247,7 @@ in rec {
tests.acme = callTest tests/acme.nix {};
tests.avahi = callTest tests/avahi.nix {};
tests.beegfs = callTest tests/beegfs.nix {};
tests.upnp = callTest tests/upnp.nix {};
tests.bittorrent = callTest tests/bittorrent.nix {};
tests.bind = callTest tests/bind.nix {};
#tests.blivet = callTest tests/blivet.nix {}; # broken since 2017-07024
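Review bot: `tests.upnp` is inserted between beegfs and bittorrent, breaking the alphabetical order this list otherwise keeps (bind and bittorrent follow it); move it down among the t/u entries so the list stays sorted and later additions don't conflict on this line.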
101 changes: 67 additions & 34 deletions nixos/tests/bittorrent.nix
@@ -13,57 +13,95 @@ let
# Some random file to serve.
file = pkgs.hello.src;

miniupnpdConf = nodes: pkgs.writeText "miniupnpd.conf"
''
ext_ifname=eth1
listening_ip=${(pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ipv4.addresses).address}/24
allow 1024-65535 192.168.2.0/24 1024-65535
'';

internalRouterAddress = "192.168.3.1";
internalClient1Address = "192.168.3.2";
externalRouterAddress = "80.100.100.1";
externalClient2Address = "80.100.100.2";
externalTrackerAddress = "80.100.100.3";
in

{
name = "bittorrent";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ domenkozar eelco chaoflow rob wkennington ];
maintainers = [ domenkozar eelco chaoflow rob wkennington bobvanderlinden ];
};

nodes =
{ tracker =
{ pkgs, ... }:
{ environment.systemPackages = [ pkgs.transmission pkgs.opentracker ];
{ environment.systemPackages = [ pkgs.transmission ];

virtualisation.vlans = [ 1 ];
networking.interfaces.eth1.ipv4.addresses = [
{ address = externalTrackerAddress; prefixLength = 24; }
];

# We need Apache on the tracker to serve the torrents.
services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org";
services.httpd.documentRoot = "/tmp";

networking.firewall.enable = false; # FIXME: figure out what ports we actually need
networking.firewall.enable = false;

services.opentracker.enable = true;

services.transmission.enable = true;
services.transmission.settings.dht-enabled = false;
services.transmission.settings.port-forwaring-enabled = false;
};

router =
{ pkgs, ... }:
{ environment.systemPackages = [ pkgs.miniupnpd ];
virtualisation.vlans = [ 1 2 ];
{ pkgs, nodes, ... }:
{ virtualisation.vlans = [ 1 2 ];
networking.nat.enable = true;
networking.nat.internalInterfaces = [ "eth2" ];
networking.nat.externalInterface = "eth1";
networking.firewall.enable = false;
networking.firewall.enable = true;
networking.firewall.trustedInterfaces = [ "eth2" ];
networking.interfaces.eth0.ipv4.addresses = [];
networking.interfaces.eth1.ipv4.addresses = [
{ address = externalRouterAddress; prefixLength = 24; }
];
networking.interfaces.eth2.ipv4.addresses = [
{ address = internalRouterAddress; prefixLength = 24; }
];
services.miniupnpd = {
enable = true;
externalInterface = "eth1";
internalIPs = [ "eth2" ];
appendConfig = ''
ext_ip=${externalRouterAddress}
'';
};
};

client1 =
{ pkgs, nodes, ... }:
{ environment.systemPackages = [ pkgs.transmission ];
{ environment.systemPackages = [ pkgs.transmission pkgs.miniupnpc ];
virtualisation.vlans = [ 2 ];
networking.defaultGateway =
(pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ipv4.addresses).address;
networking.interfaces.eth0.ipv4.addresses = [];
networking.interfaces.eth1.ipv4.addresses = [
{ address = internalClient1Address; prefixLength = 24; }
];
networking.defaultGateway = internalRouterAddress;
networking.firewall.enable = false;
services.transmission.enable = true;
services.transmission.settings.dht-enabled = false;
services.transmission.settings.message-level = 3;
};

client2 =
{ pkgs, ... }:
{ environment.systemPackages = [ pkgs.transmission ];
virtualisation.vlans = [ 1 ];
networking.interfaces.eth0.ipv4.addresses = [];
networking.interfaces.eth1.ipv4.addresses = [
{ address = externalClient2Address; prefixLength = 24; }
];
networking.firewall.enable = false;
services.transmission.enable = true;
services.transmission.settings.dht-enabled = false;
services.transmission.settings.port-forwaring-enabled = false;
};
};
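Review bot: `port-forwaring-enabled` (on tracker and client2) is misspelled, so services.transmission.settings writes a key transmission does not recognise and port forwarding stays at its default instead of being turned off; the key is `port-forwarding-enabled`. The test still passes only because the testScript repeats the intent with `--no-portmap`, which masks the typo. Two smaller points: the FIXME about which ports the tracker actually needs was dropped but `networking.firewall.enable = false` is still set on tracker, client1 and client2, so keeping the firewall on with explicit allowedTCPPorts would exercise the path a real deployment takes; and 80.100.100.0/24 is allocated public address space, so the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) would satisfy upnpc's "valid internet address" check without borrowing someone else's prefix, even though the VLANs here never leave the VM.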

@@ -72,43 +110,38 @@ in
''
startAll;
# Enable NAT on the router and start miniupnpd.
$router->waitForUnit("nat");
$router->succeed(
"iptables -w -t nat -N MINIUPNPD",
"iptables -w -t nat -A PREROUTING -i eth1 -j MINIUPNPD",
"echo 1 > /proc/sys/net/ipv4/ip_forward",
"miniupnpd -f ${miniupnpdConf nodes}"
);
# Wait for network and miniupnpd.
$router->waitForUnit("network-online.target");
$router->waitForUnit("miniupnpd");
# Create the torrent.
$tracker->succeed("mkdir /tmp/data");
$tracker->succeed("cp ${file} /tmp/data/test.tar.bz2");
$tracker->succeed("transmission-create /tmp/data/test.tar.bz2 -p -t http://${(pkgs.lib.head nodes.tracker.config.networking.interfaces.eth1.ipv4.addresses).address}:6969/announce -o /tmp/test.torrent");
$tracker->succeed("transmission-create /tmp/data/test.tar.bz2 --private --tracker http://${externalTrackerAddress}:6969/announce --outfile /tmp/test.torrent");
$tracker->succeed("chmod 644 /tmp/test.torrent");
# Start the tracker. !!! use a less crappy tracker
$tracker->waitForUnit("network.target");
$tracker->succeed("opentracker -p 6969 >&2 &");
$tracker->waitForUnit("network-online.target");
$tracker->waitForUnit("opentracker.service");
$tracker->waitForOpenPort(6969);
# Start the initial seeder.
my $pid = $tracker->succeed("transmission-cli /tmp/test.torrent -M -w /tmp/data >&2 & echo \$!");
$tracker->succeed("transmission-remote --add /tmp/test.torrent --no-portmap --no-dht --download-dir /tmp/data");
# Now we should be able to download from the client behind the NAT.
$tracker->waitForUnit("httpd");
$client1->waitForUnit("network.target");
$client1->succeed("transmission-cli http://tracker/test.torrent -w /tmp >&2 &");
$client1->waitForUnit("network-online.target");
$client1->succeed("transmission-remote --add http://${externalTrackerAddress}/test.torrent --download-dir /tmp >&2 &");
$client1->waitForFile("/tmp/test.tar.bz2");
$client1->succeed("cmp /tmp/test.tar.bz2 ${file}");
# Bring down the initial seeder.
$tracker->succeed("kill -9 $pid");
# $tracker->stopJob("transmission");
# Now download from the second client. This can only succeed if
# the first client created a NAT hole in the router.
$client2->waitForUnit("network.target");
$client2->succeed("transmission-cli http://tracker/test.torrent -M -w /tmp >&2 &");
$client2->waitForUnit("network-online.target");
$client2->succeed("transmission-remote --add http://${externalTrackerAddress}/test.torrent --no-portmap --no-dht --download-dir /tmp >&2 &");
$client2->waitForFile("/tmp/test.tar.bz2");
$client2->succeed("cmp /tmp/test.tar.bz2 ${file}");
'';
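Review bot: the step that brings down the initial seeder is now commented out (`# $tracker->stopJob("transmission");`), yet the comment that follows still claims client2's download "can only succeed if the first client created a NAT hole in the router". With the tracker's transmission still seeding, client2 can fetch the whole file from the tracker and the test no longer proves the UPnP mapping works; either restore the stop (e.g. `$tracker->stopJob("transmission")` before client2 starts) or drop the claim. Separately, `$client1->succeed("transmission-remote --add ... >&2 &")` and the matching client2 line background the command, so succeed() only sees the shell's immediate exit status and a failing --add would surface only as a waitForFile timeout; transmission-remote returns promptly, so the trailing `&` can go.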
94 changes: 94 additions & 0 deletions nixos/tests/upnp.nix
@@ -0,0 +1,94 @@
# This tests whether UPnP port mappings can be created using Miniupnpd
# and Miniupnpc.
# It runs a Miniupnpd service on one machine, and verifies
# a client can indeed create a port mapping using Miniupnpc. If
# this succeeds an external client will try to connect to the port
# mapping.

import ./make-test.nix ({ pkgs, ... }:

let
internalRouterAddress = "192.168.3.1";
internalClient1Address = "192.168.3.2";
externalRouterAddress = "80.100.100.1";
externalClient2Address = "80.100.100.2";
in
{
name = "upnp";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ bobvanderlinden ];
};

nodes =
{
router =
{ pkgs, nodes, ... }:
{ virtualisation.vlans = [ 1 2 ];
networking.nat.enable = true;
networking.nat.internalInterfaces = [ "eth2" ];
networking.nat.externalInterface = "eth1";
networking.firewall.enable = true;
networking.firewall.trustedInterfaces = [ "eth2" ];
networking.interfaces.eth1.ipv4.addresses = [
{ address = externalRouterAddress; prefixLength = 24; }
];
networking.interfaces.eth2.ipv4.addresses = [
{ address = internalRouterAddress; prefixLength = 24; }
];
services.miniupnpd = {
enable = true;
externalInterface = "eth1";
internalIPs = [ "eth2" ];
appendConfig = ''
ext_ip=${externalRouterAddress}
'';
};
};

client1 =
{ pkgs, nodes, ... }:
{ environment.systemPackages = [ pkgs.miniupnpc pkgs.netcat ];
virtualisation.vlans = [ 2 ];
networking.defaultGateway = internalRouterAddress;
networking.interfaces.eth1.ipv4.addresses = [
{ address = internalClient1Address; prefixLength = 24; }
];
networking.firewall.enable = false;

services.httpd.enable = true;
services.httpd.listen = [{ ip = "*"; port = 9000; }];
services.httpd.adminAddr = "foo@example.org";
services.httpd.documentRoot = "/tmp";
};

client2 =
{ pkgs, ... }:
{ environment.systemPackages = [ pkgs.miniupnpc ];
virtualisation.vlans = [ 1 ];
networking.interfaces.eth1.ipv4.addresses = [
{ address = externalClient2Address; prefixLength = 24; }
];
networking.firewall.enable = false;
};
};

testScript =
{ nodes, ... }:
''
startAll;
# Wait for network and miniupnpd.
$router->waitForUnit("network-online.target");
# $router->waitForUnit("nat");
$router->waitForUnit("firewall.service");
$router->waitForUnit("miniupnpd");
$client1->waitForUnit("network-online.target");
$client1->succeed("upnpc -a ${internalClient1Address} 9000 9000 TCP");
$client1->waitForUnit("httpd");
$client2->waitUntilSucceeds("curl http://${externalRouterAddress}:9000/");
'';

})
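Review bot: the test only checks the positive path: `upnpc -a ${internalClient1Address} 9000 9000 TCP` asks the router to forward to the requester's own address and the test passes once curl from client2 succeeds. Nothing checks that a mapping pointing at another host (e.g. `$client1->fail("upnpc -a ${internalRouterAddress} 80 8080 TCP")`, with secure_mode=yes in the generated miniupnpd.conf via appendConfig if the module does not set it) is refused, that `upnpc -d 9000 TCP` removes the rule and the curl then fails, or that the port is not reachable before the mapping exists. Those negative checks are what make this a security test, since the point of `networking.firewall.trustedInterfaces = [ "eth2" ]` plus UPnP is that only LAN hosts can open holes and only for themselves. Minor: `# $router->waitForUnit("nat");` is dead code, and the header comment says "an external client will try to connect" without stating the expected outcome (that the connection succeeds).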
4 changes: 2 additions & 2 deletions pkgs/applications/misc/dbeaver/default.nix
@@ -7,7 +7,7 @@

stdenv.mkDerivation rec {
name = "dbeaver-ce-${version}";
version = "5.2.0";
version = "5.2.1";

desktopItem = makeDesktopItem {
name = "dbeaver";
@@ -30,7 +30,7 @@ stdenv.mkDerivation rec {

src = fetchurl {
url = "https://dbeaver.io/files/${version}/dbeaver-ce-${version}-linux.gtk.x86_64.tar.gz";
sha256 = "13j2qc4g24d2gmkxj9zpqrcbai9aq8rassrq3c9mp9ir6sf4q0jf";
sha256 = "0zm320cdpypv2s58gcg89mdkir9xpz1824dscfqkmahx89g1ma81";
};

installPhase = ''
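Review bot: src is a prebuilt x86_64 binary tarball from dbeaver.io, so the sha256 on this line is the only integrity control for what ends up in the store, and the bump swaps the hash together with the version without saying where the new hash came from. For a binary release it is worth recording in the commit that the hash was taken from a fresh `nix-prefetch-url` of the upstream file (not copied from a build error) or cross-checked against the release's published checksum, so a tampered download is not pinned as the blessed hash.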
3 changes: 1 addition & 2 deletions pkgs/applications/networking/browsers/firefox/common.nix
@@ -187,8 +187,7 @@ stdenv.mkDerivation (rec {
]
++ lib.optional (stdenv.isDarwin && lib.versionAtLeast version "61") "--disable-xcode-checks"
++ lib.optional (lib.versionOlder version "61") "--enable-system-hunspell"
++ lib.optionals (lib.versionAtLeast version "56" && !stdenv.hostPlatform.isi686) [
# on i686-linux: --with-libclang-path is not available in this configuration
++ lib.optionals (lib.versionAtLeast version "56") [
"--with-libclang-path=${llvmPackages.libclang}/lib"
"--with-clang-path=${llvmPackages.clang}/bin/clang"
]
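Review bot: the removed comment recorded why i686 was excluded, and the replacement is justified only by the commit message ("with the upgrade to firefox 62 clang flags are now required on i686"), but the condition kept here is `lib.versionAtLeast version "56"`, so every i686 build from 56 up now gets --with-libclang-path and --with-clang-path, including the 56 to 61 range the old comment said the flag is unavailable for. If the flags are only needed from 62 on i686, guard them with a version check (e.g. `!stdenv.hostPlatform.isi686 || lib.versionAtLeast version "62"`) and keep a comment explaining the i686 case.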
1 change: 1 addition & 0 deletions pkgs/applications/networking/browsers/firefox/packages.nix
@@ -60,6 +60,7 @@ rec {

meta = firefox.meta // {
description = "A web browser built from Firefox Extended Support Release source tree";
knownVulnerabilities = [ "Support ended in August 2018." ];
};
updateScript = callPackage ./update.nix {
attrPath = "firefox-esr-52-unwrapped";
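Review bot: the knownVulnerabilities string gives the date but not the actionable part; this list is what nixpkgs shows a user who tries to build the package, so a message like `"Support ended in August 2018; switch to the current firefox-esr or firefox."` tells them what to do. Also consider whether the `updateScript` kept just below still makes sense for a branch that will receive no further releases.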
4 changes: 4 additions & 0 deletions pkgs/development/node-packages/default-v8.nix
@@ -107,4 +107,8 @@ nodePackages // {
dontNpmInstall = true; # We face an error with underscore not found, but the package will work fine if we ignore this.
};

webtorrent-cli = nodePackages.webtorrent-cli.override {
buildInputs = [ nodePackages.node-gyp-build ];
};

}
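Review bot: the commit title says node-gyp but the override adds `nodePackages.node-gyp-build`, which is a different npm package (a helper that loads prebuilt native bindings and falls back to node-gyp); the message should name the package actually added and say which native dependency of webtorrent-cli needed it. Also, `override { buildInputs = [ ... ]; }` replaces whatever buildInputs the generated derivation already passes rather than extending them; if the generated package sets any, use `overrideAttrs (old: { buildInputs = (old.buildInputs or []) ++ [ nodePackages.node-gyp-build ]; })` or append to the existing list.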
5 changes: 2 additions & 3 deletions pkgs/misc/ghostscript/default.nix
@@ -9,9 +9,8 @@ assert x11Support -> xlibsWrapper != null;
assert cupsSupport -> cups != null;
let
version = "9.${ver_min}";
ver_min = "24";
# ghostscript*.tar.xz in https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9xx/SHA512SUMS
sha512 = "dcbeeb5d3dd5ccaf949dc4be68363c50b1d35e647be4790a50b1bbf5f259f1d9181f705be27bfca708c4d270f945ff4b24e3db10b57800c1ee0ea7a40931c547";
ver_min = "25";
sha512 = "18pcqzva7pq2a9mmqf9pq8x4winb6qmzni49vq2qx50k60rwyv1kdmixik3ym2bpj5p1j8g0vb47w7w2cf4lba5q583ylpd8rshn73s";

fonts = stdenv.mkDerivation {
name = "ghostscript-fonts";
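Review bot: the old sha512 was upstream's hex digest and the comment above it pointed at the SHA512SUMS file it was copied from; the new value is a Nix base32 hash and that pointer was dropped, so the hash can no longer be compared with upstream's published sums by eye (it needs `nix-hash --to-base16 --type sha512` first). Keep the comment, and for a release that closes CVE-2018-16802 and CVE-2018-17183 say in the commit what the hash was verified against.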
16 changes: 14 additions & 2 deletions pkgs/tools/networking/miniupnpd/default.nix
@@ -1,5 +1,10 @@
{ stdenv, fetchurl, iptables, libuuid, pkgconfig }:
{ stdenv, lib, fetchurl, iptables, libuuid, pkgconfig
, which, iproute, gnused, coreutils, gawk, makeWrapper
}:

let
scriptBinEnv = lib.makeBinPath [ which iproute iptables gnused coreutils gawk ];
in
stdenv.mkDerivation rec {
name = "miniupnpd-2.1";

@@ -10,14 +15,21 @@ stdenv.mkDerivation rec {
};

buildInputs = [ iptables libuuid ];
nativeBuildInputs= [ pkgconfig ];
nativeBuildInputs= [ pkgconfig makeWrapper ];

makefile = "Makefile.linux";

buildFlags = [ "miniupnpd" "genuuid" ];

installFlags = [ "PREFIX=$(out)" "INSTALLPREFIX=$(out)" ];

postFixup = ''
for script in $out/etc/miniupnpd/ip{,6}tables_{init,removeall}.sh
do
wrapProgram $script --set PATH '${scriptBinEnv}:$PATH'
done
'';

meta = with stdenv.lib; {
homepage = http://miniupnp.free.fr/;
description = "A daemon that implements the UPnP Internet Gateway Device (IGD) specification";
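Review bot: `--set PATH '${scriptBinEnv}:$PATH'` relies on makeWrapper leaving the literal `$PATH` unquoted so that it expands at run time; `--prefix PATH : ${scriptBinEnv}` is the makeWrapper idiom for exactly this and has no such dependency. The loop also uses brace expansion, not a glob, so all four of `ip{,6}tables_{init,removeall}.sh` are passed unconditionally and a missing script would fail the build at wrapProgram rather than be skipped; either iterate over `$out/etc/miniupnpd/*tables_*.sh` or keep the explicit list and note that all four are expected from the 2.1 tarball. Note as well that wrapProgram moves each original to a hidden `.<name>-wrapped` file, which matters for the module change elsewhere in this diff that runs these paths through `bash -x`.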