
Comparing changes

base repository: NixOS/nixpkgs
base: d3be52c83bf0
head repository: NixOS/nixpkgs
compare: ede8a2f1ac80
  • 7 commits
  • 3 files changed
  • 2 contributors

Commits on Oct 25, 2018

  1. fuse3: 3.2.1 -> 3.2.2

    Stop using bin/mount.fuse from fuse3 for fuse2 (mount.fuse from fuse3
    isn't guaranteed to remain backwards compatible).
    
    (cherry picked from commit c00b5bf)
    primeos committed Oct 25, 2018
    c178111 View commit details
  2. fuse3: install fuse.conf without execute bit

    (cherry picked from commit 085eab7)
    7c6f434c authored and primeos committed Oct 25, 2018
    f486260 View commit details
  3. fuse3: 3.2.2 -> 3.2.3

    (cherry picked from commit d3e3e13)
    primeos committed Oct 25, 2018
    ea1b61c View commit details
  4. fuse3: 3.2.3 -> 3.2.4

    (cherry picked from commit fa6941f)
    primeos committed Oct 25, 2018
    289390b View commit details
  5. fuse3: 3.2.4 -> 3.2.5 (security, CVE-2018-10906)

    Upstream changelog:
    - SECURITY UPDATE: In previous versions of libfuse it was possible
      for unprivileged users to specify the allow_other option even when
      this was forbidden in /etc/fuse.conf. The vulnerability is present
      only on systems where SELinux is active (including in permissive
      mode).
    - The fusermount binary has been hardened in several ways to reduce
      potential attack surface. Most importantly, mountpoints and mount
      options must now match a hard-coded whitelist. It is expected that
      this whitelist covers all regular use-cases.
    - Added a test of seekdir to test_syscalls.
    - Fixed readdir bug when non-zero offsets are given to filler and the
      filesystem client, after reading a whole directory, re-reads it from a
      non-zero offset e. g. by calling seekdir followed by readdir.
    
    (cherry picked from commit 46cd782)
    primeos committed Oct 25, 2018
    0e58950 View commit details
  6. fuse: 2.9.7 -> 2.9.8 (security, CVE-2018-10906)

    Upstream changelog:
    - SECURITY UPDATE: In previous versions of libfuse it was possible
      for unprivileged users to specify the allow_other option even when
      this was forbidden in /etc/fuse.conf. The vulnerability is present
      only on systems where SELinux is active (including in permissive
      mode).
    - libfuse no longer segfaults when fuse_interrupted() is called outside
      the event loop.
    - The fusermount binary has been hardened in several ways to reduce
      potential attack surface. Most importantly, mountpoints and mount
      options must now match a hard-coded whitelist. It is expected that
      this whitelist covers all regular use-cases.
    - Fixed rename deadlock on FreeBSD.
    
    (cherry picked from commit ec1082c)
    primeos committed Oct 25, 2018
    228acdc View commit details
  7. Merge pull request #48757 from primeos/security-backports-for-18.03

    [18.03] Security backport for fuse (CVE-2018-10906)
    primeos authored Oct 25, 2018
    ede8a2f View commit details
Showing with 20 additions and 24 deletions.
  1. +8 −13 pkgs/os-specific/linux/fuse/common.nix
  2. +4 −7 pkgs/os-specific/linux/fuse/default.nix
  3. +8 −4 pkgs/os-specific/linux/fuse/fuse3-install.patch
21 changes: 8 additions & 13 deletions pkgs/os-specific/linux/fuse/common.nix
@@ -1,4 +1,4 @@
{ version, sha256Hash, maintainers }:
{ version, sha256Hash }:

{ stdenv, fetchFromGitHub, fetchpatch
, fusePackages, utillinux, gettext
@@ -27,7 +27,6 @@ in stdenv.mkDerivation rec {
})
++ stdenv.lib.optional isFuse3 ./fuse3-install.patch;


nativeBuildInputs = if isFuse3
then [ meson ninja pkgconfig ]
else [ autoconf automake libtool ];
@@ -52,30 +51,26 @@ in stdenv.mkDerivation rec {
# The configure phase will delete these files (temporary workaround for
# ./fuse3-install_man.patch)
install -D -m444 doc/fusermount3.1 $out/share/man/man1/fusermount3.1
install -D -m444 doc/mount.fuse.8 $out/share/man/man8/mount.fuse.8
install -D -m444 doc/mount.fuse3.8 $out/share/man/man8/mount.fuse3.8
'' else ''
sed -e 's@CONFIG_RPATH=/usr/share/gettext/config.rpath@CONFIG_RPATH=${gettext}/share/gettext/config.rpath@' -i makeconf.sh
./makeconf.sh
'');

postFixup = "cd $out\n" + (if isFuse3 then ''
mv bin/mount.fuse3 bin/mount.fuse
install -D -m555 bin/mount.fuse $common/bin/mount.fuse
install -D -m444 etc/udev/rules.d/99-fuse.rules $common/etc/udev/rules.d/99-fuse.rules
install -D -m444 share/man/man8/mount.fuse.8.gz $common/share/man/man8/mount.fuse.8.gz
install -D -m444 etc/fuse.conf $common/etc/fuse.conf
install -D -m444 etc/udev/rules.d/99-fuse3.rules $common/etc/udev/rules.d/99-fuse.rules
'' else ''
cp ${fusePackages.fuse_3.common}/bin/mount.fuse bin/mount.fuse
cp ${fusePackages.fuse_3.common}/etc/fuse.conf etc/fuse.conf
cp ${fusePackages.fuse_3.common}/etc/udev/rules.d/99-fuse.rules etc/udev/rules.d/99-fuse.rules
cp ${fusePackages.fuse_3.common}/share/man/man8/mount.fuse.8.gz share/man/man8/mount.fuse.8.gz
'');

enableParallelBuilding = true;

meta = {
meta = with stdenv.lib; {
inherit (src.meta) homepage;
description = "Kernel module and library that allows filesystems to be implemented in user space";
platforms = stdenv.lib.platforms.linux;
inherit maintainers;
platforms = platforms.linux;
maintainers = [ maintainers.primeos ];
};
}
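Review bot: The `postFixup` block has no comment explaining why the fuse2 branch still takes `etc/fuse.conf` and the udev rule from `fusePackages.fuse_3.common` while `bin/mount.fuse` is, per the commit message, no longer shared. `fuse.conf` is the file the CVE-2018-10906 changelog entry refers to for forbidding `allow_other`, so this coupling between the two packages deserves a line such as `# fuse.conf and the udev rule are shared via fuse_3.common; mount.fuse is deliberately not shared (fuse3's helper is not guaranteed to stay compatible with fuse2)`. The rendered page has lost the `+`/`-` markers, so which of the `install`/`cp` lines survive on the new side is inferred from the commit messages. If `bin/mount.fuse` and `mount.fuse.8.gz` have indeed left the `common` output, any consumer referencing those paths under `fuse_3.common` should be checked before merging.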
11 changes: 4 additions & 7 deletions pkgs/os-specific/linux/fuse/default.nix
@@ -4,17 +4,14 @@ let
mkFuse = args: callPackage (import ./common.nix args) {
inherit utillinux;
};
maintainers = stdenv.lib.maintainers;
in {
fuse_2 = mkFuse {
version = "2.9.7";
sha256Hash = "1wyjjfb7p4jrkk15zryzv33096a5fmsdyr2p4b00dd819wnly2n2";
maintainers = [ ];
version = "2.9.8";
sha256Hash = "0s04ln4k9zvvbjih8ybaa19fxg8xv7dcsz2yrlbk35psnf3l67af";
};

fuse_3 = mkFuse {
version = "3.2.1";
sha256Hash = "19bsvb5lc8k1i0h5ld109kixn6mdshzvg3y7820k9mnw34kh09y0";
maintainers = [ maintainers.primeos ];
version = "3.2.5";
sha256Hash = "0ibf2isbkm8p1gfaqpqblwsg0lm4s1rmcipv1qcg0wc4wwsbnqpx";
};
}
12 changes: 8 additions & 4 deletions pkgs/os-specific/linux/fuse/fuse3-install.patch
@@ -1,6 +1,6 @@
--- a/util/install_helper.sh 1970-01-01 01:00:01.000000000 +0100
+++ b/util/install_helper.sh 2017-09-21 23:43:50.703942577 +0200
@@ -11,19 +11,11 @@
--- a/util/install_helper.sh 2018-04-01 01:05:19.613723599 +0200
+++ b/util/install_helper.sh 2018-04-01 01:06:02.952845382 +0200
@@ -11,22 +11,14 @@
udevrulesdir="$3"
prefix="${MESON_INSTALL_DESTDIR_PREFIX}"

@@ -14,11 +14,15 @@
-
install -D -m 644 "${MESON_SOURCE_ROOT}/util/udev.rules" \
- "${DESTDIR}/${udevrulesdir}/99-fuse3.rules"
+ "${prefix}/${udevrulesdir}/99-fuse.rules"
+ "${prefix}/${udevrulesdir}/99-fuse3.rules"

install -D -m 755 "${MESON_SOURCE_ROOT}/util/init_script" \
- "${DESTDIR}/etc/init.d/fuse3"
+ "${prefix}/etc/init.d/fuse3"

install -D -m 644 "${MESON_SOURCE_ROOT}/util/fuse.conf" \
- "${DESTDIR}/etc/fuse.conf"
+ "${prefix}/etc/fuse.conf"

if test -x /usr/sbin/update-rc.d && test -z "${DESTDIR}"; then
/usr/sbin/update-rc.d fuse3 start 34 S . start 41 0 6 . || /bin/true