zziplib: 0.13.67 -> 0.13.68 #35423

Merged
merged 3 commits into from Feb 24, 2018

Conversation

flokli
Contributor

@flokli flokli commented Feb 23, 2018

Motivation for this change

Bump zziplib to 0.13.68 to fix multiple CVE issues:

Unfortunately, getting only those patches is hard, as they're not well referenced to linked issues.
The testsuite is currently broken, and the newer python testsuite checking for vulns requires network access.

gdraheim/zziplib#20 might still be an issue, so keeping this as a TODO here.

Vulnerability roundup 37 (release-17.09) #35409

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

(cherry picked from commit ee16fee)
Bump zziplib to 0.13.68 to fix multiple CVE issues:

 - CVE-2018-6381
 (gdraheim/zziplib@a803559)
 - CVE-2018-6484
 (gdraheim/zziplib#14 (comment))
 - CVE-2018-6540
 (gdraheim/zziplib@72ec933)
 - CVE-2018-6541
 (gdraheim/zziplib#16 (comment))
 - CVE-2018-6542
 (gdraheim/zziplib@931f962)

Unfortunately, getting only those patches is hard, as they're not well
referenced to linked issues. The testsuite checking for vulns
requires network access (so we can't easily test it here).

gdraheim/zziplib#20 might still be an issue,
so keeping this as a TODO here.

(cherry picked from commit 9f6a942)
@vcunat vcunat merged commit 388363b into NixOS:release-17.09 Feb 24, 2018
@flokli flokli deleted the CVE-zziplib-0.13.67-nixos-17.09 branch May 23, 2018 23:01