
Upgrade OpenSSL for CVE-2017-3732, CVE-2017-3193 #31147

Merged: grahamc merged 3 commits into NixOS:master from the openssl branch on Nov 2, 2017

Conversation

grahamc
Member

@grahamc grahamc commented Nov 2, 2017

Motivation for this change

Closes #31144

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

- file = (char *)getenv(X509_get_default_cert_file_env());
+ file = (char *)getenv("NIX_SSL_CERT_FILE");
- file = getenv(X509_get_default_cert_file_env());
+ file = getenv("NIX_SSL_CERT_FILE");
+ if (!file)
+ file = (char *)getenv(X509_get_default_cert_file_env());
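Review bot: the added fallback line `+ file = (char *)getenv(X509_get_default_cert_file_env());` keeps the `(char *)` cast that the `+ file = getenv("NIX_SSL_CERT_FILE");` line just above it drops, so the two lookups are typed inconsistently; remove the cast from the fallback as well so the patch matches the cast-free upstream code it is being rebased onto. Separately, `if (!file)` only falls through to `X509_get_default_cert_file_env()` when `NIX_SSL_CERT_FILE` is unset: an exported but empty variable makes `getenv` return a non-NULL pointer to an empty string, the fallback is skipped, and an empty path reaches the certificate loader; testing `!file || !*file` covers both the unset and the empty case.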
Member

Should probably remove the (char *) here as well to match the upstream code more closely and because the cast isn't actually safe AFAIK.

Member Author

Oops...

Contributor

Given the first one removed the cast, I think we don't need the (char *) in the second getenv call anymore.

Member Author

Oops... :)

@grahamc grahamc merged commit e080b87 into NixOS:master Nov 2, 2017
@grahamc grahamc deleted the openssl branch November 2, 2017 19:21
Member

NeQuissimus commented Nov 2, 2017

Building them now to verify...

Edit: My laptop is sweating and says they both build fine :)

@lheckemann
Member

For reference: openssl/openssl@a020f54#diff-c6d4516ecf80b8c5f05c60e476619d0d is the commit that breaks our patch. (thanks @manveru for digging it up)
