Skip to content

Fix multiple cves #31437

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 9 commits into from
Closed

Fix multiple cves #31437

wants to merge 9 commits into from
+69 −18

Conversation

andir
Copy link
Member

@andir andir commented Nov 9, 2017

Motivation for this change

I created a new tool to generate a list of packages affected by CVEs and started working through the list for the unstable channel.
This is just the ones that seemed fixable and where proper upstream commits/patches could be found.
The complete list from my WIP tool can be found here.

Some of the commits might be worth backporting to stable.

I am not so sure about the others since they might involve bumping versions. Is that something we do for an already released stable version?

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

Sorry, something went wrong.

andir added 9 commits November 9, 2017 12:48
@andir
yara: 3.6.0 -> 3.6.3 (fixes CVE-2017-11328)
e15d6e1
@andir
rzip: fix CVE-2017-8364
4b759a0
@andir
redis: fix CVE-2017-15047
f8b53a7 
Fix is based on work at [1] which upstream seems to have implemented as seen at [2].

[1] https://github.com/antirez/redis/pull/4365
[2] antirez/redis@ffcf7d5
@andir
radare2: 2.0.0 -> 2.0.1 (+ fix for CVE-2017-15385)
8312eaf
@andir
qpdf: 6.0.0 -> 7.0.0 (fixes several CVEs)
b6fd7bf 
fixes CVE-2017-11624,CVE-2017-11625,CVE-2017-11626,CVE-2017-11627,CVE-2017-12595,CVE-2017-9208,CVE-2017-9209,CVE-2017-9210
@andir
partclone: 0.2.89 -> 0.3.11 (fixes CVE-2017-6596)
8c8f847
@andir
libextractor: 1.4 -> 1.6 (+ fixes multiple CVEs)
e0727bd 
fixes CVE-2017-15266,CVE-2017-15267,CVE-2017-15600,CVE-2017-15601,CVE-2017-15602,CVE-2017-15922
@andir
libexif: fix CVE-2017-7544
0b4e8b9
@andir
busybox: fix CVE-2017-1587{34}
e8a3ce0
@c0bw3b c0bw3b added 1.severity: security Issues which raise a security issue, or PRs that fix one 8.has: package (update) This PR updates a package to a newer version labels Nov 9, 2017
@vcunat
Copy link
Member

vcunat commented Nov 9, 2017

Yet another tool to list CVEs for our packages :-)

@andir
Copy link
Member Author

andir commented Nov 9, 2017

Not just CVEs, also "upstream" version changes from e.g. release-monitoring.org... :-)

@vcunat
Copy link
Member

vcunat commented Nov 9, 2017

That reminds me of https://github.com/Phreedom/nixpkgs-monitor

@copumpkin
Copy link
Member

cc @NixOS/security-notifications on both the specific fixes and the tool

orivej
orivej reviewed Nov 11, 2017
View reviewed changes
pkgs/tools/backup/partclone/default.nix

src = fetchFromGitHub {
owner = "Thomas-Tsai";
repo = "partclone";
rev = version;
sha256 = "0gw47pchqshhm00yf34qgxh6bh2jfryv0sm7ghwn77bv5gzwr481";
sha256 = "1gw47pchqshhm00yf34qgxh6bh2jfryv0sm7ghwn77bv5gzwr481";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This sha256 is invalid, it should be 0bv15i0gxym4dv48rgaavh8p94waryn1l6viis6qh5zm9cd08skg.

@vcunat vcunat added the 9.needs: port to stable A PR needs a backport to the stable release. label Nov 11, 2017
vcunat
vcunat reviewed Nov 11, 2017
View reviewed changes
Copy link
Member

@vcunat vcunat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, with some additional changes.

pkgs/tools/compression/rzip/default.nix
sha256 = "0jcjlx9ksdvxvjyxmyzscx9ar9992iy5icw0sc3n0p09qi4d6x1r";
})
];

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For non-generated patches it seems better to use fetchurl, but let's keep this as it is.

vcunat added a commit that referenced this pull request Nov 11, 2017
@vcunat
Merge security fixes adapted from #31437
cbfb586
@vcunat
Copy link
Member

vcunat commented Nov 11, 2017

Merged as cbfb586 with some changes in 6255e95, ac677c7 and 73bec97.

For partclone I could find no reasonable news/announcement (it at least has no reverse dependencies in nixpkgs); the rest seems safe for cherry-picking to me.

@vcunat vcunat closed this Nov 11, 2017
@andir andir deleted the fix-multiple-cves branch November 11, 2017 20:11
@fpletz
Copy link
Member

fpletz commented Nov 14, 2017

Thank you for working on and merging this!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@orivej orivej

@vcunat vcunat

Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 8.has: package (update) This PR updates a package to a newer version 9.needs: port to stable A PR needs a backport to the stable release. 10.rebuild-darwin: 11-100 10.rebuild-linux: 101-500
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@andir @vcunat @copumpkin @fpletz @orivej @c0bw3b