Fix multiple cves #31437

andir · 2017-11-09T11:57:53Z

Motivation for this change

I created a new tool to generate a list of packages affected by CVEs and started working through the list for the unstable channel.
This is just the ones that seemed fixable and where proper upstream commits/patches could be found.
The complete list from my WIP tool can be found here.

Some of the commits might be worth backporting to stable.

e8a3ce0 busybox
0b4e8b9 libexif
f8b53a7 redis
4b759a0 rzip
e15d6e1 yara (minor version bump)
8312eaf radare2 (minor version bump + patch)

I am not so sure about the others since they might involve bumping versions. Is that something we do for an already released stable version?

Things done

Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
Built on platform(s)
- NixOS
- macOS
- other Linux distributions
Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
Tested execution of all binary files (usually in ./result/bin/)
Fits CONTRIBUTING.md.

Fix is based on work at [1] which upstream seems to have implemented as seen at [2]. [1] redis/redis#4365 [2] redis/redis@ffcf7d5

fixes CVE-2017-11624,CVE-2017-11625,CVE-2017-11626,CVE-2017-11627,CVE-2017-12595,CVE-2017-9208,CVE-2017-9209,CVE-2017-9210

fixes CVE-2017-15266,CVE-2017-15267,CVE-2017-15600,CVE-2017-15601,CVE-2017-15602,CVE-2017-15922

vcunat · 2017-11-09T20:51:12Z

Yet another tool to list CVEs for our packages :-)

andir · 2017-11-09T20:59:02Z

Not just CVEs, also "upstream" version changes from e.g. release-monitoring.org... :-)

vcunat · 2017-11-09T21:04:24Z

That reminds me of https://github.com/Phreedom/nixpkgs-monitor

copumpkin · 2017-11-10T12:24:11Z

cc @NixOS/security-notifications on both the specific fixes and the tool

orivej · 2017-11-11T02:48:34Z

pkgs/tools/backup/partclone/default.nix


  src = fetchFromGitHub {
    owner = "Thomas-Tsai";
    repo = "partclone";
    rev = version;
-    sha256 = "0gw47pchqshhm00yf34qgxh6bh2jfryv0sm7ghwn77bv5gzwr481";
+    sha256 = "1gw47pchqshhm00yf34qgxh6bh2jfryv0sm7ghwn77bv5gzwr481";


This sha256 is invalid, it should be 0bv15i0gxym4dv48rgaavh8p94waryn1l6viis6qh5zm9cd08skg.

vcunat

OK, with some additional changes.

vcunat · 2017-11-11T08:49:06Z

pkgs/tools/compression/rzip/default.nix

+      sha256 = "0jcjlx9ksdvxvjyxmyzscx9ar9992iy5icw0sc3n0p09qi4d6x1r";
+    })
+  ];
+


For non-generated patches it seems better to use fetchurl, but let's keep this as it is.

vcunat · 2017-11-11T12:38:53Z

Merged as cbfb586 with some changes in 6255e95, ac677c7 and 73bec97.

For partclone I could find no reasonable news/announcement (it at least has no reverse dependencies in nixpkgs); the rest seems safe for cherry-picking to me.

fpletz · 2017-11-14T11:08:36Z

Thank you for working on and merging this!

andir added 9 commits November 9, 2017 12:48

yara: 3.6.0 -> 3.6.3 (fixes CVE-2017-11328)

e15d6e1

rzip: fix CVE-2017-8364

4b759a0

redis: fix CVE-2017-15047

f8b53a7

Fix is based on work at [1] which upstream seems to have implemented as seen at [2]. [1] redis/redis#4365 [2] redis/redis@ffcf7d5

radare2: 2.0.0 -> 2.0.1 (+ fix for CVE-2017-15385)

8312eaf

qpdf: 6.0.0 -> 7.0.0 (fixes several CVEs)

b6fd7bf

fixes CVE-2017-11624,CVE-2017-11625,CVE-2017-11626,CVE-2017-11627,CVE-2017-12595,CVE-2017-9208,CVE-2017-9209,CVE-2017-9210

partclone: 0.2.89 -> 0.3.11 (fixes CVE-2017-6596)

8c8f847

libextractor: 1.4 -> 1.6 (+ fixes multiple CVEs)

e0727bd

fixes CVE-2017-15266,CVE-2017-15267,CVE-2017-15600,CVE-2017-15601,CVE-2017-15602,CVE-2017-15922

libexif: fix CVE-2017-7544

0b4e8b9

busybox: fix CVE-2017-1587{34}

e8a3ce0

c0bw3b added 1.severity: security 8.has: package (update) labels Nov 9, 2017

orivej added 10.rebuild-darwin: 11-100 10.rebuild-linux: 101-500 labels Nov 11, 2017

orivej reviewed Nov 11, 2017

View reviewed changes

vcunat added the 9.needs: port to stable A PR needs a backport to the stable release. label Nov 11, 2017

vcunat reviewed Nov 11, 2017

View reviewed changes

vcunat added a commit that referenced this pull request Nov 11, 2017

Merge security fixes adapted from #31437

cbfb586

vcunat closed this Nov 11, 2017

andir deleted the fix-multiple-cves branch November 11, 2017 20:11

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix multiple cves #31437

Fix multiple cves #31437

andir commented Nov 9, 2017

vcunat commented Nov 9, 2017

andir commented Nov 9, 2017

vcunat commented Nov 9, 2017

copumpkin commented Nov 10, 2017

orivej Nov 11, 2017

vcunat left a comment

vcunat Nov 11, 2017

vcunat commented Nov 11, 2017

fpletz commented Nov 14, 2017

Fix multiple cves #31437

Fix multiple cves #31437

Conversation

andir commented Nov 9, 2017

Motivation for this change

Things done

vcunat commented Nov 9, 2017

andir commented Nov 9, 2017

vcunat commented Nov 9, 2017

copumpkin commented Nov 10, 2017

orivej Nov 11, 2017

Choose a reason for hiding this comment

vcunat left a comment

Choose a reason for hiding this comment

vcunat Nov 11, 2017

Choose a reason for hiding this comment

vcunat commented Nov 11, 2017

fpletz commented Nov 14, 2017