[18.03] procps-ng: 3.3.12 -> 3.3.15 #41326

Merged
merged 1 commit into from Jun 7, 2018

veprbl
Member

@veprbl veprbl commented May 31, 2018

Motivation for this change

fix CVE-2018-1124 and others

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

cc #41324 @xeji

@veprbl changed the title from "procps-ng: fix CVE-2018-1124" to "[18.03] procps-ng: fix CVE-2018-1124" on May 31, 2018
@GrahamcOfBorg

No attempt on x86_64-darwin

The following builds were skipped because they don't evaluate on x86_64-darwin: procps-ng

Partial log:


a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

Failure on aarch64-linux

Attempted: procps-ng

Partial log:

   return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       __bos (__s), __fmt, __va_arg_pack ());
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
make[2]: Leaving directory '/build/procps-ng-3.3.12'
make[1]: *** [Makefile:1672: all-recursive] Error 1
make[1]: Leaving directory '/build/procps-ng-3.3.12'
make: *** [Makefile:950: all] Error 2
builder for '/nix/store/1m927wg2l6rniks5lhjjdszzlc944wk6-procps-3.3.12.drv' failed with exit code 2
error: build of '/nix/store/1m927wg2l6rniks5lhjjdszzlc944wk6-procps-3.3.12.drv' failed

@GrahamcOfBorg

Failure on x86_64-linux

Attempted: procps-ng

Partial log:

   return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       __bos (__s), __fmt, __va_arg_pack ());
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
make[2]: Leaving directory '/build/procps-ng-3.3.12'
make[1]: *** [Makefile:1672: all-recursive] Error 1
make[1]: Leaving directory '/build/procps-ng-3.3.12'
make: *** [Makefile:950: all] Error 2
builder for '/nix/store/j4sl6jxm15dz51cbmfqksfackgghd0ij-procps-3.3.12.drv' failed with exit code 2
error: build of '/nix/store/j4sl6jxm15dz51cbmfqksfackgghd0ij-procps-3.3.12.drv' failed

@GrahamcOfBorg

No attempt on x86_64-darwin

The following builds were skipped because they don't evaluate on x86_64-darwin: procps-ng

Partial log:


a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

Success on x86_64-linux

Attempted: procps-ng

Partial log:

shrinking /nix/store/08apj9n0ggqxrh923w25r7wvdr1izbs1-procps-3.3.12/bin/slabtop
shrinking /nix/store/08apj9n0ggqxrh923w25r7wvdr1izbs1-procps-3.3.12/bin/watch
shrinking /nix/store/08apj9n0ggqxrh923w25r7wvdr1izbs1-procps-3.3.12/bin/top
shrinking /nix/store/08apj9n0ggqxrh923w25r7wvdr1izbs1-procps-3.3.12/sbin/sysctl
gzipping man pages under /nix/store/08apj9n0ggqxrh923w25r7wvdr1izbs1-procps-3.3.12/share/man/
strip is /nix/store/b0zlxla7dmy1iwc3g459rjznx59797xy-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/08apj9n0ggqxrh923w25r7wvdr1izbs1-procps-3.3.12/lib  /nix/store/08apj9n0ggqxrh923w25r7wvdr1izbs1-procps-3.3.12/bin  /nix/store/08apj9n0ggqxrh923w25r7wvdr1izbs1-procps-3.3.12/sbin
patching script interpreter paths in /nix/store/08apj9n0ggqxrh923w25r7wvdr1izbs1-procps-3.3.12
checking for references to /build in /nix/store/08apj9n0ggqxrh923w25r7wvdr1izbs1-procps-3.3.12...
moving /nix/store/08apj9n0ggqxrh923w25r7wvdr1izbs1-procps-3.3.12/sbin/* to /nix/store/08apj9n0ggqxrh923w25r7wvdr1izbs1-procps-3.3.12/bin

@GrahamcOfBorg

Success on aarch64-linux

Attempted: procps-ng

Partial log:

shrinking /nix/store/bygh9w67wqbphy88rs0bkr0bbb0wi90k-procps-3.3.12/bin/free
shrinking /nix/store/bygh9w67wqbphy88rs0bkr0bbb0wi90k-procps-3.3.12/bin/ps
shrinking /nix/store/bygh9w67wqbphy88rs0bkr0bbb0wi90k-procps-3.3.12/lib/libprocps.so.6.0.0
gzipping man pages under /nix/store/bygh9w67wqbphy88rs0bkr0bbb0wi90k-procps-3.3.12/share/man/
strip is /nix/store/ppn001bfygzlqx4h50n9zgxc3kqv2d6k-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/bygh9w67wqbphy88rs0bkr0bbb0wi90k-procps-3.3.12/lib  /nix/store/bygh9w67wqbphy88rs0bkr0bbb0wi90k-procps-3.3.12/bin  /nix/store/bygh9w67wqbphy88rs0bkr0bbb0wi90k-procps-3.3.12/sbin
patching script interpreter paths in /nix/store/bygh9w67wqbphy88rs0bkr0bbb0wi90k-procps-3.3.12
checking for references to /build in /nix/store/bygh9w67wqbphy88rs0bkr0bbb0wi90k-procps-3.3.12...
moving /nix/store/bygh9w67wqbphy88rs0bkr0bbb0wi90k-procps-3.3.12/sbin/* to /nix/store/bygh9w67wqbphy88rs0bkr0bbb0wi90k-procps-3.3.12/bin
/nix/store/bygh9w67wqbphy88rs0bkr0bbb0wi90k-procps-3.3.12

@xeji
Contributor

xeji commented May 31, 2018

Thank you.
@vcunat should this go to staging-18.03 first?

@vcunat vcunat self-assigned this May 31, 2018
@vcunat
Member

vcunat commented May 31, 2018

This doesn't fix all the security issues, does it? https://www.freelists.org/post/procps/Procps-3315-Security-Update

This kind of change can go directly to 18.03 – it's a few thousand rebuilds but security...

@xeji
Contributor

xeji commented May 31, 2018

We'd probably have to bump it from 3.3.12 -> 3.3.15 to include all fixes. Easy to do, no extra patches required, but at a higher risk of breakage.

@veprbl changed the title from "[18.03] procps-ng: fix CVE-2018-1124" to "[18.03] procps-ng: 3.3.12 -> 3.3.15" on May 31, 2018
@veprbl
Member Author

veprbl commented May 31, 2018

I get some strange download problem

these derivations will be built:
  /nix/store/wkclaf1jliv18li7rwsyrbiixyw6nwqn-procps-ng-3.3.15.tar.xz.drv
  /nix/store/35p59fh2z2p10l3pc4jiw1ac9is20i22-procps-3.3.15.drv
building path(s) ‘/nix/store/x4766ppwlqp09qq94d30bs5v4qknrr6a-procps-ng-3.3.15.tar.xz’

trying http://downloads.sourceforge.net/procps-ng/procps-ng-3.3.15.tar.xz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   746  100   746    0     0   1497      0 --:--:-- --:--:-- --:--:--     0
output path ‘/nix/store/x4766ppwlqp09qq94d30bs5v4qknrr6a-procps-ng-3.3.15.tar.xz’ has sha256 hash ‘1vc97w0kvchxzlf0v7nn1fzx7pi0ih29cdqd6r7rg1y6parqa6i5’ when ‘0r84kwa5fl0sjdashcn4vh7hgfm7ahdcysig3mcjvpmkzi7p9g8h’ was expected
cannot build derivation ‘/nix/store/35p59fh2z2p10l3pc4jiw1ac9is20i22-procps-3.3.15.drv’: 1 dependencies couldn't be built
error: build of ‘/nix/store/35p59fh2z2p10l3pc4jiw1ac9is20i22-procps-3.3.15.drv’ failed

@GrahamcOfBorg

No attempt on x86_64-darwin

The following builds were skipped because they don't evaluate on x86_64-darwin: procps-ng

Partial log:


a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

Success on aarch64-linux

Attempted: procps-ng

Partial log:

shrinking /nix/store/fwzrax38xl6bspfy2vcd7fp3zz2qj65j-procps-3.3.15/bin/free
shrinking /nix/store/fwzrax38xl6bspfy2vcd7fp3zz2qj65j-procps-3.3.15/bin/ps
shrinking /nix/store/fwzrax38xl6bspfy2vcd7fp3zz2qj65j-procps-3.3.15/lib/libprocps.so.7.1.0
gzipping man pages under /nix/store/fwzrax38xl6bspfy2vcd7fp3zz2qj65j-procps-3.3.15/share/man/
strip is /nix/store/ppn001bfygzlqx4h50n9zgxc3kqv2d6k-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/fwzrax38xl6bspfy2vcd7fp3zz2qj65j-procps-3.3.15/lib  /nix/store/fwzrax38xl6bspfy2vcd7fp3zz2qj65j-procps-3.3.15/bin  /nix/store/fwzrax38xl6bspfy2vcd7fp3zz2qj65j-procps-3.3.15/sbin
patching script interpreter paths in /nix/store/fwzrax38xl6bspfy2vcd7fp3zz2qj65j-procps-3.3.15
checking for references to /build in /nix/store/fwzrax38xl6bspfy2vcd7fp3zz2qj65j-procps-3.3.15...
moving /nix/store/fwzrax38xl6bspfy2vcd7fp3zz2qj65j-procps-3.3.15/sbin/* to /nix/store/fwzrax38xl6bspfy2vcd7fp3zz2qj65j-procps-3.3.15/bin
/nix/store/fwzrax38xl6bspfy2vcd7fp3zz2qj65j-procps-3.3.15

@GrahamcOfBorg

Success on x86_64-linux

Attempted: procps-ng

Partial log:

shrinking /nix/store/r8gqxs96sf6xvssv28chxwh6jg9j2zmi-procps-3.3.15/bin/watch
shrinking /nix/store/r8gqxs96sf6xvssv28chxwh6jg9j2zmi-procps-3.3.15/bin/top
shrinking /nix/store/r8gqxs96sf6xvssv28chxwh6jg9j2zmi-procps-3.3.15/sbin/sysctl
gzipping man pages under /nix/store/r8gqxs96sf6xvssv28chxwh6jg9j2zmi-procps-3.3.15/share/man/
strip is /nix/store/b0zlxla7dmy1iwc3g459rjznx59797xy-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/r8gqxs96sf6xvssv28chxwh6jg9j2zmi-procps-3.3.15/lib  /nix/store/r8gqxs96sf6xvssv28chxwh6jg9j2zmi-procps-3.3.15/bin  /nix/store/r8gqxs96sf6xvssv28chxwh6jg9j2zmi-procps-3.3.15/sbin
patching script interpreter paths in /nix/store/r8gqxs96sf6xvssv28chxwh6jg9j2zmi-procps-3.3.15
checking for references to /build in /nix/store/r8gqxs96sf6xvssv28chxwh6jg9j2zmi-procps-3.3.15...
moving /nix/store/r8gqxs96sf6xvssv28chxwh6jg9j2zmi-procps-3.3.15/sbin/* to /nix/store/r8gqxs96sf6xvssv28chxwh6jg9j2zmi-procps-3.3.15/bin
/nix/store/r8gqxs96sf6xvssv28chxwh6jg9j2zmi-procps-3.3.15

@veprbl
Member Author

veprbl commented Jun 1, 2018

The download seems to work again. Probably should be fine. At least master will have the same problem, because it uses the same url.

@vcunat
Member

vcunat commented Jun 2, 2018

OK, let's wait a while for this version on master/staging; Hydra is overwhelmed ATM anyway.

vcunat added a commit that referenced this pull request Jun 6, 2018
@vcunat vcunat merged commit 589636a into NixOS:release-18.03 Jun 7, 2018
@veprbl veprbl deleted the pr/CVE-2018-1124_18.03 branch December 1, 2020 16:59