Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gnupatch: fix CVE-2018-6951 #39045

Closed
wants to merge 1 commit into from
Closed

gnupatch: fix CVE-2018-6951 #39045

wants to merge 1 commit into from

Conversation

nlewo
Copy link
Member

@nlewo nlewo commented Apr 17, 2018

Fix CVE for #38993

I can't use fetchpatch in gnupatch so I used fetchurl to fetch the patch.
Is it an expected behavior? (I wouldn't be surprised we can't use gnupatch to build gnupatch but I didn't look at this in details).

Should I rebase this patch on staging?

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: gnupatch

Partial log (click to expand)

make[2]: Leaving directory '/build/patch-2.7.6'
make[1]: Leaving directory '/build/patch-2.7.6'
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/qnf8nzndzlpm4k0p7gl3lg2jif4mfkh1-patch-2.7.6
shrinking /nix/store/qnf8nzndzlpm4k0p7gl3lg2jif4mfkh1-patch-2.7.6/bin/patch
gzipping man pages under /nix/store/qnf8nzndzlpm4k0p7gl3lg2jif4mfkh1-patch-2.7.6/share/man/
strip is /nix/store/d1prcspbh2qsviipvnaxizcj8l3g7fpw-bootstrap-tools/bin/strip
stripping (with command strip and flags -S) in /nix/store/qnf8nzndzlpm4k0p7gl3lg2jif4mfkh1-patch-2.7.6/bin
checking for references to /build in /nix/store/qnf8nzndzlpm4k0p7gl3lg2jif4mfkh1-patch-2.7.6...
/nix/store/qnf8nzndzlpm4k0p7gl3lg2jif4mfkh1-patch-2.7.6

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: gnupatch

Partial log (click to expand)

make[2]: Leaving directory '/build/patch-2.7.6'
make[1]: Leaving directory '/build/patch-2.7.6'
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/h3wkr3m94hk8rxz20igsp71vm8qlpjm8-patch-2.7.6
shrinking /nix/store/h3wkr3m94hk8rxz20igsp71vm8qlpjm8-patch-2.7.6/bin/patch
gzipping man pages under /nix/store/h3wkr3m94hk8rxz20igsp71vm8qlpjm8-patch-2.7.6/share/man/
strip is /nix/store/gfgczbs0cy0blibb0acv39cayq7qbplg-bootstrap-tools/bin/strip
stripping (with command strip and flags -S) in /nix/store/h3wkr3m94hk8rxz20igsp71vm8qlpjm8-patch-2.7.6/bin
checking for references to /build in /nix/store/h3wkr3m94hk8rxz20igsp71vm8qlpjm8-patch-2.7.6...
/nix/store/h3wkr3m94hk8rxz20igsp71vm8qlpjm8-patch-2.7.6

Mic92
Mic92 reviewed Apr 17, 2018
View reviewed changes
pkgs/tools/text/gnupatch/default.nix Outdated
name = "CVE-2018-6951.patch";
url = "https://git.savannah.gnu.org/cgit/patch.git/patch/?id=f290f48a621867084884bfff87f8093c15195e6a";
sha256 = "0289g8ihyiqdxw4p3zkal7ivbpy4dp5s31x2vy9ajw67q0694ywa";
};
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is better to add the patch to nixpkgs instead + add the source url as a comment. There is a version number of cgit in the footer that will eventually break the hash.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: gnupatch

Partial log (click to expand)

make[2]: Leaving directory '/build/patch-2.7.6'
make[1]: Leaving directory '/build/patch-2.7.6'
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/nmf4pcf2ya2qzg5k4cws2zb26w3fxivz-patch-2.7.6
shrinking /nix/store/nmf4pcf2ya2qzg5k4cws2zb26w3fxivz-patch-2.7.6/bin/patch
gzipping man pages under /nix/store/nmf4pcf2ya2qzg5k4cws2zb26w3fxivz-patch-2.7.6/share/man/
strip is /nix/store/d1prcspbh2qsviipvnaxizcj8l3g7fpw-bootstrap-tools/bin/strip
stripping (with command strip and flags -S) in /nix/store/nmf4pcf2ya2qzg5k4cws2zb26w3fxivz-patch-2.7.6/bin
checking for references to /build in /nix/store/nmf4pcf2ya2qzg5k4cws2zb26w3fxivz-patch-2.7.6...
/nix/store/nmf4pcf2ya2qzg5k4cws2zb26w3fxivz-patch-2.7.6

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: gnupatch

Partial log (click to expand)

make[2]: Leaving directory '/build/patch-2.7.6'
make[1]: Leaving directory '/build/patch-2.7.6'
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/xq01dqf1qll8lm6mh90jchgk9zyywbv0-patch-2.7.6
shrinking /nix/store/xq01dqf1qll8lm6mh90jchgk9zyywbv0-patch-2.7.6/bin/patch
gzipping man pages under /nix/store/xq01dqf1qll8lm6mh90jchgk9zyywbv0-patch-2.7.6/share/man/
strip is /nix/store/gfgczbs0cy0blibb0acv39cayq7qbplg-bootstrap-tools/bin/strip
stripping (with command strip and flags -S) in /nix/store/xq01dqf1qll8lm6mh90jchgk9zyywbv0-patch-2.7.6/bin
checking for references to /build in /nix/store/xq01dqf1qll8lm6mh90jchgk9zyywbv0-patch-2.7.6...
/nix/store/xq01dqf1qll8lm6mh90jchgk9zyywbv0-patch-2.7.6

Mic92 pushed a commit that referenced this pull request Apr 17, 2018
@nlewo @Mic92
gnupatch: fix CVE-2018-6951
11fd378 
fixes #39045
@Mic92
Copy link
Member

Mic92 commented Apr 17, 2018

Cherry-picked to staging since it is only a NULL-pointer dereference: 11fd378

@Mic92 Mic92 closed this Apr 17, 2018
@nlewo
Copy link
Member Author

nlewo commented Apr 18, 2018

@Mic92 Thanks. We should also apply this patch on release 18.03.
I don't know the procedure for this kind of patch (lot of rebuilds). Once staging is merged on master, we can cherry-pick it to 18.03?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mic92 Mic92 Mic92 left review comments

Assignees
No one assigned
Labels
10.rebuild-darwin: 501+ 10.rebuild-darwin-stdenv 10.rebuild-linux: 501+ 10.rebuild-linux-stdenv
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@nlewo @GrahamcOfBorg @Mic92