Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

enhanced-ctorrent: fix CVE-2009-1759 #39311

Merged
merged 2 commits into from Apr 22, 2018
Merged

enhanced-ctorrent: fix CVE-2009-1759 #39311

merged 2 commits into from Apr 22, 2018

Conversation

MostAwesomeDude
Copy link
Contributor

This package has a checkered history; the version used here is "enhanced
ctorrent", which contains many updates. (The original tarball doesn't even
build on NixOS!)

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@Mic92
Copy link
Member

Mic92 commented Apr 21, 2018

Last update was 2008 https://sourceforge.net/projects/dtorrent/files/?source=navbar
Is this still in maintained?

@MostAwesomeDude
Copy link
Contributor Author

I searched for a bit. This is the right upstream. There do appear to be Debian patches, including one to fix a CVE which I don't think this tarball has. I've fixed the CVE with Debian's patches.

@Mic92
Copy link
Member

Mic92 commented Apr 22, 2018
edited

We also have pkgs/applications/networking/enhanced-ctorrent. That version probably also does not have the patches applied.

@Mic92
Copy link
Member

Mic92 commented Apr 22, 2018

Ok, this is the same version you want to add: http://www.rahul.net/dholmes/ctorrent/

@MostAwesomeDude
Copy link
Contributor Author

Oh, then it sounds like I should retarget my fix and put it on that existing package.

@MostAwesomeDude MostAwesomeDude changed the title ctorrent: init at 3.3.2 enhanced-ctorrent: fix CVE-2009-1759 Apr 22, 2018
@Mic92
Copy link
Member

Mic92 commented Apr 22, 2018

@GrahamcOfBorg build enhanced-ctorrent

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: enhanced-ctorrent

Partial log (click to expand)

make[1]: Nothing to be done for 'install-data-am'.
make[1]: Leaving directory '/build/ctorrent-dnh3.3.2'
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/a9712pci88ysaaggw0cjn07z12dhs1ld-enhanced-ctorrent
shrinking /nix/store/a9712pci88ysaaggw0cjn07z12dhs1ld-enhanced-ctorrent/bin/ctorrent
strip is /nix/store/j75dgadrff2d1fyc4fczmcgqkid2imdx-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/a9712pci88ysaaggw0cjn07z12dhs1ld-enhanced-ctorrent/bin
patching script interpreter paths in /nix/store/a9712pci88ysaaggw0cjn07z12dhs1ld-enhanced-ctorrent
checking for references to /build in /nix/store/a9712pci88ysaaggw0cjn07z12dhs1ld-enhanced-ctorrent...
/nix/store/a9712pci88ysaaggw0cjn07z12dhs1ld-enhanced-ctorrent

@GrahamcOfBorg
Copy link

Success on x86_64-darwin (full log)

Attempted: enhanced-ctorrent

Partial log (click to expand)

make[1]: Entering directory '/private/tmp/nix-build-enhanced-ctorrent.drv-0/ctorrent-dnh3.3.2'
test -z "/nix/store/wcn76520vav5vypjwwhv631jg6wnmkr2-enhanced-ctorrent/bin" || mkdir -p -- "/nix/store/wcn76520vav5vypjwwhv631jg6wnmkr2-enhanced-ctorrent/bin"
  /nix/store/5lkrw9dnsgy62qm1ampvww1c5n1pdm4b-coreutils-8.29/bin/install -c 'ctorrent' '/nix/store/wcn76520vav5vypjwwhv631jg6wnmkr2-enhanced-ctorrent/bin/ctorrent'
make[1]: Nothing to be done for 'install-data-am'.
make[1]: Leaving directory '/private/tmp/nix-build-enhanced-ctorrent.drv-0/ctorrent-dnh3.3.2'
post-installation fixup
strip is /nix/store/kdff2gim6417493yha769kh00n63lnrw-cctools-binutils-darwin/bin/strip
stripping (with command strip and flags -S) in /nix/store/wcn76520vav5vypjwwhv631jg6wnmkr2-enhanced-ctorrent/bin
patching script interpreter paths in /nix/store/wcn76520vav5vypjwwhv631jg6wnmkr2-enhanced-ctorrent
/nix/store/wcn76520vav5vypjwwhv631jg6wnmkr2-enhanced-ctorrent

@Mic92 Mic92 merged commit 69f23d9 into NixOS:master Apr 22, 2018
@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: enhanced-ctorrent

Partial log (click to expand)

make[1]: Nothing to be done for 'install-data-am'.
make[1]: Leaving directory '/build/ctorrent-dnh3.3.2'
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/5vc8pnxg3dnkp68sgpcc4dagrgpsrfnw-enhanced-ctorrent
shrinking /nix/store/5vc8pnxg3dnkp68sgpcc4dagrgpsrfnw-enhanced-ctorrent/bin/ctorrent
strip is /nix/store/j7d4mr0ikv974ig7yzhknpsq288js4bs-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/5vc8pnxg3dnkp68sgpcc4dagrgpsrfnw-enhanced-ctorrent/bin
patching script interpreter paths in /nix/store/5vc8pnxg3dnkp68sgpcc4dagrgpsrfnw-enhanced-ctorrent
checking for references to /build in /nix/store/5vc8pnxg3dnkp68sgpcc4dagrgpsrfnw-enhanced-ctorrent...
/nix/store/5vc8pnxg3dnkp68sgpcc4dagrgpsrfnw-enhanced-ctorrent

Mic92 pushed a commit that referenced this pull request Apr 22, 2018
@MostAwesomeDude @Mic92
enhanced-ctorrent: fix CVE-2009-1759 (#39311)
691a6fc 
Patches from Debian.

(cherry picked from commit 69f23d9)
@Mic92
Copy link
Member

Mic92 commented Apr 22, 2018

18.03 backport:

[detached HEAD 691a6fc] enhanced-ctorrent: fix CVE-2009-1759 (#39311)
Author: Corbin Simpson MostAwesomeDude@gmail.com
Date: Sun Apr 22 14:42:20 2018 -0700
1 file changed, 14 insertions(+), 1 deletion(-)

@MostAwesomeDude MostAwesomeDude deleted the ctorrent branch April 22, 2018 21:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
8.has: package (new) 10.rebuild-darwin: 1-10 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@MostAwesomeDude @Mic92 @GrahamcOfBorg