Vulnerability Roundup 21 #22549

Closed
grahamc opened this Issue Feb 8, 2017 · 35 comments

Member

grahamc commented Feb 8, 2017

Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last roundup.

cc: @nlewo @7c6f434c @bachp @vcunat @peterhoeg @fpletz @Szczyp @NeQuissimus @obadz @joachifm @shlevy.

Note: The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup.

Permanent CC's: @joepie91, @phanimahesh, @the-kenny, @7c6f434c, @k0001
@NixOS/security-notifications
If you would like to be CC'd on all roundups (or removed from the
list), open a PR editing
https://github.com/NixOS/security/blob/master/lwnvulns/src/bin/instructions.md.

Notes on the list

  1. The reports have been roughly grouped by the package name. This
    isn't perfect, but is intended to help identify whether a whole group
    of reports is resolved already.
  2. Some issues will be duplicated, because they affect multiple
    packages. For example, there are sometimes problems that impact
    thunderbird and firefox. LWN might report them in one vulnerability,
    "thunderbird firefox". These names have been split to make sure
    both packages get addressed.
  3. By each issue is a link to a code search for the package name, and
    a GitHub search by filename. These are there to help, but may not return
    results even when we do in fact package the software. If a search
    doesn't turn up results, please try altering the search criteria or
    looking in nixpkgs manually before asserting we don't have it.
  4. This issue is created by https://github.com/NixOS/security

Instructions:

  1. Triage a report: If we don't have the software or our version isn't
    vulnerable, tick the box or add a comment with the report number,
    stating it isn't vulnerable.
  2. Fix the issue: If we do have the software and it is vulnerable,
    either leave a comment on this issue saying so, or even open a pull
    request with the fix. If you open a PR, make sure to tag this
    issue so we can coordinate.
  3. When an entire section is completed, move the section to the
    "Triaged and Resolved Issues" details block below.

Upon Completion ...

Without further ado...

Assorted (27 issues)

GraphicsMagick (2 issues)

kernel (3 issues)

libtiff (2 issues)

rtmpdump (2 issues)

Member

peterhoeg commented Feb 8, 2017

wordpress in master is already on 4.7.2 - only earlier versions are affected.

Also ok on 16.09

Member

peterhoeg commented Feb 8, 2017

iio-sensor-proxy is not packaged yet. I have a branch with the software and a nixos module, but it's not merged.

Member

grahamc commented Feb 8, 2017

Thank you! I ticked them off. Remember 17.03's branch-off is coming up, if you want to get that in to stable :)

Member

grahamc commented Feb 8, 2017

I'm plodding through the gstreamer updates :)

Member

grahamc commented Feb 8, 2017

gstreamer fixed in afd5981 and 504d394.

Member

grahamc commented Feb 8, 2017

w00t we had already patched jasper.

Member

grahamc commented Feb 8, 2017

deleted moodle in 7db1f72

Member

NeQuissimus commented Feb 8, 2017

Kernels are good

Member

peterhoeg commented Feb 8, 2017

wireshark is already on version 2.2.4, which fixes the 2 vulnerabilities.

Also ok on 16.09

Member

peterhoeg commented Feb 8, 2017

Currently building the derivations depending on wavpack, so don't waste your time on this.

wavpack is good with #22555

Member

peterhoeg commented Feb 8, 2017

tiff is just a regular bug, not a vulnerability.
libtiff is not vulnerable (we are never).

Also ok on 16.09

peterhoeg referenced this issue Feb 8, 2017 in "wavpack: 4.80.0 -> 5.1.0 #22555" (Merged)

Member

peterhoeg commented Feb 8, 2017

php is ok in master and 16.09

Member

peterhoeg commented Feb 8, 2017

mupdf is ok in master but not OK in 16.09. I'll handle this.

Member

grahamc commented Feb 8, 2017

@peterhoeg can you verify against stable (16.09) as well?

Member

peterhoeg commented Feb 8, 2017

can you verify against stable (16.09) as well?

@grahamc - only mupdf is not ok (of the ones I looked at).

Member

peterhoeg commented Feb 8, 2017

uicode-tool - we don't have it.

Member

peterhoeg commented Feb 8, 2017

The fixes have been backported (not to nixpkgs), but don't we consider pdf readers (and especially those that can run javascript) critical like browsers, so they need the latest version?

Member

nlewo commented Feb 8, 2017

Our RabbitMQ version is impacted while it is not the case for the latest one. I upgrade our rabbitmq version in #22573.

Member

grahamc commented Feb 9, 2017

@peterhoeg For now, I'd rather apply the backported patches to 16.09 for mupdf, especially if they're being so kind as to backport patches for us :)

Member

grahamc commented Feb 9, 2017

@codyopel, @viric, @spwhitt, @rbvermaa, would any of you like to update rtmpdump? Otherwise I'll probably mark it broken due to https://lwn.net/Vulnerabilities/713784/

Member

peterhoeg commented Feb 9, 2017

@grahamc, we have another issue. webkitgtk24x is badly outdated with lots of vulnerabilities and yet is still in use by a number of packages:
https://search.nix.gsc.io/?q=webkitgtk24x&i=fosho&files=&repos=

Here are details:
https://blogs.gnome.org/mcatanzaro/2017/02/08/an-update-on-webkit-security-updates/

Specifically:

but this old version of WebKit is affected by over 200 known vulnerabilities and really has to go sooner rather than later

For emacs, if we simply only build the proper gtk UI, we should be fine and get rid of xwidgets.

I don't know about the others though.

Member

vcunat commented Feb 9, 2017

webkitgtk24x: we still have #18312 open for outdated webkit. For the liferea case: upstream now has a new -rc2 version that does build against newer libwebkit, but it didn't work well for me.

Member

7c6f434c commented Feb 9, 2017

Ah, rtmpdump is an easy bump. Done

Member

7c6f434c commented Feb 9, 2017

irssi_otr fix is upstream, we have the correct version already.

vcunat added a commit that referenced this issue Feb 9, 2017

pythonPackages.gst-python: fix hash after afd5981
/cc #22549.

(cherry picked from commit 333e36e)
Member

fpletz commented Feb 9, 2017

libgd2 (gd) was already fixed.

fpletz added a commit that referenced this issue Feb 9, 2017

Member

fpletz commented Feb 9, 2017

The graphicsmagick CVEs are weird. They seem to rather apply to imagemagick. As OpenSUSE is generally lagging behind on security updates a bit compared to other distros and graphicsmagick has a revamped codebase, I don't think all those issues also apply to graphicsmagick and OpenSUSE made some kind of error here. In the Debian security tracker those CVEs were assigned to imagemagick and not to graphicsmagick.

fpletz added a commit that referenced this issue Feb 9, 2017

epiphany: 3.22.5 -> 3.22.6 for security issue
From https://bugzilla.gnome.org/show_bug.cgi?id=752738:

  The page http://whatever.com has access to saved passwords of
  https://whatever.com. This was a very bad idea: it makes it easy to
  intercept passwords stored on secure websites, especially since we
  don't require any user interaction to fill in the password.

No CVE has been assigned as of now.

cc #22549
Member

fpletz commented Feb 9, 2017

epiphany was fixed on master. The only relevant issue (https://bugzilla.gnome.org/show_bug.cgi?id=752738) seems to be present in 3.22.x only according to the bugtracker while we have 3.20 on 16.03. No CVE was assigned yet.

Member

grahamc commented Feb 9, 2017

What a treat to wake up to!

@peterhoeg if we drop xwidgets, will that break emacs on darwin? ( @LnL7, @copumpkin ) After 17.03 releases, we should be in much closer shape to drop 24. I don't know that there is anything we can do about this for now :( maybe either: Debian has patches in this area?

@fpletz:

GraphicsMagick / ImageMagick is always weird. The only way I can tell the difference is via version numbers being very different. I'll try and figure it out, but frequently I just go back and try and find out if we're behind in versions.

epiphany: "Thanks to Hussam for reporting this bug so quickly after it was introduced" seems to suggest it might not, indeed, be present in 3.20.

grahamc referenced this issue Feb 9, 2017 in "Issue a release #96" (Closed)

Contributor

LnL7 commented Feb 9, 2017

Not sure about emacs. I did add wxmac to nixpkgs for erlang, perhaps emacs could also use that?

Contributor

joachifm commented Feb 10, 2017

It seems unlikely that removing xwidgets would break emacs on darwin. xwidgets is for embedding other windows inside emacs, surely darwin emacs does not rely on that to function?

Member

grahamc commented Feb 10, 2017

You're right, @joachifm -- it is an extra add-on, usually disabled by distributions.

Contributor

LnL7 commented Feb 10, 2017

Yes it's optional, but I don't use emacs so I'm not sure what it's used for. We also have the emacs macport I assume that's what darwin people would prefer to use if they want a graphical version.

Member

grahamc commented Feb 10, 2017

I'm marking libplist as "fixed" for now, assuming they'll release a new version soon.

Member

grahamc commented Feb 10, 2017

Done: So fast this time :D Thank you all, again!

@grahamc grahamc closed this Feb 10, 2017

Member

vcunat commented Feb 11, 2017

Hmm, new glibc claims to fix two CVEs and I can't see any reference to those around nixpkgs, so they might be new.

grahamc referenced this issue Feb 15, 2017 in "Vulnerability Roundup 22 #22826" (Closed)