Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

file: add patch for CVE-2019-18218 #72025

Merged
merged 1 commit into from
Oct 28, 2019

Conversation

risicle
Copy link
Contributor

@risicle risicle commented Oct 26, 2019

Motivation for this change

https://nvd.nist.gov/vuln/detail/CVE-2019-18218

Upstream patch https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84.patch doesn't apply directly, debian have a version which has been adapted for 5.37.

Massive list of reverse dependencies - I don't have the capacity to do the full build.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @

@KamilaBorowska
Copy link
Member

This probably should be submitted to staging branch.

upstream patch https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84.patch
doesn't apply directly, debian have a version which has been adapted for
5.37.
@risicle risicle changed the base branch from master to staging October 26, 2019 17:18
@risicle
Copy link
Contributor Author

risicle commented Oct 26, 2019

Good call. Rebased.

@ofborg ofborg bot added the 6.topic: vim label Oct 26, 2019
@ofborg ofborg bot requested review from edolstra, lovek323 and globin October 26, 2019 17:33
@risicle
Copy link
Contributor Author

risicle commented Oct 27, 2019

@GrahamcOfBorg build file

@ckauhaus
Copy link
Contributor

The patch looks reasonable. I think we should go for Hydra to build all reverse deps -- it's unlikely that any developer will do that on their own machine.

@ckauhaus ckauhaus merged commit 9d87889 into NixOS:staging Oct 28, 2019
ckauhaus pushed a commit that referenced this pull request Oct 28, 2019
Cherry-picked from #72025

upstream patch https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84.patch
doesn't apply directly, debian have a version which has been adapted for
5.37.
@veprbl veprbl added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Nov 1, 2019
@veprbl
Copy link
Member

veprbl commented Jan 25, 2020

A fix for the dead URL: #78479

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

4 participants