
Vulnerability roundup 85: swftools-0.9.2: 17 advisories [8.8] #90991

Closed
17 tasks
ckauhaus opened this issue Jun 18, 2020 · 6 comments

Comments

@ckauhaus
Contributor

Scanned versions: nixos-20.03: a84b797; nixos-unstable: 22c9881. May contain false positives.

Cc @k0ral

@k0ral
Contributor

k0ral commented Jun 18, 2020

Possible trajectories:

  1. upgrade derivation to latest changeset from upstream github, in case security issues have been fixed there;
  2. mark package as insecure so that users have to explicitly set permittedInsecurePackages to build derivation;
  3. remove derivation altogether from nixpkgs.

As I suspect not many people are still using these tools (I personally haven't for a long time, and don't intend to in the future), I'd rather go with 3/.

@ckauhaus
Contributor Author

Yes, please remove it from nixpkgs. No upstream release since 2013.

@k0ral
Contributor

k0ral commented Jun 22, 2020

Actually, I cannot just remove swftools as it is a dependency of infoqscraper (nixpkgs ref, upstream ref).
Cc @edwtjo .

@ckauhaus
Contributor Author

@edwtjo would it be feasible to disable flash support in infoqscraper?

alyssais added a commit to alyssais/nixpkgs that referenced this issue Apr 9, 2021
@alyssais
Member

In #118934 I propose marking infoqscraper as broken and swftools as insecure.

alyssais added a commit that referenced this issue Apr 16, 2021
@ckauhaus
Contributor Author

Looks like there's nothing left to do here.
