pythonPackages.cryptography: Fix CVE-2020-25659 #101929

Closed
wants to merge 1 commit into from

Conversation

@primeos
Member

@primeos primeos commented Oct 28, 2020

Motivation for this change

Port of #101751 for the ancient Python 2 world.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
@ajs124
Member

@ajs124 ajs124 commented Oct 28, 2020

ancient Python 2 world

The issue they're trying to fix here (they say themselves their API doesn't really allow it) is older than python 2.0, so we might as well backport stuff like this.

@primeos
Member Author

@primeos primeos commented Oct 28, 2020

@GrahamcOfBorg build pythonPackages.cryptography

@ajs124 not sure what you're trying to say here. That note didn't have anything to do with the fix / security issue. Only the fact that Python 2 should already be dead (https://pythonclock.org/, https://fedoraproject.org/wiki/Changes/RetirePython2, etc.; #NoOffense though :D).

@ajs124
Member

@ajs124 ajs124 commented Oct 28, 2020

I'm just amazed that Bleichenbacher Oracle attacks are still relevant, after >20 years. I'm also amazed that people still use python2 (although I'm also too afraid to check if I still use python2 software).
So I guess I'm saying that it seems like old stuff that shouldn't be relevant anymore goes well together.

@jonringer
Contributor

@jonringer jonringer commented Oct 28, 2020

@GrahamcOfBorg build pythonPackages.requests

@jonringer
Contributor

@jonringer jonringer commented Oct 28, 2020

seems the patch doesn't apply nicely:

Hunk #1 succeeded at 6 (offset -1 lines).
patching file src/cryptography/hazmat/backends/openssl/rsa.py
Hunk #1 FAILED at 119.
1 out of 1 hunk FAILED -- saving rejects to file src/cryptography/hazmat/backends/openssl/rsa.py.rej
builder for '/nix/store/09lss32w0qz4j41lc6gj1d3pvirh4w5q-python2.7-cryptography-2.9.2.drv' failed with exit code 1
error: build of '/nix/store/09lss32w0qz4j41lc6gj1d3pvirh4w5q-python2.7-cryptography-2.9.2.drv' failed

@jonringer
Contributor

@jonringer jonringer commented Oct 28, 2020

pythonPackages.cryptography may just need to be marked as vulnerable

@primeos
Member Author

@primeos primeos commented Oct 28, 2020

@ajs124 oh, makes sense then.

seems the patch doesn't apply nicely:

@jonringer yeah, I just tried to apply it locally and unfortunately there are a lot of other changes which make the backport non-trivial (at least for me; and since it's security-critical code I don't even want to give it a try).

pythonPackages.cryptography may just need to be marked as vulnerable

I'd also like that. I just checked how many packages still depend on pythonPackages.cryptography but unfortunately it still looks very bad... :o

nixpkgs-review results
541 packages updated:

Especially cachix and nixops would need to be resolved first.

Not sure how to best proceed here... Help is welcome.
In any case, I hope that we can remove Python 2 support for 21.03 (at least officially).

@jonringer
Contributor

@jonringer jonringer commented Oct 28, 2020

nixops needs to be updated to python3; we probably have a very old version on nixpkgs.
cachix uses it to generate some docs; that should be able to be converted over to python3 as well.

@jonringer
Contributor

@jonringer jonringer commented Oct 28, 2020

why are there python3 builds being affected?

@jonringer
Contributor

@jonringer jonringer commented Oct 28, 2020

I'm going to create a separate issue to tackle these, and then we can manage the packages individually.

#101964

Filtered out the python2 packages, as there's not much we can do. Left the python3 packages (which shouldn't be affected) and applications.

@FRidh FRidh added this to WIP in Staging via automation Nov 1, 2020
@primeos
Member Author

@primeos primeos commented Nov 24, 2020

Closing this failed attempt in favor of #104726 which supersedes this PR.
Huge thanks for your awesome work @jonringer! :)

@primeos primeos closed this Nov 24, 2020
Staging automation moved this from WIP to Done Nov 24, 2020