libgrss: add patch for CVE-2016-20011 #131478

Merged
merged 1 commit into from Jul 28, 2021

Conversation

@risicle risicle commented Jul 25, 2021

Motivation for this change

https://nvd.nist.gov/vuln/detail/CVE-2016-20011

See also #128393

Unfortunately this fix isn't yet merged upstream (https://gitlab.gnome.org/GNOME/libgrss/-/merge_requests/7) which almost tempts me to bring it in-repo. Thoughts?

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • 21.11 Release Notes (or backporting 21.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

amaxine commented Jul 25, 2021

Can we just mark libgrss as unsafe and drop it as a dependency from tracker-miners (by disabling it with Dminer_rss=false)? As far as I can see, the only app to use RSS as a source is gnome-news which we do not have in nixpkgs, and it's equally unmaintained to libgrss.

I guess let's at least merge and backport this to 21.05 for now, and we can decide on just dropping it completely later.

Also, thanks for opening the PR, I completely forgot about it in the first place!

@risicle risicle marked this pull request as ready for review July 25, 2021 19:41
@amaxine amaxine mentioned this pull request Jul 27, 2021
@fpletz fpletz merged commit 9234576 into NixOS:master Jul 28, 2021
@github-actions

Successfully created backport PR #131847 for release-21.05.
