perlPackages.HTTPDaemon: 6.01 -> 6.14, patch for CVE-2022-3108 #181632

Merged

stigtsp commented Jul 15, 2022

Description of changes

Upstream issue: libwww-perl/HTTP-Daemon#56

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.11 Release Notes (or backporting 22.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

stigtsp commented Jul 15, 2022

@GrahamcOfBorg build perlPackages.HTTPDaemon

stigtsp force-pushed the package/perl-http-daemon-update branch from fd034fb to 0667fff, July 15, 2022 20:31
stigtsp changed the base branch from master to staging, July 15, 2022 20:33
stigtsp force-pushed the package/perl-http-daemon-update branch from 0667fff to 0749248, July 15, 2022 20:52

risicle commented Jul 16, 2022

If you give the patches a name = that includes the CVE id it usually allows tools like vulnix to automatically consider them as fixed.
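
Added example, not part of the original thread and not vulnix's own code: a sketch of the name-based matching described in the comment above, where a scanner reads a derivation's `patches` environment value and treats any CVE id found in a patch file name as fixed. The store hashes and the patch names other than the CVE id from this PR's title are constructed placeholders.

```python
import re

# CVE ids as they appear in patch file names, e.g. "CVE-2022-3108.patch".
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
# Store paths look like /nix/store/<32-char hash>-<name>.
STORE_RE = re.compile(r"^/nix/store/[0-9a-z]{32}-(?P<name>.+)$")


def patched_cves(drv_env):
    """CVE ids mentioned in the names of the derivation's patches."""
    found = set()
    for path in drv_env.get("patches", "").split():
        m = STORE_RE.match(path)
        name = m.group("name") if m else path.rsplit("/", 1)[-1]
        found.update(cve.upper() for cve in CVE_RE.findall(name))
    return found


def triage(drv_env, advisories):
    """Split advisories for a package into (still_open, fixed_by_patch)."""
    fixed = patched_cves(drv_env)
    wanted = {a.upper() for a in advisories}
    return sorted(wanted - fixed), sorted(wanted & fixed)


# Constructed sample data: placeholder store hashes, hypothetical patch names.
NAMED = {
    "name": "perl5.34.1-HTTP-Daemon-6.14",
    "patches": "/nix/store/" + "a" * 32 + "-CVE-2022-3108.patch "
               "/nix/store/" + "b" * 32 + "-fix-tests.patch",
}
UNNAMED = {
    "name": "perl5.34.1-HTTP-Daemon-6.14",
    "patches": "/nix/store/" + "c" * 32 + "-0001-upstream-fix.patch",
}

if __name__ == "__main__":
    for env in (NAMED, UNNAMED):
        still_open, fixed = triage(env, ["CVE-2022-3108"])
        print(env["name"], "open:", still_open, "fixed:", fixed)
```

Matching on the name trusts the packager's label and says nothing about the patch content, so a mistyped id leaves the advisory open and a wrongly named patch hides it.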

github-actions commented

Successfully created backport PR #181767 for staging-22.05.

Artturin commented

Adding ModuleBuildTiny regressed the cross-compilation of an aarch64 ISO:

perl5.34.1-File-ShareDir> Can't load module IO, dynamic loading not available in this perl.
perl5.34.1-File-ShareDir>   (You may need to build a new perl executable which either supports
perl5.34.1-File-ShareDir>   dynamic loading or has the IO module statically linked into it.)
perl5.34.1-File-ShareDir>  at /nix/store/8i0lwxcrdwdacl9sr3na04mhikcw1q0g-perl-aarch64-unknown-linux-gnu-5.34.1/lib/perl5/5.34.1/aarch64-linux/IO/Handle.pm line 268.
perl5.34.1-File-ShareDir> Compilation failed in require at /nix/store/8i0lwxcrdwdacl9sr3na04mhikcw1q0g-perl-aarch64-unknown-linux-gnu-5.34.1/lib/perl5/5.34.1/aarch64-linux/IO/Handle.pm line 268.
perl5.34.1-File-ShareDir> BEGIN failed--compilation aborted at /nix/store/8i0lwxcrdwdacl9sr3na04mhikcw1q0g-perl-aarch64-unknown-linux-gnu-5.34.1/lib/perl5/5.34.1/aarch64-linux/IO/Handle.pm line 268.
perl5.34.1-File-ShareDir> Compilation failed in require at /nix/store/8i0lwxcrdwdacl9sr3na04mhikcw1q0g-perl-aarch64-unknown-linux-gnu-5.34.1/lib/perl5/5.34.1/aarch64-linux/IO/Seekable.pm line 100.
perl5.34.1-File-ShareDir> BEGIN failed--compilation aborted at /nix/store/8i0lwxcrdwdacl9sr3na04mhikcw1q0g-perl-aarch64-unknown-linux-gnu-5.34.1/lib/perl5/5.34.1/aarch64-linux/IO/Seekable.pm line 100.
perl5.34.1-File-ShareDir> Compilation failed in require at /nix/store/8i0lwxcrdwdacl9sr3na04mhikcw1q0g-perl-aarch64-unknown-linux-gnu-5.34.1/lib/perl5/5.34.1/aarch64-linux/IO/File.pm line 132.
perl5.34.1-File-ShareDir> BEGIN failed--compilation aborted at /nix/store/8i0lwxcrdwdacl9sr3na04mhikcw1q0g-perl-aarch64-unknown-linux-gnu-5.34.1/lib/perl5/5.34.1/aarch64-linux/IO/File.pm line 132.
perl5.34.1-File-ShareDir> Compilation failed in require at inc/latest/private.pm line 10.
perl5.34.1-File-ShareDir> BEGIN failed--compilation aborted at inc/latest/private.pm line 10.
perl5.34.1-File-ShareDir> Compilation failed in require at inc/latest.pm line 5.
perl5.34.1-File-ShareDir> Compilation failed in require at Makefile.PL line 18.
perl5.34.1-File-ShareDir> BEGIN failed--compilation aborted at Makefile.PL line 18.
$ nix why-depends ".#nixosConfigurations.cross-vm.config.system.build.sdImage" "/nix/store/l3hpy9zxgdasynii3n2zi7hcwawd98pd-perl5.34.1-File-ShareDir-1.118-aarch64-unknown-linux-gnu.drv" --derivation
/nix/store/anmi6cx0lbq7g20a082fnkpccywwkigd-nixos-sd-image-22.11.20220721.f09c360-aarch64-linux.img-aarch64-unknown-linux-gnu.drv
└───/nix/store/2zk1f55hbr4f4rgn81lrqs52j0psn290-ext4-fs.img.zst-aarch64-unknown-linux-gnu.drv
    └───/nix/store/dkvg9ikxz1pdklqp4r8xcj8f2a233vhn-nixos-system-nixos-22.11.20220721.f09c360.drv
        └───/nix/store/b0kwn69sswbk3fwf0081fkvq8hq0bvp4-perl-aarch64-unknown-linux-gnu-5.34.1-env.drv
            └───/nix/store/b34582k94bbh4wflb5y1gzm62i2jahma-perl5.34.1-HTTP-Daemon-6.14-aarch64-unknown-linux-gnu.drv
                └───/nix/store/lshjfyw5mn0kzbfqlhiyn20szyrsxjq4-perl5.34.1-Module-Build-Tiny-0.039-aarch64-unknown-linux-gnu.drv
                    └───/nix/store/l3hpy9zxgdasynii3n2zi7hcwawd98pd-perl5.34.1-File-ShareDir-1.118-aarch64-unknown-linux-gnu.drv
{
  description = "cross-compile the sd-image-aarch64 on x86_64-linux to aarch64-multiplatform";
  inputs = {
    #nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    #nixpkgs.url = "/home/artturin/nixgits/my-nixpkgs/.worktree/1";
    nixpkgs.url = "/home/artturin/nixgits/my-nixpkgs";
  };

  outputs = { self, nixpkgs }: {

    nixosConfigurations.cross-vm = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ({ pkgs, lib, modulesPath, ... }: {
          nixpkgs = {
            crossSystem = lib.systems.examples.aarch64-multiplatform;
          };

          imports = [ (modulesPath + "/installer/sd-card/sd-image-aarch64.nix") ];

          # very heavy to build
          boot.kernelPatches = [
            {
              name = "no-debug-info";
              patch = null;
              extraConfig = ''
                DEBUG_INFO n
              '';
            }
          ];

          users.mutableUsers = false;
          users.users.root = {
            password = "root";
          };
          users.users.user = {
            password = "user";
            isNormalUser = true;
            extraGroups = [ "wheel" ];
          };
          system.stateVersion = "22.05";
        })
      ];
    };

    packages.x86_64-linux.default = self.nixosConfigurations.cross-vm.config.system.build.sdImage;
    packages.x86_64-linux.vm = self.nixosConfigurations.cross-vm.config.system.build.vm;
    apps.x86_64-linux.vm = {
      type = "app";
      program = "${self.defaultPackage.x86_64-linux}/bin/run-nixos-vm-cross";
    };
  };
}
