cnijfilter_2_80: disable fortify hardening #276300
This has been successfully tested by @ipoupaille in #276125 (comment), I will merge this in a few days.
@ipoupaille is 23.11 affected or only nixos-unstable?
I produced the problem on nixos-23.11. I have not tested on unstable. I have made the last test pinning the package version
I added the backport to 23.11 tag, then
the cups filter crashes with hardening Fixes NixOS#276125
I suggest mentioning this to upstream as it signifies a bug (possibly quite a serious one with security implications).
@@ -100,6 +100,10 @@ stdenv.mkDerivation { | |||
them, it undoes the --set-rpath. this prevents that. */ | |||
dontPatchELF = true; | |||
|
|||
# fortify hardening makes the filter crash | |||
# https://github.com/NixOS/nixpkgs/issues/276125 | |||
hardeningDisable = [ "fortify" ]; |
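Review bot: The comment added above `hardeningDisable = [ "fortify" ];` records only that the filter crashes, while the setting switches off fortify for the whole derivation. If disabling `fortify3` alone stops the crash, prefer `hardeningDisable = [ "fortify3" ];` so the lower fortify level stays active. Please also extend the comment to say that a crash under fortify usually signals a memory-safety bug in the filter that is still unfixed upstream, so the exemption is not later mistaken for a false positive and dropped or widened.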
Apparently we can get away with just disabling fortify3
cool, I did not know about this one.
b326716 to d4c1c32
About upstream, this is a half-proprietary printer driver last updated in 2007 (version bumps drop support for old printers so we have to keep old versions). I'm not optimistic enough to spend time over contacting upstream.
😿
Successfully created backport PR for
the cups filter crashes with hardening
Fixes #276125