
libtiff: 4.0.10 -> 4.1.0 #72092

Merged
merged 2 commits into from Nov 9, 2019

@JohnAZoidberg
Member

JohnAZoidberg commented Oct 27, 2019

Motivation for this change

https://nvd.nist.gov/vuln/detail/CVE-2019-7663

vulnerable in unstable, 19.03 and 19.09

Fixes #57158

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

No maintainer :(

@@ -23,6 +23,11 @@ stdenv.mkDerivation rec {
name = "CVE-2019-6128.patch";
sha256 = "03yvsfq6dxjd3v8ypfwz6cpz2iymqwcbawqqlmkh40dayi7fgizr";
})
(fetchurl {
url = "https://gitlab.com/libtiff/libtiff/commit/802d3cbf3043be5dce5317e140ccb1c17a6a2d39.patch";
name = "CVE-2019-7663";
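Review bot: the `name` of the added fetchurl entry is "CVE-2019-7663", without the `.patch` suffix that the CVE-2019-6128 entry directly above it uses; make it `name = "CVE-2019-7663.patch";` so the fetched patch files are named consistently in the store. The lines shown stop at `name`, so also confirm that the new entry carries its own `sha256`, as the entry above does, since the fixed hash is what ties the build to the exact contents served from the pinned commit URL.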

@mmahut

mmahut Oct 27, 2019

Member
Suggested change
name = "CVE-2019-7663";
name = "CVE-2019-7663.patch";
@mmahut

Member

mmahut commented Oct 27, 2019

This should probably go into staging for mass rebuild.

@FRidh FRidh added this to Ready in Staging Nov 2, 2019
@FRidh FRidh changed the base branch from master to staging Nov 3, 2019
@FRidh FRidh moved this from Ready to WIP in Staging Nov 3, 2019
@FRidh

Member

FRidh commented Nov 3, 2019

@JohnAZoidberg you may want to enable "Allow edits from maintainers" as that makes it easier for others to pick up your changes, modify them when needed, and submit them. Of course you do not have to if you do not want to!
https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/allowing-changes-to-a-pull-request-branch-created-from-a-fork

@dtzWill

Contributor

dtzWill commented Nov 5, 2019

Perhaps update to 4.1.0 as well (instead?)? Didn't check if contains fix but seems likely :).

@JohnAZoidberg JohnAZoidberg force-pushed the JohnAZoidberg:libtiff-CVE-2019-7663 branch from 8a5b6cc to eca4eae Nov 6, 2019
@JohnAZoidberg JohnAZoidberg force-pushed the JohnAZoidberg:libtiff-CVE-2019-7663 branch from eca4eae to 2223e61 Nov 6, 2019
@JohnAZoidberg

Member Author

JohnAZoidberg commented Nov 6, 2019

"Allow edits from maintainers" is enabled, like always by default. Did you try pushing something to my branch and it didn't work?
Sorry not coming back to this PR.

Yes, 4.1.0 includes all patches. Should we backport the new version?
Skimming through the changelog I don't see any immediately obvious incompatibilities but I'm not sure about some changes.
So I'd suggest to backport just the patching commit.

@vcunat vcunat self-assigned this Nov 9, 2019
vcunat added a commit that referenced this pull request Nov 9, 2019
(cherry picked from commit 5270c3a)
vcunat added a commit that referenced this pull request Nov 9, 2019
(cherry picked from commit 5270c3a)
/cc #57158.
@vcunat
vcunat approved these changes Nov 9, 2019
Staging automation moved this from WIP to Ready Nov 9, 2019
vcunat added a commit that referenced this pull request Nov 9, 2019
into staging.  This fixes CVE-2019-7663 and incorporates other patches.
@vcunat vcunat merged commit 2223e61 into NixOS:staging Nov 9, 2019
15 checks passed
  • Evaluation Performance Report Evaluator Performance Report
  • grahamcofborg-eval ^.^!
  • grahamcofborg-eval-check-maintainers matching changed paths to changed attrs...
  • grahamcofborg-eval-check-meta config.nix: checkMeta = true
  • grahamcofborg-eval-darwin nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A darwin-tested
  • grahamcofborg-eval-nixos nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release-combined.nix -A tested
  • grahamcofborg-eval-nixos-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A manual
  • grahamcofborg-eval-nixos-options nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A options
  • grahamcofborg-eval-nixpkgs-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A manual
  • grahamcofborg-eval-nixpkgs-tarball nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A tarball
  • grahamcofborg-eval-nixpkgs-unstable-jobset nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A unstable
  • grahamcofborg-eval-package-list nix-env -qa --json --file .
  • grahamcofborg-eval-package-list-no-aliases nix-env -qa --json --file . --arg config { allowAliases = false; }
  • libtiff on aarch64-linux Success
  • libtiff on x86_64-linux Success
Staging automation moved this from Ready to Done Nov 9, 2019
@JohnAZoidberg JohnAZoidberg deleted the JohnAZoidberg:libtiff-CVE-2019-7663 branch Nov 9, 2019
hax404 added a commit to hax404/nixpkgs that referenced this pull request Nov 13, 2019
(cherry picked from commit 5270c3a)
@vcunat vcunat changed the title libtiff: Patch CVE-2019-7663 libtiff: 4.0.10 -> 4.1.0 Dec 29, 2019
@vcunat vcunat mentioned this pull request Dec 29, 2019
1 of 1 task complete