Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

qtwebengine: add patch for CVE-2019-13720 #72794

Merged

Conversation

@petabyteboy
Copy link
Contributor

petabyteboy commented Nov 4, 2019

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

CC qt maintainers @qknight @ttuegel @periklis @bkchr
CC security team @grahamc @fpletz @domenkozar

@petabyteboy petabyteboy requested a review from ttuegel as a code owner Nov 4, 2019
@petabyteboy

This comment has been minimized.

Copy link
Contributor Author

petabyteboy commented Nov 4, 2019

Whoops, this patch does not apply to the source as it is

@petabyteboy petabyteboy force-pushed the petabyteboy:feature/qtwebengine-cve-2019-13720 branch from 31b2fd4 to 3eb7e54 Nov 4, 2019
@petabyteboy petabyteboy force-pushed the petabyteboy:feature/qtwebengine-cve-2019-13720 branch from 3eb7e54 to a96b448 Nov 4, 2019
@petabyteboy petabyteboy force-pushed the petabyteboy:feature/qtwebengine-cve-2019-13720 branch 4 times, most recently from c8bc8b1 to 440ca6d Nov 4, 2019
@petabyteboy

This comment has been minimized.

Copy link
Contributor Author

petabyteboy commented Nov 4, 2019

I think it should be okay now, maybe someone else can look into patches for older versions of qtwebengine, but I think this one is most important.

@petabyteboy petabyteboy force-pushed the petabyteboy:feature/qtwebengine-cve-2019-13720 branch from 440ca6d to c459182 Nov 4, 2019
@petabyteboy

This comment has been minimized.

Copy link
Contributor Author

petabyteboy commented Nov 4, 2019

Meh, still broken: Does fetchpatch provide an option to remove the directory prefix (a/b) after adding the extraPrefix?

@veprbl

This comment has been minimized.

Copy link
Member

veprbl commented Nov 4, 2019

Meh, still broken: Does fetchpatch provide an option to remove the directory prefix (a/b) after adding the extraPrefix?

stripLen = 1 should work, just don't forget to update sha256.

@petabyteboy petabyteboy force-pushed the petabyteboy:feature/qtwebengine-cve-2019-13720 branch from c459182 to 00ac18c Nov 4, 2019
@petabyteboy

This comment has been minimized.

Copy link
Contributor Author

petabyteboy commented Nov 4, 2019

Ah, got it. Thanks for the help.

@d-goldin

This comment has been minimized.

Copy link
Contributor

d-goldin commented Nov 8, 2019

nix-review report:

[117 built (3 failed), 1323 copied (9869.6 MiB), 2226.9 MiB DL]
error: build of '/nix/store/dc4v7ah4js6ilsf5xdp9bgqxgl2mj74c-env.drv' failed
https://github.com/NixOS/nixpkgs/pull/72794
1 package are marked as broken and were skipped:
gopherclient

4 package failed to build:
spyder python38Packages.pyside2 python38Packages.pyside2-tools python38Packages.spyder

104 package were build:
akregator amarok anki calamares clipgrab digikam eagle falkon fcitx-engines.libpinyin freecad ghostwriter kaddressbook kde-cli-tools kdeApplications.akonadi-calendar kdeApplications.akonadi-contacts kdeApplications.akonadi-import-wizard kdeApplications.akonadiconsole kdeApplications.calendarsupport kdeApplications.eventviews kdeApplications.incidenceeditor kdeApplications.kalarm kdeApplications.kdepim-addons kdeApplications.kdepim-apps-libs kdeApplications.kdepim-runtime kgpg kmail kdeApplications.kmail-account-wizard kdeApplications.kmailtransport kdeApplications.knotes kdeApplications.konqueror kontact korganizer kdeApplications.libgravatar kdeApplications.libkdepim kdeApplications.libkgapi kdeApplications.libksieve kdeApplications.mailcommon kdeApplications.mailimporter kdeApplications.mbox-importer kdeApplications.messagelib kdeApplications.pim-data-exporter kdeApplications.pim-sieve-editor kdeApplications.pimcommon kdeplasma-addons kdev-php kdev-python kdevelop kdevelop-unwrapped kmenuedit ksysguard kwin-tiling plasma5.khotkeys plasma5.libksysguard luminanceHDR luxcorerender mendeley minizincide monero-gui multibootusb musescore nextcloud-client nmapsi4 otter-browser plasma-desktop plasma-vault plasma-workspace powerdevil systemsettings psi-plus python27Packages.foxdot python27Packages.pyqtwebengine python27Packages.pyside2 python27Packages.pyside2-tools python37Packages.foxdot python37Packages.pyqtwebengine python37Packages.pyside2 python37Packages.pyside2-tools python38Packages.foxdot python38Packages.pyqtwebengine qmapshack qolibri qsyncthingtray qt5Full qt5.qtwebengine qt5.qtwebview qutebrowser radare2-cutter rssguard rstudio rstudioWrapper seafile-client skrooge sonic-pi supercollider supercollider_scel syncthingtray teamspeak_client toggldesktop trojita vnote wacomtablet webmacs zanshin zoom-us

The spyder failure is pre-existing in current master.

Aside from that - is there an alternative link/resource we could provide in the comment? The currently provided one requires a login.

@petabyteboy

This comment has been minimized.

Copy link
Contributor Author

petabyteboy commented Nov 9, 2019

Thanks for running nix-review.
These are some other resources I could find, but I'm not sure which should be linked:
https://www.mail-archive.com/qutebrowser@lists.qutebrowser.org/msg00645.html
https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/qt5-webengine&id=3946bcd53cc07b3c56a9ac0409cc748c5fa0ad4c

I think it is critical that we can ship this soon, since it is a remote arbitrary code execution in browsers that some of us use being exploited in the wild. The maintainers or members of the security team can push changes to my branch as they see fit.

@d-goldin

This comment has been minimized.

Copy link
Contributor

d-goldin commented Nov 9, 2019

Let's ping @globin @andir @worldofpeace additionally.

@globin globin merged commit cdf9b62 into NixOS:master Nov 9, 2019
13 checks passed
13 checks passed
Evaluation Performance Report Evaluator Performance Report
Details
grahamcofborg-eval ^.^!
Details
grahamcofborg-eval-check-maintainers matching changed paths to changed attrs...
Details
grahamcofborg-eval-check-meta config.nix: checkMeta = true
Details
grahamcofborg-eval-darwin nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A darwin-tested
Details
grahamcofborg-eval-nixos nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release-combined.nix -A tested
Details
grahamcofborg-eval-nixos-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A manual
Details
grahamcofborg-eval-nixos-options nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A options
Details
grahamcofborg-eval-nixpkgs-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A manual
Details
grahamcofborg-eval-nixpkgs-tarball nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A tarball
Details
grahamcofborg-eval-nixpkgs-unstable-jobset nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A unstable
Details
grahamcofborg-eval-package-list nix-env -qa --json --file .
Details
grahamcofborg-eval-package-list-no-aliases nix-env -qa --json --file . --arg config { allowAliases = false; }
Details
@globin

This comment has been minimized.

Copy link
Member

globin commented Nov 9, 2019

Thanks, also testing backports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.