
[r19.09] musl: 1.1.2x -> 1.1.24 (security) #73758

Merged
merged 1 commit into from Dec 7, 2019

Conversation

@d-goldin
Contributor

d-goldin commented Nov 19, 2019

Motivation for this change

I think it's worth considering backporting this fix to 19.09 too, as it's rated as critical.
Addresses: #73668

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @dtzWill

@ofborg ofborg bot requested a review from thoughtpolice Nov 19, 2019
@d-goldin d-goldin changed the title from "musl: 1.1.2x -> 1.1.24" to "[r19.09] musl: 1.1.2x -> 1.1.24 (security)" Nov 19, 2019
@fpletz fpletz added this to the 19.09 milestone Nov 21, 2019
@nh2
nh2 approved these changes Nov 21, 2019
Contributor

nh2 left a comment

nix-review is happy with this:

[58 built, 1735 copied (9701.9 MiB), 1176.3 MiB DL]
https://github.com/NixOS/nixpkgs/pull/73758
1 package are marked as broken and were skipped:
nix-exec

50 package were build:
bundix busybox-sandbox-shell cabal2nix cachix common-updater-scripts crystal2nix dep2nix discover disnix disnixos fusionInventory gnome3.gnome-packagekit gnome3.gnome-software simple-scan go2nix haskellPackages.cachix haskellPackages.nix-paths hydra lispPackages.quicklisp-to-nix lispPackages.quicklisp-to-nix-system-info lorri musl nix nix-bundle nix-du nix-index nix-pin nix-plugins nix-prefetch nix-prefetch-bzr nix-prefetch-cvs nix-prefetch-docker nix-prefetch-git nix-prefetch-hg nix-prefetch-scripts nix-prefetch-svn nix-review nix-serve nix-update-source nixFlakes nixUnstable nixos-generators nixui packagekit packagekit-qt pypi2nix python37Packages.nixpkgs python37Packages.pythonix vgo2nix vulnix
@fpletz fpletz self-assigned this Nov 21, 2019
https://www.openwall.com/lists/musl/2019/10/13/5

Apparently 1.1.23 never made it to nixpkgs proper (?!), see:
https://git.musl-libc.org/cgit/musl/commit/?id=b07d45eb01e900f0176894fdedab62285f5cb8be

(sorry I apparently dropped the ball here)

(cherry picked from commit 1263a71)
@fpletz fpletz force-pushed the d-goldin:backport_musl_bump branch from 6b92fa3 to 30843ef Nov 21, 2019
@fpletz

Member

fpletz commented Nov 21, 2019

Cherry-picked with -x (see section in the nixpkgs manual) onto recent release-19.09 and force pushed.

@fpletz fpletz requested a review from dtzWill Nov 21, 2019
@fpletz

Member

fpletz commented Nov 21, 2019

Currently checking if some of the pkgsStatic package set still works. @dtzWill should have the final say if we can safely backport this.

@dtzWill
dtzWill approved these changes Dec 3, 2019
Contributor

dtzWill left a comment

LGTM, thanks for backporting!

I'm unaware of anything other than fixes and improvements in this set of upgrades, I think it's safe. And well motivated by the security fix.

@d-goldin

Contributor Author

d-goldin commented Dec 3, 2019

@dtzWill: Well, there was pretty much zero effort of "backporting", just noticed that this could be useful for 19.09 too, that's all. Thanks for taking a look!

@fpletz fpletz merged commit 7823b4a into NixOS:release-19.09 Dec 7, 2019
16 checks passed
musl on x86_64-darwin No attempt
Evaluation Performance Report Evaluator Performance Report
grahamcofborg-eval ^.^!
grahamcofborg-eval-check-maintainers matching changed paths to changed attrs...
grahamcofborg-eval-check-meta config.nix: checkMeta = true
grahamcofborg-eval-darwin nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A darwin-tested
grahamcofborg-eval-nixos nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release-combined.nix -A tested
grahamcofborg-eval-nixos-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A manual
grahamcofborg-eval-nixos-options nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A options
grahamcofborg-eval-nixpkgs-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A manual
grahamcofborg-eval-nixpkgs-tarball nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A tarball
grahamcofborg-eval-nixpkgs-unstable-jobset nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A unstable
grahamcofborg-eval-package-list nix-env -qa --json --file .
grahamcofborg-eval-package-list-no-aliases nix-env -qa --json --file . --arg config { allowAliases = false; }
musl on aarch64-linux Success
musl on x86_64-linux Success
@d-goldin d-goldin deleted the d-goldin:backport_musl_bump branch Dec 7, 2019