[r19.09] libvpx: add patches for CVE-2019-9232, CVE-2019-9325, CVE-2019-9371, CVE-2019-9433 #74751

Merged
merged 1 commit into NixOS:staging-19.09 from risicle:ris-libvpx-CVEs-r19.09 Dec 13, 2019

Conversation

@risicle
Contributor

@risicle risicle commented Nov 30, 2019

Motivation for this change

https://nvd.nist.gov/vuln/detail/CVE-2019-9232
https://nvd.nist.gov/vuln/detail/CVE-2019-9325
https://nvd.nist.gov/vuln/detail/CVE-2019-9371
https://nvd.nist.gov/vuln/detail/CVE-2019-9433

Backports sourced from debian package 1.7.0-3+deb10u1, included in-repo as file is not available on sources.debian.org or salsa.debian.org. I'm still running the (long, slow) unit tests, but everything seems ok so far.

For master, see #60826

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @

…CVE-2019-9433

backports sourced from debian package 1.7.0-3+deb10u1, included in-repo
as file is not available on sources.debian.org or salsa.debian.org
@risicle risicle force-pushed the risicle:ris-libvpx-CVEs-r19.09 branch from b6937d4 to 9bcc760 Nov 30, 2019
@risicle risicle changed the title libvpx: add patches for CVE-2019-9232, CVE-2019-9325, CVE-2019-9371, CVE-2019-9433 [r19.09] libvpx: add patches for CVE-2019-9232, CVE-2019-9325, CVE-2019-9371, CVE-2019-9433 Nov 30, 2019
@risicle
Contributor Author

@risicle risicle commented Nov 30, 2019

Incidentally, I'll just add a note on how I'm running the libvpx unit tests, as it's kinda non-standard. Once unitTestsSupport is enabled, it's then just a matter of using nix-shell . -A libvpx and stepping through the phases manually. After buildPhase, I just run LIBVPX_TEST_DATA_PATH=some_dir make test, some_dir being any writeable dir that the test runner will first download a number of test files to before running the tests themselves. Now is a good time to go and do your laundry.
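The test procedure from the comment above, written out as a shell.nix that turns on unitTestsSupport (the plain nix-shell . -A libvpx invocation would give the default build without it) followed by the phases to run inside that shell. This is an added illustration, not code from the PR or from nixpkgs; it assumes the file lives in a nixpkgs checkout, that pkgs.libvpx takes the unitTestsSupport argument the comment mentions, and that /tmp/libvpx-testdata is an arbitrary writable directory standing in for some_dir.

```nix
# shell.nix (added example, not part of the PR)
# Assumes this file sits at the root of a nixpkgs checkout and that
# pkgs.libvpx accepts the unitTestsSupport argument named in the comment.
let
  pkgs = import ./. { };
in
pkgs.libvpx.override { unitTestsSupport = true; }

# Inside the resulting shell, step through the stdenv phases by hand
# (unpackPhase changes into the source directory itself), then run the
# test target with the data directory the runner may download into:
#
#   nix-shell ./shell.nix
#   unpackPhase
#   patchPhase          # applies the four CVE backport patches from this PR
#   configurePhase
#   buildPhase
#   LIBVPX_TEST_DATA_PATH=/tmp/libvpx-testdata make test
```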

@risicle
Contributor Author

@risicle risicle commented Dec 1, 2019

All tests passed.

@nh2
Contributor

@nh2 nh2 commented Dec 1, 2019

@risicle I have some questions on whether this already fixes all 4 of the CVEs or only the first two, over at #60826 (comment)

@FRidh FRidh added this to Needs review in Staging (stable) Dec 1, 2019
@nh2
Contributor

@nh2 nh2 commented Dec 1, 2019

I have some questions on whether this already fixes all 4 of the CVEs or only the first two, over at #60826 (comment)

OK updated, I have checked that according to Debian all 4 CVEs listed are fixed by those patches.

Remaining is only what's fixed by

webmproject/libvpx@0681cff - vp9: fix OOB read in decoder_peek_si_internal

Is that also one of the CVEs?

@risicle
Contributor Author

@risicle risicle commented Dec 1, 2019

That is apparently CVE-2019-9325. See the notes in https://security-tracker.debian.org/tracker/CVE-2019-9325

@nh2
Contributor

@nh2 nh2 commented Dec 1, 2019

Backports sourced from debian package 1.7.0-3+deb10u1, included in-repo as file is not available on sources.debian.org or salsa.debian.org.

This seems to come from e.g.

https://release.debian.org/proposed-updates/buster_diffs/libvpx_1.7.0-3+deb10u1.debdiff

which I got linked from https://release.debian.org/proposed-updates/stable.html.

@nh2
Contributor

@nh2 nh2 commented Dec 1, 2019

That is apparently CVE-2019-9325. See the notes in https://security-tracker.debian.org/tracker/CVE-2019-9325

OK, I've updated the table, it is all clear now.

@nh2
nh2 approved these changes Dec 1, 2019
Contributor

@nh2 nh2 left a comment

I have double-checked that the changes in here are the same as in Debian and that they are intended to fix the 4 CVEs involved.

I have not double-checked whether Debian's changes are sensible or if they are fully equivalent to the upstream (non-backport) commits listed in #60826 (comment)

Staging (stable) automation moved this from Needs review to Ready Dec 1, 2019
@risicle
Contributor Author

@risicle risicle commented Dec 1, 2019

Cool thanks ✔️

@andir andir merged commit 36f766f into NixOS:staging-19.09 Dec 13, 2019
15 checks passed (ofborg evaluation and meta checks; libvpx built successfully on aarch64-linux and x86_64-linux)
Staging (stable) automation moved this from Ready to Done Dec 13, 2019
@nh2 nh2 mentioned this pull request Jan 20, 2020