Nixpkgs: Vulnerability Roundup 7

Created on 2 Nov 2016 · 25 Comments · Source: NixOS/nixpkgs

Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last hunt.

Notes on the list

  1. The reports have been roughly grouped by the package name. This
    isn't perfect, but is intended to help identify if a whole group
    of reports is resolved already.
  2. Some issues will be duplicated, because they affect multiple packages.
    For example, there are sometimes problems that impact thunderbird,
    and firefox. LWN might report in one vulnerability "thunderbird
    firefox". These names have been split to make sure both packages get
    addressed.
  3. By each issue is a link to code search for the package name, and
    a Github search by filename. These are to help, but may not return
    results when we do in fact package the software. If a search
    doesn't turn up, please try altering the search criteria or
    looking in nixpkgs manually before asserting we don't have it.

Instructions:

  1. Triage a report: If we don't have the software or our version isn't
    vulnerable, tick the box or add a comment with the report number,
    stating it isn't vulnerable.
  2. Fix the issue: If we do have the software and it is vulnerable,
    either leave a comment on this issue saying so, or even open a pull
    request with the fix. If you open a PR, make sure to tag this
    issue so we can coordinate.
  3. When an entire section is completed, move the section to the
    "Triaged and Resolved Issues" details block below.

Upon Completion ...

  • [x] Update https://github.com/NixOS/nixpkgs/issues/13515 with a
    summary.

Without further ado...

Assorted (21 issues)

  • [x] [#705119](https://lwn.net/Vulnerabilities/705119/) (search, files) cairo: denial of service
  • [x] [#704699](https://lwn.net/Vulnerabilities/704699/) (search, files) nspr, nss: information disclosure
  • [x] [#705125](https://lwn.net/Vulnerabilities/705125/) (search, files) imagemagick: multiple vulnerabilities
  • [ ] [#705216](https://lwn.net/Vulnerabilities/705216/) (search, files) tar: file overwrite
  • [x] [#705214](https://lwn.net/Vulnerabilities/705214/) (search, files) memcached: code execution
  • [x] [#704699](https://lwn.net/Vulnerabilities/704699/) (search, files) nspr, nss: information disclosure
  • [x] [#704698](https://lwn.net/Vulnerabilities/704698/) (search, files) nginx: privilege escalation
  • [x] [#704922](https://lwn.net/Vulnerabilities/704922/) (search, files) nodejs-tough-cookie: denial of service
  • [x] [#705213](https://lwn.net/Vulnerabilities/705213/) (search, files) libxml2: code execution
  • [ ] [#703767](https://lwn.net/Vulnerabilities/703767/) (search, files) chromium-browser: multiple vulnerabilities
  • [x] [#704924](https://lwn.net/Vulnerabilities/704924/) (search, files) tre: code execution
  • [x] [#704712](https://lwn.net/Vulnerabilities/704712/) (search, files) mozilla: two vulnerabilities
  • [x] [#704702](https://lwn.net/Vulnerabilities/704702/) (search, files) perl-Image-Info: information disclosure
  • [x] [#705124](https://lwn.net/Vulnerabilities/705124/) (search, files) chromium: denial of service
  • [x] [#704834](https://lwn.net/Vulnerabilities/704834/) (search, files) openstack-manila-ui: cross-site scripting
  • [x] [#705120](https://lwn.net/Vulnerabilities/705120/) (search, files) qemu-kvm: multiple vulnerabilities
  • [x] [#668545](https://lwn.net/Vulnerabilities/668545/) (search, files) libpng: read underflow
  • [x] [#620056](https://lwn.net/Vulnerabilities/620056/) (search, files) sssd: restriction bypass
  • [x] [#704701](https://lwn.net/Vulnerabilities/704701/) (search, files) qemu: three vulnerabilities
  • [x] [#704697](https://lwn.net/Vulnerabilities/704697/) (search, files) asterisk: two vulnerabilities
  • [x] [#704712](https://lwn.net/Vulnerabilities/704712/) (search, files) mozilla: two vulnerabilities

graphicsmagick (3 issues)

  • [x] [#704703](https://lwn.net/Vulnerabilities/704703/) (search, files) graphicsmagick: three vulnerabilities
  • [x] [#704711](https://lwn.net/Vulnerabilities/704711/) (search, files) graphicsmagick: multiple vulnerabilities
  • [x] [#704704](https://lwn.net/Vulnerabilities/704704/) (search, files) graphicsmagick: multiple vulnerabilities

kernel (2 issues)

  • [x] [#704737](https://lwn.net/Vulnerabilities/704737/) (search, files) kernel: local privilege escalation (Dirty COW)
  • [x] [#704714](https://lwn.net/Vulnerabilities/704714/) (search, files) kernel: three vulnerabilities

mariadb (2 issues)

  • [x] [#705212](https://lwn.net/Vulnerabilities/705212/) (search, files) mysql: unspecified vulnerability
  • [x] [#705211](https://lwn.net/Vulnerabilities/705211/) (search, files) mariadb: multiple unspecified vulnerabilities

mysql (2 issues)

  • [x] [#705212](https://lwn.net/Vulnerabilities/705212/) (search, files) mysql: unspecified vulnerability
  • [x] [#705211](https://lwn.net/Vulnerabilities/705211/) (search, files) mariadb: multiple unspecified vulnerabilities

potrace (2 issues)

  • [x] [#704700](https://lwn.net/Vulnerabilities/704700/) (search, files) potrace: multiple vulnerabilities
  • [x] [#639578](https://lwn.net/Vulnerabilities/639578/) (search, files) potrace: denial of service

All 25 comments

cc @FRidh, @fpletz, @NeQuissimus, @vcunat who participated last time.

Also:

  • [x] Backport 11 curl patch to 16.09: 1e1609da6ad87fe828973f17f1f175b3de841383

PS: I'm unusually busy this morning, and won't be able to participate as much as normal. I'll have some time here and there. Feel free to conscript your friends to help finish this out ;)

The perl-Image-Info package is vulnerable. I will push an updated version shortly.

@rycee Thank you for the patches and what-not! When you push a commit to a branch, can you add a comment on this issue with the package, and the sha that you fixed it in? That'll help me do the summary at the end.

perl-Image-Info: https://github.com/NixOS/nixpkgs/commit/68f2bc8fb351065fda55c8a7b1ee6d74ba64a9a0 / f33c5f713e1aa7c780134154e8e5072ad2081921

@grahamc Sorry, I missed that. I'll make sure to include the commit hashes in the future.

Django (not yet on LWN): 6ad14d42569ffbf214ee301aaa9f47370bc5555d, 58ad105cd43356e3de024fbf7df2d34f10d696df, b806e14a3ced762ec2b0ce162c75d400f312e897

https://www.djangoproject.com/weblog/2016/nov/01/security-releases/

We should remove Django 1.5 and 1.6 as they're not maintained upstream anymore. One of the users of Django 1.6 in nixpkgs, reviewboard, is maintaining a version with security patches, maybe switch to this: https://www.reviewboard.org/news/2016/11/01/new-django-1-6-11-5-security-releases/

I'm currently investigating and will open a PR shortly if all goes well.

I just took a quick look at gnutar and it needs to be changed to pull from git. But something is wrong with fetchgit, it complains about an issue in cpio of all things. Not really sure what to do.

nginx is up-to-date. I think the vulnerability is Debian-specific

@NeQuissimus: tar may pose problems due to being involved in bootstrapping.

@vcunat This is how far I got:
https://gist.github.com/NeQuissimus/9a01a2215fffba1ce789ca598486fa46

1) Changed the fetchurl to fetchgit
2) nix-build complains about a chain of things, which lead me back to fetchurl/boot.nix
3) Added a , ... argument to the function there "fixes" the issue
4) C build does not work; and I have no idea about C builds :)

@vcunat can you help me out with fixing the tar issue? I'd love to understand how that process works.

BTW thank you everyone for help with this roundup. I've had an incredibly busy week, and regret not being more involved. I'll do a summary on this one shortly.

I'm closing out this issue for now, but it is important to note hydra hasn't passed in some time: https://hydra.nixos.org/build/43025591 can someone diagnose this issue and try and get a fix in?

Also, we really need to get this tar issue fixed. @vcunat If not you, who could show me the process here?

@grahamc What's the issue with tar? I can help.

Thank you for the nss patch, @shlevy! Regarding tar, it is mishandling .. in archives: https://lwn.net/Vulnerabilities/705216/ which @NeQuissimus was trying to patch: https://gist.github.com/NeQuissimus/9a01a2215fffba1ce789ca598486fa46
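The tar report referenced here (#705216, "tar: file overwrite") is about archive member names containing `..` that let extraction write outside the target directory. As an added example, not part of this issue thread or of nixpkgs, the following Python check rejects such members before anything is extracted. The destination path `/tmp/extract` and the in-memory sample archive (one safe file, one `..` path, one symlink pointing outside) are constructed for the demonstration; the only library used is the standard `tarfile` module.

```python
"""Added example (not from the nixpkgs issue): find tar members that would
land outside the extraction directory, so an untrusted archive can be
rejected instead of overwriting files via '..' components or symlinks.
"""
import io
import os
import tarfile
from typing import List


def unsafe_members(archive_bytes: bytes, dest: str = "/tmp/extract") -> List[str]:
    """Return the names of members whose final path escapes `dest`.

    Three cases are covered: a member name that normalises outside `dest`
    (e.g. '../x' or an absolute path), a symlink whose target resolves
    outside `dest`, and a hard link whose target lies outside `dest`.
    `dest` is an assumed path; it does not need to exist.
    """
    dest_real = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            # realpath collapses '..' segments and resolves any existing symlinks
            target = os.path.realpath(os.path.join(dest_real, member.name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                bad.append(member.name)
                continue
            if member.issym():
                # symlink targets are relative to the link's own directory
                link_target = os.path.realpath(
                    os.path.join(os.path.dirname(target), member.linkname))
            elif member.islnk():
                # hard link targets are relative to the archive root
                link_target = os.path.realpath(
                    os.path.join(dest_real, member.linkname))
            else:
                continue
            if os.path.commonpath([dest_real, link_target]) != dest_real:
                bad.append(member.name)
    return bad


def is_safe_archive(archive_bytes: bytes, dest: str = "/tmp/extract") -> bool:
    """True when no member would escape `dest`; extract only in that case."""
    return not unsafe_members(archive_bytes, dest)


def build_sample_archive() -> bytes:
    """Constructed sample: one normal file, one '..' path, one escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in [("pkg/README", b"hello\n"), ("../outside.txt", b"x\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("pkg/escape-link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"  # resolves to a parent of dest
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("unsafe members:", unsafe_members(sample))
    print("safe to extract:", is_safe_archive(sample))
```

The check runs over `getmembers()` without extracting anything, so it can gate an `extractall` call; Python 3.12 and later also offer `extractall(filter="data")`, which applies equivalent rules inside the library itself.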

Testing a fix

Will link to jobsets shortly...

Well, I wanted to link to evals but the loop is taking too long (@edolstra @rbvermaa everything good with hydra?) http://hydra.nixos.org/jobset/nixos/staging http://hydra.nixos.org/jobset/nixos/staging-16.09 I'll check back in the morning.

It does compilation during eval! http://hydra.nixos.org/jobset/nixos/staging#tabs-errors

Using git would complicate the bootstrapping process and make it longer, so it's nicer to avoid that like shlevy did.

I can post a few lines about (linux stdenv) bootstrapping here/somewhere, if you're still interested.

Yes please!

The build-during-eval is due to the cjdns test...
