Nixpkgs: Vulnerability Roundup 28

Created on 30 Oct 2017  ·  29Comments  ·  Source: NixOS/nixpkgs

Auto-generated from vulnix $( nix-instantiate -I nixpkgs=. '<nixpkgs/nixos/tests/login.nix>' ) on current master.

audiofile-0.3.6 (search, files)

  • [x] [CVE-2017-6827](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6827)
  • [x] [CVE-2017-6828](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6828)
  • [x] [CVE-2017-6829](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6829)
  • [x] [CVE-2017-6830](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6830)
  • [x] [CVE-2017-6831](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6831)
  • [x] [CVE-2017-6832](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6832)
  • [x] [CVE-2017-6833](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6833)
  • [x] [CVE-2017-6834](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6834)
  • [x] [CVE-2017-6835](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6835)
  • [x] [CVE-2017-6836](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6836)
  • [x] [CVE-2017-6837](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6837)
  • [x] [CVE-2017-6838](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6838)
  • [x] [CVE-2017-6839](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6839)

cyrus-sasl-2.1.26 (search, files)

  • [x] [CVE-2013-4122](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4122)

freetype-2.7.1 (search, files)

  • [x] [CVE-2017-8105](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8105)

jquery-ui-1.11.4 (search, files)

  • [x] [CVE-2016-7103](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7103)

libarchive-3.3.2 (search, files)

  • [x] [CVE-2017-14166](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14166)
  • [ ] [CVE-2017-14501](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14501) [no upstream fix]
  • [x] [CVE-2017-14502](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14502)
  • [ ] [CVE-2017-14503](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14503) [no upstream fix]

libjpeg-turbo-1.5.2 (search, files)

  • [ ] [CVE-2017-15232](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15232) [[patch](https://github.com/libjpeg-turbo/libjpeg-turbo/commit/5bc43c7821df982f65aa1c738f67fbf7cba8bd69) doesn't apply cleanly to stable version]

libsndfile-1.0.28 (search, files)

  • [x] [CVE-2017-12562](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12562)
  • [ ] [CVE-2017-14245](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14245) [no upstream fix]
  • [ ] [CVE-2017-14246](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14246) [no upstream fix]
  • [x] [CVE-2017-14634](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14634)
  • [x] [CVE-2017-6892](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6892)
  • [x] [CVE-2017-8361](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8361)
  • [x] [CVE-2017-8362](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8362)
  • [x] [CVE-2017-8363](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8363)
  • [x] [CVE-2017-8365](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8365)

libtasn1-4.12 (search, files)

  • [x] [CVE-2017-10790](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10790)

libtiff-4.0.8 (search, files)

  • [x] [CVE-2017-10688](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10688)
  • [x] [CVE-2017-11335](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11335)
  • [ ] [CVE-2017-11613](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11613) [no upstream fix, debian and redhat won't fix this]
  • [x] [CVE-2017-12944](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12944)
  • [x] [CVE-2017-13726](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13726)
  • [x] [CVE-2017-13727](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13727)
  • [ ] [CVE-2017-9935](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9935) [no upstream fix]
  • [x] [CVE-2017-9936](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9936)
  • [x] [CVE-2017-9937](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9937)

libvorbis-1.3.5 (search, files)

  • [ ] [CVE-2017-11333](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11333) [no upstream fix]
  • [ ] [CVE-2017-14160](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14160) [no upstream fix]
  • [ ] [CVE-2017-14632](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14632) [no upstream fix]
  • [ ] [CVE-2017-14633](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14633) [no upstream fix]

libxslt-1.1.29 (search, files)

  • [x] [CVE-2017-5029](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5029)

openjpeg-2.1.2 (search, files)

  • [x] [CVE-2016-10504](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10504)
  • [x] [CVE-2016-10505](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10505)
  • [x] [CVE-2016-10506](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10506)
  • [x] [CVE-2016-10507](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10507)
  • [x] [CVE-2016-9112](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9112)
  • [x] [CVE-2016-9113](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9113)
  • [x] [CVE-2016-9114](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9114)
  • [x] [CVE-2016-9115](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9115)
  • [x] [CVE-2016-9116](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9116)
  • [x] [CVE-2016-9117](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9117)
  • [x] [CVE-2016-9118](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9118)

openldap-2.4.45 (search, files)

  • [x] [CVE-2017-14159](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14159)

pcre-8.40 (search, files)

  • [x] [CVE-2017-7186](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7186)
  • [x] [CVE-2017-7244](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7244)
  • [x] [CVE-2017-7245](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7245)
  • [x] [CVE-2017-7246](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7246)

perl-5.24.2 (search, files)

  • [x] [CVE-2017-12814](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12814)
  • [x] [CVE-2017-12837](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12837)
  • [x] [CVE-2017-12883](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12883)

sqlite-3.20.0 (search, files)

  • [x] [CVE-2017-13685](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13685)

owncloud-7.0.5 (search, files)

  • [x] [CVE-2015-4717](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4717)
  • [x] [CVE-2015-4718](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4718)
  • [x] [CVE-2015-5954](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5954)
  • [x] [CVE-2015-6500](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6500)
  • [x] [CVE-2015-6670](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6670)
  • [x] [CVE-2015-7699](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7699)

jython-2.7.0 (search, files)

  • [x] [CVE-2016-4000](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4000)

zabbix-2.0.11 (search, files)

  • [x] [CVE-2014-9450](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9450)
  • [x] [CVE-2016-4338](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4338)
security
Source
picture ckauhaus
🎉2

Most helpful comment

freetype-2.7.1 (search, files) (CVE-2017-8105) is already patched.

picture disassembler on 30 Oct 2017
🎉2

All 29 comments

🚨 ⚡️ 👍 🔥 🚒 🎆 🙌 📯 😄 😂 😹 :partyparrot:

grahamc picture grahamc on 30 Oct 2017
2

cc: @LnL7 @7c6f434c @fpletz @globin @NeQuissimus @wizeman @FRidh @vcunat @peterhoeg @ndowens @dezgeg @nh2.

Note: The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup.

Permanent CC's: @joepie91, @phanimahesh, @the-kenny, @7c6f434c, @k0001, @peterhoeg
@NixOS/security-notifications

If you would like to be CC'd on all roundups, PM me.

grahamc picture grahamc on 30 Oct 2017

This list needs manual cleanup since vulnix does not honour CVE patches already present. Working on this.

ckauhaus picture ckauhaus on 30 Oct 2017

I'm looking at freetype.

disassembler picture disassembler on 30 Oct 2017
👍1

freetype-2.7.1 (search, files) (CVE-2017-8105) is already patched.

disassembler picture disassembler on 30 Oct 2017
🎉2

Sqlite needs merging https://github.com/NixOS/nixpkgs/pull/30927 AFAICT.

dezgeg picture dezgeg on 30 Oct 2017

https://github.com/NixOS/nixpkgs/pull/21161 Should resolved jquery-ui CVE.

disassembler picture disassembler on 30 Oct 2017
👍1

libxslt is already patched in master and 17.09.

disassembler picture disassembler on 30 Oct 2017

I'll take libjpeg-turbo

disassembler picture disassembler on 30 Oct 2017

libvorbis

fpletz picture fpletz on 30 Oct 2017

The openldap CVE-2017-14159 is a minor issue with PID file creation. It is only really applicable if initscripts are used, so NixOS isn't even vulnerable since our openldap service neither uses nor creates a PID file. Ticked off.

fpletz picture fpletz on 30 Oct 2017

All the audiofile stuff seems to be mpruett/audiofile#42

NeQuissimus picture NeQuissimus on 30 Oct 2017

sqlite - staging is already on 3.20.1 but that suffers from CVE-2017-15286, a PR is opened to update to 3.21.0 https://github.com/NixOS/nixpkgs/pull/30927

pbogdan picture pbogdan on 30 Oct 2017

libtiff - we have patches for:

  • CVE-2017-9936
  • CVE-2017-10688
  • CVE-2017-11335
  • CVE-2017-12944
  • CVE-2017-13726
  • CVE-2017-13727

CVE-2017-9937 - appears to be a incorrectly assigned, the bug is in jbigkit package - http://bugzilla.maptools.org/show_bug.cgi?id=2707

pbogdan picture pbogdan on 30 Oct 2017

libtasn1: source reports fixing CVE-2017-9310 with an upstream patch; in reality it seems to be a patch for CVE-2017-10790. It seems that https://nvd.nist.gov/vuln/detail/CVE-2017-9310 is about Qemu anyway… It seems that Debian imported the same patch http://git.savannah.nongnu.org/cgit/libtasn1.git/patch/?id=d8d805e1f2e6799bb2dff4871a8598dc83088a39 as a fix for CVE-2017-10790 in
https://anonscm.debian.org/cgit/pkg-gnutls/libtasn1.git/commit/?id=75d2ac4bcc8c92515d1bbda33103c5f78d353a6e

Could anyone recheck that I am not missing something?

Edited to add: and, of course, renaming the patch will be a gtk-rebuild…

7c6f434c picture 7c6f434c on 30 Oct 2017

CVE-2017-14166 and CVE-2017-14502 (libarchive) fixed in https://github.com/NixOS/nixpkgs/pull/30990.

The other two (CVE-2017-14503 and CVE-2017-14166) has no upstream patches yet.

adisbladis picture adisbladis on 30 Oct 2017

The following openjpeg CVEs are already fixed in master and 17.09 ref 428927ffa6e5c255ef97f62435b0777f8f9481df :

  • CVE-2016-9112
  • CVE-2016-9114
  • CVE-2016-9116
  • CVE-2016-9118

So I'm marking those.

peterhoeg picture peterhoeg on 31 Oct 2017

Actually, CVE-2017-10790 got fixed in 1fb803c3677ad4423a68f1520b266c440d06bb23 (although pretending to have fixed CVE-2017-9310), so this can be checked too.

I added a commit in #31082 fixing the CVE number.

flokli picture flokli on 1 Nov 2017
1

jython fix comes with #31090.

flokli picture flokli on 1 Nov 2017

I've got bad news for nixos-unstable* channels.

-small jobset has succeeded hours ago, but apparently the channel script is stuck. The big jobset is blocked by one test that seems impossible to start, even if I cancel and restart it. /cc @edolstra

EDIT: nixos-unstable updated now and should be OK, whereas -small keeps stuck, paradoxically.

vcunat picture vcunat on 1 Nov 2017

I picked this round of mass rebuilds to 17.09. In case of e.g. sqlite it may have been more suitable to find and apply only specific patches instead of the upgrades; certainly feel free to do so (I don't have that much time to spare).

vcunat picture vcunat on 1 Nov 2017

And speaking of time, I ignored 17.03, at least for now. IIRC we used to leave only a month's overlay, so we might just drop picking to 17.03 except for really critical problems. I really have no idea how fast NixOS users migrate, but one month probably isn't too much. I believe we should at least explicitly announce such plans in advance, saying e.g. that 17.09 shall be maintained (at least) until the end of May 2018.

vcunat picture vcunat on 1 Nov 2017

I was also just about to also push those cherry-picks after having tested a few builds. Thanks! I'm more liberal concerning minor package bumps if they don't break any of our packages.

Regarding the security support: I agree but let's wait until we have the security team and 'on call' figured out. I'll also try to fix the most important ones for 17.03.

fpletz picture fpletz on 1 Nov 2017

All of theowcloud vulnerabilities are fixed after version 8.1.2.

@matejc Is there any reason to keep so many old versions around?

adisbladis picture adisbladis on 2 Nov 2017

We have a libc problem: https://nvd.nist.gov/vuln/detail/CVE-2017-15670

Plan:

  • [x] pick just the patch for 17.09, and verify there aren't more missed security patches; EDIT: 6566d0a1a26
  • [x] on staging update to 2.26+stable directly, and get to nixos-unstable* soon
vcunat picture vcunat on 5 Nov 2017

Sounds good, vcunat. Other distro bug trackers and source repos can prove
helpful to enumerate security patches we may need.
On Sun 5. Nov 2017 at 11:34, Vladimír Čunát notifications@github.com
wrote:

We have a libc problem: https://nvd.nist.gov/vuln/detail/CVE-2017-15670

Plan:

  • pick just the patch for 17.09, and verify there aren't more missed
    security patches
  • on staging update to 2.26+stable directly, and get to
    nixos-unstable* soon


You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/NixOS/nixpkgs/issues/30959#issuecomment-341963152,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAErrERBLoO3LiLVuJcyBM19bh7cuhxRks5szY8ZgaJpZM4QLB8y
.

grahamc picture grahamc on 5 Nov 2017

glibc: on 17.09 it's in channels (probably), and we have it on master as well, with some caveats: 6ffafc78fbc.

vcunat picture vcunat on 7 Nov 2017
1

Patched the audiofile issues.

fpletz picture fpletz on 19 Nov 2017

Fixed all remaining fixable CVEs and added comments to the remaining issues. Most can't be fixed because there is no upstream fix yet. I think we can close this issue now and do another roundup soon.

fpletz picture fpletz on 19 Nov 2017
🎉1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ThomasMader picture ThomasMader  ·  65Comments
Infinisil picture Infinisil  ·  146Comments
nico202 picture nico202  ·  70Comments
peti picture peti  ·  75Comments
7c6f434c picture 7c6f434c  ·  66Comments