
Vulnerability Roundup 30 #32459

Closed
32 of 46 tasks
ckauhaus opened this issue Dec 8, 2017 · 16 comments
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 9.needs: port to stable A PR needs a backport to the stable release.
Comments

@ckauhaus
Contributor

ckauhaus commented Dec 8, 2017

@7c6f434c
Member

7c6f434c commented Dec 8, 2017

busybox: ab917a2 (after minimal testing, it seems that we had the problem and the patch does fix it) and all CVE fixes from master picked to release-17.09 in 5cb8134

@7c6f434c
Member

7c6f434c commented Dec 8, 2017

Permanent CC's: @NixOS/security-notifications, @joepie91, @phanimahesh, @the-kenny, @7c6f434c, @k0001, @peterhoeg, @nh2, @LnL7

@ckauhaus could you edit the Permanent CC's from the previous kind of roundups into the issue template? I guess with some explanation of how to get added/removed…

@vcunat vcunat added 1.severity: security Issues which raise a security issue, or PRs that fix one 9.needs: port to stable A PR needs a backport to the stable release. labels Dec 8, 2017
vcunat added a commit that referenced this issue Dec 9, 2017
Also use sha256 instead of sha1 for the source.
vcunat added a commit that referenced this issue Dec 9, 2017
Also use sha256 instead of sha1 for the source.

(cherry picked from commit cd9231a)
@vcunat
Member

vcunat commented Dec 9, 2017

gstreamer: the -plugins-bad from 0.10 is a really bad package... I would just phase it out, marking it as insecure for now. Any better ideas?

@andir
Member

andir commented Dec 9, 2017

Regarding vte-0.28.2 (CVE-2012-2738) we currently ship a patch

```nix
# CVE-2012-2738
./vte-0.28.2-limit-arguments.patch
```

that is marked as CVE-2012-2738. Going through some of the release logs you find multiple commits that are supposed to fix that issue (http://ftp.gnome.org/pub/GNOME/sources/vte/0.32/vte-0.32.2.news).
The bug gnome has assigned internally is https://bugzilla.gnome.org/show_bug.cgi?id=676090 . The changelog (http://ftp.gnome.org/pub/GNOME/sources/vte/0.32/vte-0.32.2.changes) lists both commits that are required.

From what I can see right now we are lacking at least https://git.gnome.org/browse/vte/commit/?id=98ce2f265f986fb88c38d508286bb5e3716b9e74.

I have opened a PR (#32506) that introduces the missing patch.

@andir
Member

andir commented Dec 9, 2017

One issue that I am missing from the list is

openssl-1.0.2m (https://www.openssl.org/news/secadv/20171207.txt)

Both of them are fixed in version 1.0.2n.

PR #32507 has the version bump.

@andir
Member

andir commented Dec 9, 2017

The rsync CVE is fixed in #32510

vcunat added a commit that referenced this issue Dec 9, 2017
There are also non-security changes in the releases. /cc #32459.
Printing test OK, and I tested work with some postscript files.
I also fixed the license - it was changed in 2013 :-/
@vcunat
Member

vcunat commented Dec 9, 2017

ghostscript: I couldn't find a commit or reference explicitly mentioning CVE-2016-10317, so I don't know whether it's fixed.

@vcunat
Member

vcunat commented Dec 9, 2017

exiv2: no upstream release yet, and pulling such an amount of patches will be a bit painful, but let me try.

Exiv2 v0.27 RC1 January 2018. GM April 2018.

vcunat added a commit that referenced this issue Dec 9, 2017
/cc #32459.  I can't see any other CVE patches that are either
backported upstream to the 0.26 branch or applied in some distro.
vcunat added a commit that referenced this issue Dec 9, 2017
Many of the fixes seem to have potential to be vulnerabilities,
though most aren't labeled with a CVE number.  /cc #32459
vcunat added a commit that referenced this issue Dec 10, 2017
There are also non-security changes in the releases. /cc #32459.
Printing test OK, and I tested work with some postscript files.
I also fixed the license - it was changed in 2013 :-/

(cherry picked from commit ca6952f)
vcunat added a commit that referenced this issue Dec 10, 2017
/cc #32459.  I can't see any other CVE patches that are either
backported upstream to the 0.26 branch or applied in some distro.

(cherry picked from commit 332a800)
vcunat added a commit that referenced this issue Dec 10, 2017
Many of the fixes seem to have potential to be vulnerabilities,
though most aren't labeled with a CVE number.  /cc #32459

(cherry picked from commit 8f4f9b6)
vcunat added a commit that referenced this issue Dec 10, 2017
/cc #32459.

(cherry picked from commit aa9fbd0)
@ckauhaus
Contributor Author

@7c6f434c There's not much of an issue template right now. So I guess this is the time to create one. :-)

vcunat added a commit that referenced this issue Dec 11, 2017
@nh2
Contributor

nh2 commented Jan 4, 2018

QtPass needs to be updated 1.1.6 -> 1.2.1 due to a security issue with its password generator.

See IJHack/QtPass#338

@andir
Member

andir commented Jan 4, 2018

@hrdinka should probably have a look at QtPass then

@adisbladis
Member

x265 was fixed in ddc309c

@adisbladis
Member

CVE-2016-4912 fixed in 1aca02b and backported to 17.09 in ecc8eb6

@adisbladis
Member

CVE-2017-7960 & CVE-2017-7961 addressed in #33539

@adisbladis
Member

@nh2 @andir The issue in QtPass was already fixed (#33445).

@fpletz fpletz added this to the 18.03 milestone Mar 13, 2018
@ckauhaus
Contributor Author

ckauhaus commented Oct 8, 2018

nixos-17.09 EOL

@ckauhaus ckauhaus closed this as completed Oct 8, 2018