Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

perl: use pkgs.zlib instead of bundled zlib #167084

Merged
merged 1 commit into from
Apr 8, 2022
Merged

perl: use pkgs.zlib instead of bundled zlib #167084

merged 1 commit into from
Apr 8, 2022
+11 −0

Conversation

stigtsp
Copy link
Member

@stigtsp stigtsp commented Apr 3, 2022
edited
Loading

Description of changes

perl currently contains it's own bundled zlib-1.2.11, which is vulnerable to CVE-2018-25032, and is used when building the core module Compress::Raw::Zlib.

It is built by perl and is separate from perlPackages.CompressRawZlib.

This PR patches perl to use pkgs.zlib instead when building this core module.

# To check what zlib version is used
perl -MCompress::Raw::Zlib -E 'say Compress::Raw::Zlib::zlib_version();'

pmqs/Compress-Raw-Zlib#6

Cc: @alyssais

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.05 Release Notes (or backporting 21.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@stigtsp stigtsp requested review from mweinelt and alyssais April 3, 2022 20:37
@stigtsp
Copy link
Member Author

stigtsp commented Apr 3, 2022

@GrahamcOfBorg build perl

@stigtsp stigtsp marked this pull request as ready for review April 3, 2022 21:56
@stigtsp stigtsp requested a review from zakame as a code owner April 3, 2022 21:56
@stigtsp stigtsp added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Apr 3, 2022
@ofborg ofborg bot added 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild 10.rebuild-linux-stdenv This PR causes stdenv to rebuild labels Apr 3, 2022
@ofborg ofborg bot requested a review from edolstra April 3, 2022 23:33
zakame
zakame approved these changes Apr 4, 2022
View reviewed changes
Copy link
Member

@zakame zakame left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 💯

@stigtsp
Copy link
Member Author

stigtsp commented Apr 4, 2022

@GrahamcOfBorg build pkgsCross.aarch64-multiplatform.perl534
@GrahamcOfBorg build pkgsCross.armv7l-hf-multiplatform.perl534
@GrahamcOfBorg build pkgsMusl.perl534
@GrahamcOfBorg build pkgsi686Linux.perl534
@GrahamcOfBorg build perl534
@GrahamcOfBorg build pkgsCross.aarch64-multiplatform.perlPackages.HTTPDaemon

@stigtsp stigtsp requested a review from vcunat April 4, 2022 12:28
@stigtsp stigtsp mentioned this pull request Apr 4, 2022
Merged
13 tasks
@dasJ dasJ merged commit f4de52a into NixOS:staging Apr 8, 2022
@vcunat
Copy link
Member

vcunat commented Apr 8, 2022

For 21.11 I assume we'll wait for upstream to release versions with updated bundled zlib? I suspect that adding the external runtime dependency on zlib might be a bit intrusive for stable.

@stigtsp
Copy link
Member Author

stigtsp commented Apr 8, 2022

For 21.11 I assume we'll wait for upstream to release versions with updated bundled zlib? I suspect that adding the external runtime dependency on zlib might be a bit intrusive for stable.

Agree 👍

vcunat pushed a commit that referenced this pull request Apr 10, 2022
@stigtsp @vcunat
perl: use pkgs.zlib instead of bundled zlib
836d406 
(cherry picked from commit d1adf50 from PR #167084)
@dguibert dguibert mentioned this pull request Apr 29, 2022
Open
12 tasks
@alyssais
Copy link
Member

alyssais commented May 1, 2022

This appears to have broken pkgsStatic.perl. That's on me for not testing this at the time. I haven't looked into why it broke yet.

@alyssais
Copy link
Member

alyssais commented May 1, 2022

arsv/perl-cross#129

@alyssais alyssais mentioned this pull request May 6, 2022
Merged
13 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zakame zakame zakame approved these changes

@mweinelt mweinelt Awaiting requested review from mweinelt

@alyssais alyssais Awaiting requested review from alyssais

@edolstra edolstra Awaiting requested review from edolstra

@vcunat vcunat Awaiting requested review from vcunat

Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 10.rebuild-darwin: 501+ 10.rebuild-darwin: 5001+ 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild 10.rebuild-linux: 501+ 10.rebuild-linux: 5001+ 10.rebuild-linux-stdenv This PR causes stdenv to rebuild
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@stigtsp @vcunat @alyssais @zakame @dasJ