Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[22.11] rustc: 1.64.0 -> 1.66.1 #213287

Closed
wants to merge 15 commits into from
Closed

[22.11] rustc: 1.64.0 -> 1.66.1 #213287

wants to merge 15 commits into from

Conversation

winterqt
Copy link
Member

Description of changes

https://github.com/rust-lang/rust/releases/tag/1.65.0
https://github.com/rust-lang/rust/releases/tag/1.66.0
https://github.com/rust-lang/rust/releases/tag/1.66.1

Fixes CVE-2022-46176.

This is the path of least resistence, sadly; see the discussion in #210139.

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin, nix-build -A fd -A synth -A sqlx-cli -A zee -A httplz
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.05 Release Notes (or backporting 22.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@winterqt winterqt requested review from tjni and figsoda January 29, 2023 03:06
@winterqt winterqt added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Jan 29, 2023
@winterqt winterqt changed the title rustc: 1.64.0 -> 1.66.1 [22.11] rustc: 1.64.0 -> 1.66.1 Jan 29, 2023
@ofborg ofborg bot requested review from greizgh and booklearner January 29, 2023 04:23
@FRidh
Copy link
Member

FRidh commented Jan 29, 2023

Looking at the CVE it applies when cloning with cargo via SSH. We do not do this for our Nix builds and hence for that use case it is not relevant. Upgrading rustc often causes regressions.

Of course where the CVE does matter is for users using cargo outside of our Nixpkgs builds and outside of Nix builds.

I do not think this is the correct solution, and instead think the correct solution is to simply inform users that 1.64.0 should not be used doing ... because ... instead of forcing an update which can cause regressions both in Nixpkgs and outside.

@tjni
Copy link
Contributor

tjni commented Jan 29, 2023

These changes look good to me! I don't have an opinion on whether backporting is appropriate or not (depends on our position on security issues).

@figsoda
Copy link
Member

figsoda commented Jan 31, 2023

@FRidh I talked to @winterqt about this, and both of us think that the fix should be backported if we can make sure that no regressions happen within nixpkgs, since people do use cargo outside and might be affected by the CVE.

Another possibility I thought about was defaulting buildRustPackage and buildRustCrate (or just rustPlatform?) to 1.64.0, and make 1.66.1 the default rust. This way we can make sure that no regressions (no rebuilds as well) happen in nixpkgs if we change all uses of cargo and rustc to 1.64.0. Though, I am worried that it might be confusing and hard to debug for users since top-level rust and buildRustPackage would have different versions.

Do you have any suggestions how we might fix the vulnerability other than this and applying the patches? Or can you think of an easier way to apply the patches other than the method mentioned in #210139 (comment)? Perhaps it's better to apply the patches instead to avoid the potential regressions, even if the solution is ugly?

@winterqt winterqt marked this pull request as draft February 2, 2023 04:48
@mweinelt
Copy link
Member

mweinelt commented Feb 14, 2023
edited
Loading

Fails to link on aarch64-linux. I think we encountered that on unstable as well. Works after pulling #209113 on top.

rustc-aarch64-linux>    Compiling rustc_smir v0.0.0 (/build/rustc-1.66.1-src/compiler/rustc_smir)
rustc-aarch64-linux> error: linking with `/nix/store/08g2dvyx4i4zdc0s9i51029hlfm6q5ld-gcc-wrapper-9.5.0/bin/cc` failed: exit status: 1
rustc-aarch64-linux>   |
rustc-aarch64-linux>   = note: "/nix/store/08g2dvyx4i4zdc0s9i51029hlfm6q5ld-gcc-wrapper-9.5.0/bin/cc" "/build/rustcK9Xf7c/symbols.o" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/rustc_main-95936b2b75bd5cef.rustc_main.eb2391a0-cgu.0.rcgu.o" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/rustc_main-95936b2b75bd5cef.rustc_main.eb2391a0-cgu.1.rcgu.o" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/rustc_main-95936b2b75bd5cef.rustc_main.eb2391a0-cgu.2.rcgu.o" "-Wl,--as-needed" "-L" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps" "-L" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/release/deps" "-L" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/build/psm-725259a90952840f/out" "-L" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/build/rustc_llvm-1fe81efb55ddb6da/out" "-L" "/nix/store/5133rd9ic81ybbf6myhwdrbhnikwpyaf-llvm-14.0.6-lib/lib" "-L" "/nix/store/2hzialg74cbmvqz17qnv9kzjglf8c8f9-gcc-9.5.0/lib/gcc/aarch64-unknown-linux-gnu/9.5.0/../../../../lib64" "-L" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/aarch64-unknown-linux-gnu/lib" "-L" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps" "-lrustc_driver-c4bd77c3b6122f7a" "-L" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/aarch64-unknown-linux-gnu/lib" "-lstd-3c72abc60e605edb" "-Wl,-Bstatic" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/aarch64-unknown-linux-gnu/lib/libcompiler_builtins-a6b1f233b01990e9.rlib" "-Wl,-Bdynamic" "-lLLVM-14" "-ldl" "-lgcc_s" "-lutil" "-lrt" "-lpthread" "-lm" "-ldl" "-lc" "-Wl,--eh-frame-hdr" "-Wl,-znoexecstack" "-L" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/aarch64-unknown-linux-gnu/lib" "-o" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/rustc_main-95936b2b75bd5cef" "-Wl,--gc-sections" "-pie" "-Wl,-zrelro,-znow" "-Wl,-O1" "-nodefaultlibs" "-Wl,-z,origin" "-Wl,-rpath,$ORIGIN/../lib"
rustc-aarch64-linux>   = note: /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_swp1_acq_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/aarch64-unknown-linux-gnu/lib/libstd-3c72abc60e605edb.so: undefined reference to `__aarch64_ldset8_relax'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldset1_acq_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldclr1_relax'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldclr8_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_swp8_acq_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_swp4_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_cas4_acq'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_cas8_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldadd8_acq_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/aarch64-unknown-linux-gnu/lib/libstd-3c72abc60e605edb.so: undefined reference to `__aarch64_swp4_acq'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldset8_acq_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_cas1_acq_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_swp8_acq'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldset1_relax'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldadd4_acq_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldadd8_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_swp1_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/aarch64-unknown-linux-gnu/lib/libstd-3c72abc60e605edb.so: undefined reference to `__aarch64_cas4_relax'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_swp1_acq'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/aarch64-unknown-linux-gnu/lib/libstd-3c72abc60e605edb.so: undefined reference to `__aarch64_ldadd4_acq'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_cas8_acq'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldclr8_relax'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldadd8_relax'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_cas1_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_cas8_relax'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldset8_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_cas8_acq_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldadd4_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/aarch64-unknown-linux-gnu/lib/libstd-3c72abc60e605edb.so: undefined reference to `__aarch64_ldadd4_relax'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_cas1_relax'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_cas1_acq'
rustc-aarch64-linux>           collect2: error: ld returned 1 exit status
rustc-aarch64-linux>           
rustc-aarch64-linux>   = help: some `extern` functions couldn't be found; some native libraries may need to be installed or have their path specified
rustc-aarch64-linux>   = note: use the `-l` flag to specify native libraries to link
rustc-aarch64-linux>   = note: use the `cargo:rustc-link-lib` directive to specify the native libraries to link with Cargo (see https://doc.rust-lang.org/cargo/reference/build-scripts.html#cargorustc-link-libkindname)
rustc-aarch64-linux> 
rustc-aarch64-linux> error: could not compile `rustc-main` due to previous error
rustc-aarch64-linux> Build completed unsuccessfully in 0:04:04
rustc-aarch64-linux> make: *** [Makefile:12: all] Error 1

@mweinelt
Copy link
Member

mweinelt commented Feb 14, 2023
edited
Loading

On x86_64-linux fd fails a test. Issue on my remote builder using ZFS with formD normalization.

fd> failures:
fd> 
fd> ---- test_exec_invalid_utf8 stdout ----
fd> thread 'test_exec_invalid_utf8' panicked at 'called `Result::unwrap()` on an `Err` value: Os { code: 84, kind: Uncategorized, message: "Invalid or incomplete multibyte or wide character" }', tests/tests.rs:2080:6
fd> note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
fd> 
fd> ---- test_invalid_utf8 stdout ----
fd> thread 'test_invalid_utf8' panicked at 'called `Result::unwrap()` on an `Err` value: Os { code: 84, kind: Uncategorized, message: "Invalid or incomplete multibyte or wide character" }', tests/tests.rs:1756:6
fd> 
fd> 
fd> failures:
fd>     test_exec_invalid_utf8
fd>     test_invalid_utf8
fd> 
fd> test result: FAILED. 79 passed; 2 failed; 0 ignored; 0 measured; 0 filtered out; finished in 6.64s
fd> 
fd> error: test failed, to rerun pass `--test tests`

tjni and others added 3 commits February 14, 2023 19:06
@tjni @winterqt
vector: fix build against rust 1.66
63d00d3 
(cherry picked from commit 108f65b)
@winterqt
rust: fix on aarch64-linux by using GCC 11 and passing -lgcc
4e3c11c 
This change switches to using GCC 11 by default on aarch64-linux, as well as passing `-lgcc` to the linker, per NixOS#201485.

See NixOS#201254 and NixOS#208412 for wider context on the issue.

(cherry picked from commit 8442601)
@winterqt
rustc: 1.66.0 -> 1.66.1
57efa85 
https://github.com/rust-lang/rust/blob/stable/RELEASES.md#version-1661-2023-01-10

Fixes CVE-2022-46176.

(cherry picked from commit 21dbce8)
@winterqt winterqt marked this pull request as ready for review February 15, 2023 00:06
@mweinelt
Copy link
Member

aarch64-linux

/nix/store/9s3k2rci116pzvqmd184w6bdw5xkz9qh-fd-8.5.3
/nix/store/1d7a91ay3h2ypfp1d64zmxb87ypipiqw-synth-0.6.8
/nix/store/q420wcl3y8j2wsps270gjhzbdcxhlzd4-sqlx-cli-0.6.2
/nix/store/915f4g9hqvk6rr5xbyw9l2w0zz8pbixd-zee-0.3.2
/nix/store/691c21xzwp1d09y0hkngq7r89zmvgm8r-httplz-1.12.5

x86_64-linux

/nix/store/jm00bachpanypihhvdpqhw97ch5yd66q-fd-8.5.3
/nix/store/7hxamhhv0w5pkl1wqv2nc812smllh28g-synth-0.6.8
/nix/store/yn3mwf0r4zkvhn6w825lqfvz3zavfrsj-sqlx-cli-0.6.2
/nix/store/a6vn8xd90svbss0wfv9f6kirg59hzmj0-zee-0.3.2
/nix/store/8gb37dy0iji5rvxsvn3sqx5yxk390k45-httplz-1.12.5

@mweinelt
Copy link
Member

mweinelt commented Feb 15, 2023
edited
Loading

The following fixes need to be picked as well

  • firefox-unwrapped: cdf0283
  • spidermonkey: 77a214e
  • rpm-ostree: 97655c9
    • only the NIX_LDDLAGS change, not the version bump
  • zerotierone: ba3db3e

vcunat and others added 4 commits February 14, 2023 22:57
@vcunat @winterqt
spidermonkey: fixup build on aarch64-linux
2e431b8 
All three versions are the same in this respect.
It's the issue with old libgcc_s propagated via our glibc package; e.g.
NixOS#209113

(cherry picked from commit 77a214e)
@vcunat @winterqt
firefox: fixup build on aarch64-linux
e5e8f1d 
It's the issue with old libgcc_s propagated via our glibc package; e.g.
NixOS#209113

(cherry picked from commit cdf0283)
@misuzu @winterqt
zerotierone: add -lgcc to NIX_LDFLAGS
2097723 
This is required to workaround NixOS#201254

(cherry picked from commit ba3db3e)
@winterqt
rpm-ostree: fix on aarch64-linux by using GCC 11 and passing -lgcc
d1d283e 
See NixOS#209113 for context. This has to
be done manually because rpm-ostree doesn't use the Cargo setup hooks (which
automatically set this flag).
@winterqt
Copy link
Member Author

@mweinelt Should be good to go now, thank you for compiling that list/testing. (You need to retire that zpool, though.)

@winterqt
Copy link
Member Author

winterqt commented Feb 15, 2023
edited
Loading

(Oh, and for posterity, I didn't cherrypick the rpm-ostree change because that was done alongside a version bump, and it felt weird cherrypicking only a part of a commit. If any part of that commit isn't ideal, including that fact, let me know.)

@FRidh
Copy link
Member

FRidh commented Feb 15, 2023
edited
Loading

Do you have any suggestions how we might fix the vulnerability other than this and applying the patches? Or can you think of an easier way to apply the patches other than the method mentioned in #210139 (comment)? Perhaps it's better to apply the patches instead to avoid the potential regressions, even if the solution is ugly?

Maybe it is easier to break the ssh clone feature entirely and have a message there that users should use a newer rustc version if they want that version? Again, it really is only in a specific feature which is only applicable outside of Nix builds.

Or, from CVE:

If you can't upgrade to Rust 1.66.1 yet, we recommend configuring Cargo to use the git CLI instead of its built-in git support. That way, all git network operations will be performed by the git CLI, which is not affected by this vulnerability. You can do so by adding this snippet to your [Cargo configuration file](https://doc.rust-lang.org/cargo/reference/config.html):

[net]
git-fetch-with-cli = true

I don't think there is a right config file we can use, but we can wrap these older cargo versions with

cargo --config net.git-fetch-with-cli=true

Of course this also suddenly changes behavior again.

@vcunat
Copy link
Member

vcunat commented Feb 15, 2023

Well, upgrading (default) rustc also changes behavior, as you can see e.g. from all the patches needed across nixpkgs.

@FRidh
Copy link
Member

FRidh commented Feb 15, 2023

Yep, neither solutions are great. But, speaking as an end-user myself, I much rather be aware of the issue and have a choice, than be forced to potentially integrate a change in Rust version. We've had similar situations before, and it is problematic because it essentially means you cannot just upgrade your stable systems.

@vcunat
Copy link
Member

vcunat commented Feb 21, 2023

So, no conclusion for now? I'm just asking because 22.11 rebuilds are likely to start soon.

@mweinelt
Copy link
Member

This is obviously not going to happen. And at this point I'm just sorry about the time wasted.

@mweinelt mweinelt closed this Mar 12, 2023
@mweinelt mweinelt added the 2.status: wontfix We cannot or will not fix this issue label Mar 12, 2023
@winterqt winterqt mentioned this pull request Apr 26, 2023
Open
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tjni tjni Awaiting requested review from tjni

@figsoda figsoda Awaiting requested review from figsoda

@Mic92 Mic92 Awaiting requested review from Mic92 Mic92 is a code owner

@LnL7 LnL7 Awaiting requested review from LnL7

@zowoq zowoq Awaiting requested review from zowoq zowoq is a code owner

@greizgh greizgh Awaiting requested review from greizgh

@booklearner booklearner Awaiting requested review from booklearner

@thoughtpolice thoughtpolice Awaiting requested review from thoughtpolice

@happysalada happysalada Awaiting requested review from happysalada

@mweinelt mweinelt Awaiting requested review from mweinelt mweinelt is a code owner

@vcunat vcunat Awaiting requested review from vcunat

Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 2.status: wontfix We cannot or will not fix this issue 6.topic: rust 10.rebuild-darwin: 501+ 10.rebuild-darwin: 5001+ 10.rebuild-linux: 501+ 10.rebuild-linux: 5001+
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@winterqt @FRidh @tjni @figsoda @mweinelt @vcunat @misuzu