Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bash-4.3-p46 -> bash-4.3-p48 #21659

Merged
merged 1 commit into from
Jan 4, 2017
Merged

bash-4.3-p46 -> bash-4.3-p48 #21659

merged 1 commit into from
Jan 4, 2017

Conversation

LnL7
Copy link
Member

@LnL7 LnL7 commented Jan 4, 2017
edited
Loading

Motivation for this change

CVE-2016-9401 for #21642

  • ~6958 rebuilds for x86_64-darwin
  • ~12383 rebuilds for x86_64-linux
Things done
  • Tested using sandboxing
    (nix.useSandbox on NixOS,
    or option build-use-sandbox in nix.conf
    on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • Linux
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@LnL7 LnL7 added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Jan 4, 2017
@mention-bot
Copy link

@LnL7, thanks for your PR! By analyzing the history of the files in this pull request, we identified @vcunat to be a potential reviewer.

@LnL7 LnL7 added the 1.severity: mass-rebuild This PR causes a large number of packages to rebuild label Jan 4, 2017
@vcunat vcunat self-assigned this Jan 4, 2017
@NeQuissimus
Copy link
Member

Should we stage this first?

@vcunat
Copy link
Member

vcunat commented Jan 4, 2017

I'm testing a bit locally first.

@LnL7
Copy link
Member Author

LnL7 commented Jan 4, 2017

I'm also building a bunch of stuff locally, since it's a pretty important package. Looks good so far.

@vcunat
Copy link
Member

vcunat commented Jan 4, 2017

This is the one with big rebuild, but vulnerabilities seem aimed at interactive bash and we default to 4.4 for that, and that branch has no patches for these problems in the upstream list yet.

@vcunat vcunat changed the base branch from master to staging January 4, 2017 22:21
@LnL7
Copy link
Member Author

LnL7 commented Jan 4, 2017

I noticed 4.4, but as far as I can tell my system doesn't use that.

@vcunat
Copy link
Member

vcunat commented Jan 4, 2017

On my nixos (no bash overrides):

$ bash --version
GNU bash, version 4.4.0(1)-release
...

@vcunat
Copy link
Member

vcunat commented Jan 4, 2017

I hope this fixes all the currently known bash vulnerabilities.

@LnL7
Copy link
Member Author

LnL7 commented Jan 4, 2017

I think so, looks like it's only the default on master/unstable for bashInteractive. We might want to backport this then?

/cc @grahamc

@vcunat vcunat added the 9.needs: port to stable A PR needs a backport to the stable release. label Jan 4, 2017
@vcunat
Copy link
Member

vcunat commented Jan 4, 2017

I'm slightly confused. Gentoo seems to have updated to the 4.3-p48 in October and now after several months they make a security alert...

@vcunat
Copy link
Member

vcunat commented Jan 4, 2017
edited
Loading

Oh, I looked wrong... the announcement is for 4.3-p48 -r1 vs. vanilla -p48 – they added more patches that haven't been published on the upstream patch list: https://security.gentoo.org/glsa/201701-02

@vcunat
Copy link
Member

vcunat commented Jan 4, 2017

We can do it like Gentoo, adding their patch on top. They've deployed it so it's probably OK.

@vcunat
Copy link
Member

vcunat commented Jan 4, 2017

Let me just do a bit more testing with that.

@vcunat vcunat merged commit f047838 into NixOS:staging Jan 4, 2017
vcunat added a commit that referenced this pull request Jan 4, 2017
@vcunat
Merge #21659: bash: security 4.3-p46 -> 4.3-p48
fa57b06
@LnL7 LnL7 deleted the bash-4.3-p48 branch January 5, 2017 00:17
@grahamc
Copy link
Member

grahamc commented Jan 5, 2017

Is this going to stable?

@LnL7
Copy link
Member Author

LnL7 commented Jan 5, 2017
edited
Loading

master uses 4.4 for bashInteractive so this is not super important there, but 16.09 does use this version for everything.

@vcunat
Copy link
Member

vcunat commented Jan 5, 2017

I'll do the picking.

@grahamc
Copy link
Member

grahamc commented Jan 5, 2017

OK Sounds good to me. I wouldn't worry about using a staging branch for 16.09, can you update #21642 when you have?

@vcunat
Copy link
Member

vcunat commented Jan 5, 2017

Oh, an equivalent of this PR was on 16.09 already: #19274 but we were missing these security patches on master :-/

@grahamc
Copy link
Member

grahamc commented Jan 5, 2017

Well I'll be...

@vcunat vcunat removed the 9.needs: port to stable A PR needs a backport to the stable release. label Jan 5, 2017
@vcunat
Copy link
Member

vcunat commented Jan 5, 2017
edited
Loading

I picked that new Gentoo patch at least: e924319, which is all that the current CVE message seems to be about.

@LnL7
Copy link
Member Author

LnL7 commented Jan 5, 2017

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@vcunat vcunat

Labels
1.severity: mass-rebuild This PR causes a large number of packages to rebuild 1.severity: security Issues which raise a security issue, or PRs that fix one
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@LnL7 @mention-bot @NeQuissimus @vcunat @grahamc