util-linux: 2.39.3 -> 2.40.1 #309805

Merged
merged 1 commit into from
May 13, 2024

alyssais
Member

@alyssais alyssais commented May 7, 2024

Description of changes

CVE-2024-28085 (low priority since NixOS doesn't make wall setgid by default).

Release notes

Don't see anything looking like a breaking change.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@alyssais alyssais added the "1.severity: security" label (Issues which raise a security issue, or PRs that fix one) May 7, 2024
@alyssais
Member Author

alyssais commented May 7, 2024

Security backport for stable: #309808

Member

@06kellyjac 06kellyjac left a comment

Is the liblastlog2 and pam_lastlog2 dependency on sqlite always necessary or only with pamSupport?

LGTM

@alyssais
Member Author

alyssais commented May 7, 2024

> Is the liblastlog2 and pam_lastlog2 dependency on sqlite always necessary or only with pamSupport?

If I'm reading correctly, it's possible to build liblastlog2 without building pam_lastlog2. We could add an option to disable it, but I don't know how to decide whether that's worth it.

@wegank wegank added the "12.approvals: 1" label (This PR was reviewed and approved by one reputable person) May 7, 2024
@vcunat vcunat merged commit e45d74e into NixOS:staging May 13, 2024
30 checks passed
@vcunat
Member

vcunat commented May 14, 2024

For reference, the parallel build is a bit flaky now:

/nix/store/bgcaxhhxswzvmxjbbgvvaximm5hwghz1-binutils-2.41/bin/ld: cannot find -llastlog2: No such file or directory
collect2: error: ld returned 1 exit status
libtool:   error: error: relink 'pam_lastlog2.la' with the above command before installing it

@alyssais alyssais deleted the util-linux-2.40.1 branch May 14, 2024 09:57
@alyssais
Member Author

Time to switch to Meson?

@vcunat
Member

vcunat commented May 14, 2024

It feels late for 24.05. But fortunately adding meson+ninja wouldn't create an eval-time cycle here.

@alyssais
Member Author

Reported, also.

alyssais added a commit to alyssais/nixpkgs that referenced this pull request May 15, 2024
Difficult to know if these actually fix it, since it only happens
sometimes.

Link: NixOS#309805 (comment)
Link: https://lore.kernel.org/util-linux/[email protected]/
vcunat added a commit that referenced this pull request May 17, 2024
Difficult to know if these actually fix it, since it only happens
sometimes.

Link: #309805 (comment)
Link: https://lore.kernel.org/util-linux/[email protected]/

vcunat edit: only apply on some platforms for now,
balancing fixes and the amount of rebuild work on Hydra.
The rest is picked from PR #311988
@vcunat
Member

vcunat commented May 18, 2024

And (aarch64-)darwin build regressed on this update with a different error now: https://hydra.nixos.org/build/260146685

libuuid/src/uuid_time.c:89:87: error: aliases are not supported on darwin

EDIT: util-linux/util-linux#3013

@vcunat
Member

vcunat commented May 19, 2024

Oh, that darwin issue would even become a blocker for nixpkgs-unstable channel :-/

@alyssais
Member Author

alyssais commented May 19, 2024

There's also a bug report here: util-linux/util-linux#3011.

@vcunat
Member

vcunat commented May 19, 2024

Man, x86_64-darwin sports yet another error:

libsmartcols/src/filter.c:194:14: error: call to undeclared function 'fmemopen'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
        fltr->src = fmemopen((void *) str, strlen(str), "r");
                    ^

(IIRC older macOS doesn't provide this function yet)

@vcunat
Member

vcunat commented May 19, 2024

Quite bad luck with this release, and in the last moments before nixpkgs "freeze".

@alyssais
Member Author

alyssais commented May 19, 2024

I really wish OfBorg was capable of getting past LLVM on staging for Darwin…

@vcunat
Member

vcunat commented May 19, 2024

If it was so easy, we perhaps wouldn't even need staging*.

@alyssais
Member Author

It gets most of the way through — we just need to up the timeout a bit, and then I think OfBorg might even be less overloaded, because it wouldn't be wasting so much of its time trying the same futile LLVM builds over and over.

@vcunat
Member

vcunat commented May 19, 2024

Maybe we should just roll back to util-linux 2.39.x for now and keep nixpkgs 24.05 that way? (darwin now, linux on the next rebuild)

@alyssais
Member Author

Sounds fine.

@alyssais
Member Author

We should probably cherry-pick #309808 in that case.

@vcunat
Member

vcunat commented May 20, 2024

Perhaps 2.39.4 instead, as it sounds minimal and should contain also that fix
https://github.com/util-linux/util-linux/blob/v2.39.4/Documentation/releases/v2.39.4-ReleaseNotes

vcunat added a commit that referenced this pull request May 20, 2024
We're running into multiple issues, so let's be conservative.
In particular, this commit should fix *-darwin builds.
/cc PR #309805 as this is kind-of reverting it (partially for now)
@alyssais
Member Author

Ah yes, that sounds good. I missed that.

@vcunat
Member

vcunat commented May 20, 2024

For reference, 2.40.1 also broke its static musl build:
https://hydra.nixos.org/build/259722977

vcunat added a commit that referenced this pull request May 20, 2024
@alyssais
Member Author

That's likely easily fixed by just disabling the PAM plugin on static builds. But is there any point fixing that, even on staging, or will we revert this there as well?

@vcunat
Member

vcunat commented May 20, 2024

Right, not now. I've given up on fixing 2.40.x for nixpkgs 24.05.

@alyssais
Member Author

alyssais commented May 20, 2024

I mean what about staging? i.e. post 24.05

@alyssais
Member Author

alyssais commented May 20, 2024

I guess it'd just cause merge conflicts, since the gradual reversion on staging-next will propagate to staging.

So for future reference when we come back to 2.40, here's the diff for static:

diff --git i/pkgs/os-specific/linux/util-linux/default.nix w/pkgs/os-specific/linux/util-linux/default.nix
index 642480b670c7..169f8293ae3e 100644
--- i/pkgs/os-specific/linux/util-linux/default.nix
+++ w/pkgs/os-specific/linux/util-linux/default.nix
@@ -6,6 +6,7 @@
 , ncursesSupport ? true
 , ncurses
 , pamSupport ? true
+, pamLastlogSupport ? pamSupport && !stdenv.hostPlatform.isStatic
 , pam
 , systemdSupport ? lib.meta.availableOn stdenv.hostPlatform systemd
 , systemd
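Review bot: an explicit override of the new `pamLastlogSupport` argument is not checked against `pamSupport` or against the host platform, so a caller can pass `pamLastlogSupport = true` together with `pamSupport = false`, or on a static host, and the derivation will still request the module from configure. Consider an `assert pamLastlogSupport -> pamSupport;` next to the arguments, plus a short comment on the added line saying why static hosts are excluded, since `!stdenv.hostPlatform.isStatic` on its own does not record the reason.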
@@ -61,6 +62,7 @@ stdenv.mkDerivation rec {
     "--disable-makeinstall-setuid" "--disable-makeinstall-chown"
     "--disable-su" # provided by shadow
     "--with-tmpfilesdir=${placeholder "out"}/lib/tmpfiles.d"
+    (lib.enableFeature pamLastlogSupport "pam-lastlog2")
     (lib.enableFeature writeSupport "write")
     (lib.enableFeature nlsSupport "nls")
     (lib.withFeature ncursesSupport "ncursesw")
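Review bot: the added `(lib.enableFeature pamLastlogSupport "pam-lastlog2")` line carries no explanatory comment, unlike the `"--disable-su" # provided by shadow` line two above it; a trailing comment noting that the PAM module is turned off on static hosts would keep the reason next to the flag. The switch names only `pam-lastlog2`, so if liblastlog2 itself should also become optional, that needs its own option rather than reuse of this one.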

@leona-ya
Member

leona-ya commented Jun 6, 2024

For context: This update also caused a regression with detecting the UUID of some special LUKS devices (maybe only if the LUKS device contains a LVM). I haven't reported this upstream yet, will do later.
Some more context is in https://discourse.nixos.org/t/nixos-24-05-upgrade-no-boot-device/46335, which is quite analogous to what I experienced.

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixos-24-05-upgrade-no-boot-device/46335/3

@YellowOnion
Contributor

bcachefs-tools on master needs util-linux/util-linux#3001 to detect my disks correctly, not a huge issue, but worth noting for future potential issues if that makes it in to nixpkgs-unstable before this does.

@alyssais
Member Author

We can backport that patch.

Labels: 1.severity: security (Issues which raise a security issue, or PRs that fix one); 10.rebuild-darwin: 501-1000; 10.rebuild-darwin: 501+; 10.rebuild-linux: 501+; 10.rebuild-linux: 5001+; 12.approvals: 1 (This PR was reviewed and approved by one reputable person)