
[22.11] rustc: 1.64.0 -> 1.66.1 #213287

Closed
wants to merge 15 commits into from

Conversation

winterqt
Copy link
Member

Description of changes

https://github.com/rust-lang/rust/releases/tag/1.65.0
https://github.com/rust-lang/rust/releases/tag/1.66.0
https://github.com/rust-lang/rust/releases/tag/1.66.1

Fixes CVE-2022-46176.

This is the path of least resistance, sadly; see the discussion in #210139.

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin, nix-build -A fd -A synth -A sqlx-cli -A zee -A httplz
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.05 Release Notes (or backporting 22.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@winterqt winterqt requested review from tjni and figsoda January 29, 2023 03:06
@winterqt winterqt added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Jan 29, 2023
@winterqt winterqt changed the title rustc: 1.64.0 -> 1.66.1 [22.11] rustc: 1.64.0 -> 1.66.1 Jan 29, 2023
@ofborg ofborg bot requested review from greizgh and booklearner January 29, 2023 04:23
@FRidh
Copy link
Member

FRidh commented Jan 29, 2023

Looking at the CVE, it applies when cloning with cargo via SSH. We do not do this for our Nix builds and hence for that use case it is not relevant. Upgrading rustc often causes regressions.

Of course where the CVE does matter is for users using cargo outside of our Nixpkgs builds and outside of Nix builds.

I do not think this is the correct solution, and instead think the correct solution is to simply inform users that 1.64.0 should not be used doing ... because ... instead of forcing an update which can cause regressions both in Nixpkgs and outside.

@tjni
Copy link
Contributor

tjni commented Jan 29, 2023

These changes look good to me! I don't have an opinion on whether backporting is appropriate or not (depends on our position on security issues).

@figsoda
Copy link
Member

figsoda commented Jan 31, 2023

@FRidh I talked to @winterqt about this, and both of us think that the fix should be backported if we can make sure that no regressions happen within nixpkgs, since people do use cargo outside and might be affected by the CVE.

Another possibility I thought about was defaulting buildRustPackage and buildRustCrate (or just rustPlatform?) to 1.64.0, and make 1.66.1 the default rust. This way we can make sure that no regressions (no rebuilds as well) happen in nixpkgs if we change all uses of cargo and rustc to 1.64.0. Though, I am worried that it might be confusing and hard to debug for users since top-level rust and buildRustPackage would have different versions.

Do you have any suggestions how we might fix the vulnerability other than this and applying the patches? Or can you think of an easier way to apply the patches other than the method mentioned in #210139 (comment)? Perhaps it's better to apply the patches instead to avoid the potential regressions, even if the solution is ugly?

@winterqt winterqt marked this pull request as draft February 2, 2023 04:48
@mweinelt
Copy link
Member

mweinelt commented Feb 14, 2023

Fails to link on aarch64-linux. I think we encountered that on unstable as well. Works after pulling #209113 on top.

rustc-aarch64-linux>    Compiling rustc_smir v0.0.0 (/build/rustc-1.66.1-src/compiler/rustc_smir)
rustc-aarch64-linux> error: linking with `/nix/store/08g2dvyx4i4zdc0s9i51029hlfm6q5ld-gcc-wrapper-9.5.0/bin/cc` failed: exit status: 1
rustc-aarch64-linux>   |
rustc-aarch64-linux>   = note: "/nix/store/08g2dvyx4i4zdc0s9i51029hlfm6q5ld-gcc-wrapper-9.5.0/bin/cc" "/build/rustcK9Xf7c/symbols.o" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/rustc_main-95936b2b75bd5cef.rustc_main.eb2391a0-cgu.0.rcgu.o" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/rustc_main-95936b2b75bd5cef.rustc_main.eb2391a0-cgu.1.rcgu.o" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/rustc_main-95936b2b75bd5cef.rustc_main.eb2391a0-cgu.2.rcgu.o" "-Wl,--as-needed" "-L" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps" "-L" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/release/deps" "-L" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/build/psm-725259a90952840f/out" "-L" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/build/rustc_llvm-1fe81efb55ddb6da/out" "-L" "/nix/store/5133rd9ic81ybbf6myhwdrbhnikwpyaf-llvm-14.0.6-lib/lib" "-L" "/nix/store/2hzialg74cbmvqz17qnv9kzjglf8c8f9-gcc-9.5.0/lib/gcc/aarch64-unknown-linux-gnu/9.5.0/../../../../lib64" "-L" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/aarch64-unknown-linux-gnu/lib" "-L" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps" "-lrustc_driver-c4bd77c3b6122f7a" "-L" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/aarch64-unknown-linux-gnu/lib" "-lstd-3c72abc60e605edb" "-Wl,-Bstatic" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/aarch64-unknown-linux-gnu/lib/libcompiler_builtins-a6b1f233b01990e9.rlib" "-Wl,-Bdynamic" "-lLLVM-14" "-ldl" "-lgcc_s" "-lutil" "-lrt" 
"-lpthread" "-lm" "-ldl" "-lc" "-Wl,--eh-frame-hdr" "-Wl,-znoexecstack" "-L" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/aarch64-unknown-linux-gnu/lib" "-o" "/build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/rustc_main-95936b2b75bd5cef" "-Wl,--gc-sections" "-pie" "-Wl,-zrelro,-znow" "-Wl,-O1" "-nodefaultlibs" "-Wl,-z,origin" "-Wl,-rpath,$ORIGIN/../lib"
rustc-aarch64-linux>   = note: /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_swp1_acq_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/aarch64-unknown-linux-gnu/lib/libstd-3c72abc60e605edb.so: undefined reference to `__aarch64_ldset8_relax'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldset1_acq_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldclr1_relax'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldclr8_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_swp8_acq_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_swp4_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_cas4_acq'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_cas8_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldadd8_acq_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/aarch64-unknown-linux-gnu/lib/libstd-3c72abc60e605edb.so: undefined reference to `__aarch64_swp4_acq'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldset8_acq_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_cas1_acq_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_swp8_acq'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldset1_relax'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldadd4_acq_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldadd8_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_swp1_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/aarch64-unknown-linux-gnu/lib/libstd-3c72abc60e605edb.so: undefined reference to `__aarch64_cas4_relax'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_swp1_acq'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/aarch64-unknown-linux-gnu/lib/libstd-3c72abc60e605edb.so: undefined reference to `__aarch64_ldadd4_acq'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_cas8_acq'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldclr8_relax'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldadd8_relax'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_cas1_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_cas8_relax'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldset8_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_cas8_acq_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_ldadd4_rel'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/aarch64-unknown-linux-gnu/lib/libstd-3c72abc60e605edb.so: undefined reference to `__aarch64_ldadd4_relax'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_cas1_relax'
rustc-aarch64-linux>           /nix/store/gnym1cd0q0aca7a1lidsdkq37jkkb69j-binutils-2.39/bin/ld: /build/rustc-1.66.1-src/build/aarch64-unknown-linux-gnu/stage0-rustc/aarch64-unknown-linux-gnu/release/deps/librustc_driver-c4bd77c3b6122f7a.so: undefined reference to `__aarch64_cas1_acq'
rustc-aarch64-linux>           collect2: error: ld returned 1 exit status
rustc-aarch64-linux>           
rustc-aarch64-linux>   = help: some `extern` functions couldn't be found; some native libraries may need to be installed or have their path specified
rustc-aarch64-linux>   = note: use the `-l` flag to specify native libraries to link
rustc-aarch64-linux>   = note: use the `cargo:rustc-link-lib` directive to specify the native libraries to link with Cargo (see https://doc.rust-lang.org/cargo/reference/build-scripts.html#cargorustc-link-libkindname)
rustc-aarch64-linux> 
rustc-aarch64-linux> error: could not compile `rustc-main` due to previous error
rustc-aarch64-linux> Build completed unsuccessfully in 0:04:04
rustc-aarch64-linux> make: *** [Makefile:12: all] Error 1

@mweinelt
Copy link
Member

mweinelt commented Feb 14, 2023

On x86_64-linux fd fails a test. Issue on my remote builder using ZFS with formD normalization.

fd> failures:
fd> 
fd> ---- test_exec_invalid_utf8 stdout ----
fd> thread 'test_exec_invalid_utf8' panicked at 'called `Result::unwrap()` on an `Err` value: Os { code: 84, kind: Uncategorized, message: "Invalid or incomplete multibyte or wide character" }', tests/tests.rs:2080:6
fd> note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
fd> 
fd> ---- test_invalid_utf8 stdout ----
fd> thread 'test_invalid_utf8' panicked at 'called `Result::unwrap()` on an `Err` value: Os { code: 84, kind: Uncategorized, message: "Invalid or incomplete multibyte or wide character" }', tests/tests.rs:1756:6
fd> 
fd> 
fd> failures:
fd>     test_exec_invalid_utf8
fd>     test_invalid_utf8
fd> 
fd> test result: FAILED. 79 passed; 2 failed; 0 ignored; 0 measured; 0 filtered out; finished in 6.64s
fd> 
fd> error: test failed, to rerun pass `--test tests`

tjni and others added 8 commits February 14, 2023 19:04
tjni and others added 3 commits February 14, 2023 19:06
(cherry picked from commit 108f65b)
This change switches to using GCC 11 by default on aarch64-linux, as well as passing `-lgcc` to the linker, per NixOS#201485.

See NixOS#201254 and NixOS#208412 for wider context on the issue.

(cherry picked from commit 8442601)
@winterqt winterqt marked this pull request as ready for review February 15, 2023 00:06
@mweinelt
Copy link
Member

aarch64-linux

/nix/store/9s3k2rci116pzvqmd184w6bdw5xkz9qh-fd-8.5.3
/nix/store/1d7a91ay3h2ypfp1d64zmxb87ypipiqw-synth-0.6.8
/nix/store/q420wcl3y8j2wsps270gjhzbdcxhlzd4-sqlx-cli-0.6.2
/nix/store/915f4g9hqvk6rr5xbyw9l2w0zz8pbixd-zee-0.3.2
/nix/store/691c21xzwp1d09y0hkngq7r89zmvgm8r-httplz-1.12.5

x86_64-linux

/nix/store/jm00bachpanypihhvdpqhw97ch5yd66q-fd-8.5.3
/nix/store/7hxamhhv0w5pkl1wqv2nc812smllh28g-synth-0.6.8
/nix/store/yn3mwf0r4zkvhn6w825lqfvz3zavfrsj-sqlx-cli-0.6.2
/nix/store/a6vn8xd90svbss0wfv9f6kirg59hzmj0-zee-0.3.2
/nix/store/8gb37dy0iji5rvxsvn3sqx5yxk390k45-httplz-1.12.5

@mweinelt
Copy link
Member

mweinelt commented Feb 15, 2023

The following fixes need to be picked as well

  • firefox-unwrapped: cdf0283
  • spidermonkey: 77a214e
  • rpm-ostree: 97655c9
    • only the NIX_LDFLAGS change, not the version bump
  • zerotierone: ba3db3e

vcunat and others added 4 commits February 14, 2023 22:57
All three versions are the same in this respect.
It's the issue with old libgcc_s propagated via our glibc package; e.g.
NixOS#209113

(cherry picked from commit 77a214e)
It's the issue with old libgcc_s propagated via our glibc package; e.g.
NixOS#209113

(cherry picked from commit cdf0283)
This is required to workaround NixOS#201254

(cherry picked from commit ba3db3e)
See NixOS#209113 for context. This has to
be done manually because rpm-ostree doesn't use the Cargo setup hooks (which
automatically set this flag).
@winterqt
Copy link
Member Author

@mweinelt Should be good to go now, thank you for compiling that list/testing. (You need to retire that zpool, though.)

@winterqt
Copy link
Member Author

winterqt commented Feb 15, 2023

(Oh, and for posterity, I didn't cherrypick the rpm-ostree change because that was done alongside a version bump, and it felt weird cherrypicking only a part of a commit. If any part of that commit isn't ideal, including that fact, let me know.)

@FRidh
Copy link
Member

FRidh commented Feb 15, 2023

Do you have any suggestions how we might fix the vulnerability other than this and applying the patches? Or can you think of an easier way to apply the patches other than the method mentioned in #210139 (comment)? Perhaps it's better to apply the patches instead to avoid the potential regressions, even if the solution is ugly?

Maybe it is easier to break the ssh clone feature entirely and have a message there that users should use a newer rustc version if they want that version? Again, it really is only in a specific feature which is only applicable outside of Nix builds.

Or, from CVE:

If you can't upgrade to Rust 1.66.1 yet, we recommend configuring Cargo to use the git CLI instead of its built-in git support. That way, all git network operations will be performed by the git CLI, which is not affected by this vulnerability. You can do so by adding this snippet to your [Cargo configuration file](https://doc.rust-lang.org/cargo/reference/config.html):

[net]
git-fetch-with-cli = true

I don't think there is a right config file we can use, but we can wrap these older cargo versions with

cargo --config net.git-fetch-with-cli=true

Of course this also suddenly changes behavior again.
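
The advisory workaround quoted above, and the `cargo --config` wrapper FRidh proposes, as an added POSIX shell example that is not part of the PR or of nixpkgs. It decides from a `cargo --version` banner whether a toolchain predates the 1.66.1 fix, writes `[net] git-fetch-with-cli = true` into a CARGO_HOME-style directory without clobbering an existing config, and checks that the setting is present. The function names, the throwaway CARGO_HOME layout and the sample banner are assumptions constructed for the example; the config key and the 1.66.1 threshold are the ones stated in the thread.

```shell
#!/bin/sh
# Added example, not code from the PR or nixpkgs. All names and the sample
# banner below are constructed for illustration.

# Return 0 (true) when a cargo version string is older than 1.66.1, the
# release the thread names as carrying the CVE-2022-46176 fix.
# Usage: cargo_is_vulnerable "1.64.0"
cargo_is_vulnerable() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    # Drop any suffix after the patch number, e.g. "-nightly".
    patch=${patch%%[!0-9]*}
    [ -z "$patch" ] && patch=0
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -gt 1 ]; then return 1; fi
    if [ "$minor" -lt 66 ]; then return 0; fi
    if [ "$minor" -gt 66 ]; then return 1; fi
    [ "$patch" -lt 1 ]
}

# Extract "1.64.0" from a banner of the form "cargo 1.64.0 (hash date)".
cargo_version_from_banner() {
    set -- $1
    printf '%s\n' "$2"
}

# Write the advisory's workaround into $1/config.toml (CARGO_HOME layout).
# An existing file is left alone so a hand-written config is not clobbered.
write_git_cli_workaround() {
    dir=$1
    mkdir -p "$dir"
    if [ -e "$dir/config.toml" ]; then
        echo "refusing to overwrite $dir/config.toml" >&2
        return 1
    fi
    printf '[net]\ngit-fetch-with-cli = true\n' > "$dir/config.toml"
}

# Return 0 when the workaround is active in the given CARGO_HOME.
workaround_present() {
    grep -qs '^git-fetch-with-cli *= *true' "$1/config.toml"
}

# The per-invocation alternative from the comment above: force the git CLI
# for one cargo run without touching any config file (cargo is assumed to be
# on PATH; this function is not exercised by the demo below).
cargo_with_git_cli() {
    cargo --config net.git-fetch-with-cli=true "$@"
}

# Demonstration on a constructed banner and a throwaway CARGO_HOME.
tmp=$(mktemp -d)
v=$(cargo_version_from_banner "cargo 1.64.0 (0000000 2022-01-01)")
if cargo_is_vulnerable "$v"; then
    echo "cargo $v predates the 1.66.1 fix; enabling git-fetch-with-cli in $tmp"
    write_git_cli_workaround "$tmp"
fi
workaround_present "$tmp" && echo "workaround active in $tmp/config.toml"
rm -rf "$tmp"
```

Two caveats a practitioner should keep in mind: the workaround only moves the network operation into the git CLI, so host key verification is then whatever the user's ssh configuration does (a CI image that sets StrictHostKeyChecking=no gains nothing from it), and the version test above only says whether the toolchain predates the fix discussed in this thread, not whether a given build ever resolves a git dependency over SSH.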

@vcunat
Copy link
Member

vcunat commented Feb 15, 2023

Well, upgrading (default) rustc also changes behavior, as you can see e.g. from all the patches needed across nixpkgs.

@FRidh
Copy link
Member

FRidh commented Feb 15, 2023

Yep, neither solution is great. But, speaking as an end-user myself, I much rather be aware of the issue and have a choice, than be forced to potentially integrate a change in Rust version. We've had similar situations before, and it is problematic because it essentially means you cannot just upgrade your stable systems.

@vcunat
Copy link
Member

vcunat commented Feb 21, 2023

So, no conclusion for now? I'm just asking because 22.11 rebuilds are likely to start soon.

@mweinelt
Copy link
Member

This is obviously not going to happen. And at this point I'm just sorry about the time wasted.

@mweinelt mweinelt closed this Mar 12, 2023
@mweinelt mweinelt added the 2.status: wontfix We cannot or will not fix this issue label Mar 12, 2023
7 participants