Dummy pr branch 2 part 2 #8
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
(cherry picked from commit 7979a1b)
(cherry picked from commit 2fb034f)
(cherry picked from commit 4230a22)
(cherry picked from commit 7724952)
- The c_rehash script allows command injection (CVE-2022-1292) - OCSP_basic_verify may incorrectly verify the response signing certificate (CVE-2022-1343) - Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434) - Resource leakage when decoding certificates and keys (CVE-2022-1473) https://mta.openssl.org/pipermail/openssl-announce/2022-May/000224.html Fixes: CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473 (cherry picked from commit c62eceb)
(cherry picked from commit 29037ae)
(cherry picked from commit ba276cf)
(cherry picked from commit 16c45bb)
Switches to the PyPi source per the upstream maintainers request in NixOS#163088 (comment) (cherry picked from commit 455f910)
(cherry picked from commit f7eb323)
(cherry picked from commit 235eee5)
(cherry picked from commit adc727d)
So we don't have to backport updates to "scary" packages like tomli and packaging.
(cherry picked from commit 7e49720)
[Backport release-21.11] python3.pkgs.hatchling: init
(cherry picked from commit dd8169d)
(cherry picked from commit 90d9b7c)
(cherry picked from commit f0c2e46)
(cherry picked from commit c9cfbe0)
(cherry picked from commit 641c2d3)
(cherry picked from commit 790c4f1)
(cherry picked from commit 5e04d64)
(cherry picked from commit 7151381)
(cherry picked from commit 209c579)
(cherry picked from commit b531bf4)
(cherry picked from commit cc4c52b)
(cherry picked from commit 75e732b)
* glab: install shell completions * Update pkgs/applications/version-management/git-and-tools/glab/default.nix Co-authored-by: Sandro <sandro.jaeckel@gmail.com> (cherry picked from commit ac83e58)
Without the change `zesarux` fails build on `master` as:
scrcaca.c:51:5: error: unknown type name 'cucul_canvas_t'; did you mean 'caca_canvas_t'?
51 | cucul_canvas_t *cv; caca_display_t *dp; caca_event_t ev;
| ^~~~~~~~~~~~~~
| caca_canvas_t
(cherry picked from commit 77a8b9f)
(cherry picked from commit c611bdf)
(cherry picked from commit 9ada55c)
(cherry picked from commit 081f27f)
(cherry picked from commit 90b55fd)
(cherry picked from commit 10636e5)
This is useful for cross-compilation, where nixpkgs sets PKG_CONFIG. waf decided to use PKGCONFIG instead, so we'll set it when necessary. (cherry picked from commit a2f91d1)
risicle
force-pushed
the
ris-cherry-pick-check-dev
branch
from
8dad60d
to
b33f23b
Compare
risicle
force-pushed
the
ris-cherry-pick-check-dev
branch
from
0b00725
to
9fcc6a6
Compare
risicle
force-pushed
the
ris-cherry-pick-check-dev
branch
from
67dd6b0
to
78a32f3
Compare
risicle
pushed a commit
that referenced
this pull request
Aug 5, 2023
Pull in _FORTIFY_SOURCE=3 stack smashing fix. Without the change on
current `master` `rtorrent` crashes at start as:
*** buffer overflow detected ***: terminated
__pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
44 pthread_kill.c: No such file or directory.
(gdb) bt
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x00007ffff7880af3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2 0x00007ffff7831c86 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007ffff781b8ba in __GI_abort () at abort.c:79
#4 0x00007ffff781c5f5 in __libc_message (fmt=fmt@entry=0x7ffff7992540 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150
#5 0x00007ffff7910679 in __GI___fortify_fail (msg=msg@entry=0x7ffff79924e6 "buffer overflow detected") at fortify_fail.c:24
#6 0x00007ffff790eea4 in __GI___chk_fail () at chk_fail.c:28
#7 0x00007ffff790ea85 in ___snprintf_chk (s=<optimized out>, maxlen=<optimized out>, flag=<optimized out>, slen=<optimized out>, format=<optimized out>) at snprintf_chk.c:29
#8 0x0000000000472acf in utils::Lockfile::try_lock() ()
#9 0x000000000044b524 in core::DownloadStore::enable(bool) ()
#10 0x00000000004b1f7b in Control::initialize() ()
#11 0x000000000043000b in main ()
risicle
pushed a commit
that referenced
this pull request
Mar 1, 2024
Without the change `unnethack` startup crashes as:
(gdb) bt
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x00007f734250c0e3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2 0x00007f73424bce06 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007f73424a58f5 in __GI_abort () at abort.c:79
#4 0x00007f73424a67a1 in __libc_message (fmt=fmt@entry=0x7f734261e2f8 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150
#5 0x00007f734259b1d9 in __GI___fortify_fail (msg=msg@entry=0x7f734261e2df "buffer overflow detected") at fortify_fail.c:24
#6 0x00007f734259ab94 in __GI___chk_fail () at chk_fail.c:28
#7 0x00000000005b2ac5 in strcpy (__src=0x7ffe68838b00 "Shall I pick a character's race, role, gender and alignment for you? [YNTQ] (y)",
__dest=0x7ffe68838990 "\001") at /nix/store/B0S2LKF593R3585038WS4JD3LYLF2WDX-glibc-2.38-44-dev/include/bits/string_fortified.h:79
#8 curses_break_str (str=str@entry=0x7ffe68838b00 "Shall I pick a character's race, role, gender and alignment for you? [YNTQ] (y)", width=width@entry=163,
line_num=line_num@entry=1) at ../win/curses/cursmisc.c:275
#9 0x00000000005b3f51 in curses_character_input_dialog (prompt=prompt@entry=0x7ffe68838cf0 "Shall I pick a character's race, role, gender and alignment for you?",
choices=choices@entry=0x7ffe68838d70 "YNTQ", def=def@entry=121) at ../win/curses/cursdial.c:211
#10 0x00000000005b9ca0 in curses_choose_character () at ../win/curses/cursinit.c:556
#11 0x0000000000404eb1 in main (argc=<optimized out>, argv=<optimized out>) at ./../sys/unix/unixmain.c:309
which corresponds to `gcc` warning:
../win/curses/cursmisc.c: In function 'curses_break_str':
../win/curses/cursmisc.c:275:5: warning: '__builtin___strcpy_chk' writing one too many bytes into a region of a size that depends on 'strlen' [-Wstringop-overflow=]
275 | strcpy(substr, str);
| ^
I did not find a single small upstream change that fixes it. Let's
disable `fortify3` until next release.
Closes: NixOS#292113
risicle
pushed a commit
that referenced
this pull request
Aug 1, 2024
This adds some extremely helpful and popular encoders in by default: * openjpeg * celt * libwebp * libaom On the `master` branch, closure size for ffmpeg-headless went up 18.5 MiB. ``` $ nix store diff-closures nixpkgs#ffmpeg-headless^bin .#ffmpeg-headless^bin celt: ∅ → 0.11.3, +168.4 KiB ffmpeg-headless: +70.0 KiB giflib: ∅ → 5.2.2, +398.7 KiB lcms2: ∅ → 2.16, +466.2 KiB lerc: ∅ → 4.0.0, +840.2 KiB libaom: ∅ → 3.9.0, +8047.8 KiB libdeflate: ∅ → 1.20, +427.0 KiB libtiff: ∅ → 4.6.0, +655.9 KiB libvmaf: ∅ → 3.0.0, +2665.0 KiB libwebp: ∅ → 1.4.0, +2559.7 KiB openjpeg: ∅ → 2.5.2, +1525.1 KiB zstd: ∅ → 1.5.6, +1158.0 KiB $ nvd diff $(nix build nixpkgs#ffmpeg-headless^bin --print-out-paths --no-link) $(nix build .#ffmpeg-headless^bin --print-out-paths --no-link) <<< /nix/store/4n60lnj3zkjpasd4c56bzhpx2m8lc1sx-ffmpeg-headless-6.1.1-bin >>> /nix/store/884f487w5hac6rs94jq6hq5zqkxdv666-ffmpeg-headless-6.1.1-bin Added packages: [A.] #1 celt 0.11.3 [A.] #2 giflib 5.2.2 [A.] #3 lcms2 2.16 [A.] #4 lerc 4.0.0 [A.] #5 libaom 3.9.0 [A.] #6 libdeflate 1.20 [A.] #7 libtiff 4.6.0 [A.] #8 libvmaf 3.0.0 [A.] #9 libwebp 1.4.0 x2 [A.] #10 openjpeg 2.5.2 [A.] #11 zstd 1.5.6 Closure size: 66 -> 78 (15 paths added, 3 paths removed, delta +12, disk usage +18.5MiB). ```
risicle
pushed a commit
that referenced
this pull request
Aug 25, 2024
Strongly inspired by the forgejo counterpart[1], for the following
reasons:
* The feature is broken with the current module and crashes on
authentication with the following stacktrace (with a PAM service
`gitea` added):
server # Stack trace of thread 1008:
server # #0 0x00007f3116917dfb __nptl_setxid (libc.so.6 + 0x8ddfb)
server # #1 0x00007f3116980ae6 setuid (libc.so.6 + 0xf6ae6)
server # #2 0x00007f30cc80f420 _unix_run_helper_binary (pam_unix.so + 0x5420)
server # #3 0x00007f30cc8108c9 _unix_verify_password (pam_unix.so + 0x68c9)
server # #4 0x00007f30cc80e1b5 pam_sm_authenticate (pam_unix.so + 0x41b5)
server # #5 0x00007f3116a84e5b _pam_dispatch (libpam.so.0 + 0x3e5b)
server # #6 0x00007f3116a846a3 pam_authenticate (libpam.so.0 + 0x36a3)
server # #7 0x00000000029b1e7a n/a (.gitea-wrapped + 0x25b1e7a)
server # #8 0x000000000047c7e4 n/a (.gitea-wrapped + 0x7c7e4)
server # ELF object binary architecture: AMD x86-64
server #
server # [ 42.420827] gitea[897]: pam_unix(gitea:auth): unix_chkpwd abnormal exit: 159
server # [ 42.423142] gitea[897]: pam_unix(gitea:auth): authentication failure; logname= uid=998 euid=998 tty= ruser= rhost= user=snenskek
It only worked after turning off multiple sandbox settings and adding
`shadow` as supplementary group to `gitea.service`.
I'm not willing to maintain additional multiple sandbox settings for
different features, especially given that it was probably not used for
quite a long time:
* There was no PR or bugreport about sandboxing issues related to
PAM.
* Ever since the module exists, it used the user `gitea`, i.e. it had
never read-access to `/etc/shadow`.
* Upstream has it disabled by default[2].
If somebody really needs it, it can still be brought back by an overlay
updating `tags` accordingly and modifying the systemd service config.
[1] 07641a9
[2] https://docs.gitea.com/usage/authentication#pam-pluggable-authentication-module
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of changes
Things done
sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)nixos/doc/manual/md-to-db.shto update generated release notes