From 9843fdc532a75f34274fb781d69a2daa97a6a0d2 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Mon, 15 Oct 2018 22:57:08 +0200
Subject: [PATCH 1/7] ligcgroup: fix CVE-2018-14348

When using cgrulesengd it would create a logfile at /var/log/cgred with the permission wide open (0666).
---
 pkgs/os-specific/linux/libcgroup/default.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/pkgs/os-specific/linux/libcgroup/default.nix b/pkgs/os-specific/linux/libcgroup/default.nix
index a70ab13db62..1e920247a75 100644
--- a/pkgs/os-specific/linux/libcgroup/default.nix
+++ b/pkgs/os-specific/linux/libcgroup/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pam, yacc, flex }:
+{ stdenv, fetchurl, fetchpatch, pam, yacc, flex }:
 stdenv.mkDerivation rec {
   name = "libcgroup-${version}";
@@ -11,6 +11,13 @@ stdenv.mkDerivation rec {
   buildInputs = [ pam yacc flex ];
+  patches = [
+    (fetchpatch {
+      url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/libcgroup/files/libcgroup-0.41-remove-umask.patch?id=33e9f4c81de754bbf76b893ea1133ed023f2a0e5";
+      sha256 = "1x0x29ld0cgmfwq4qy13s6d5c8sym1frfh1j2q47d8gfw6qaxka5";
+    })
+  ];
+
   postPatch = ''
     substituteInPlace src/tools/Makefile.in \
       --replace 'chmod u+s' 'chmod +x'

From c994f40de8e5e632fc71948001a73aaf9d3319cb Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Mon, 15 Oct 2018 23:09:10 +0200
Subject: [PATCH 2/7] taglib: fix CVE-2018-11439

---
 pkgs/development/libraries/taglib/default.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pkgs/development/libraries/taglib/default.nix b/pkgs/development/libraries/taglib/default.nix
index 67db6e5097d..a2cb103a182 100644
--- a/pkgs/development/libraries/taglib/default.nix
+++ b/pkgs/development/libraries/taglib/default.nix
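Review bot: The fetchpatch in the new `patches` list carries no `name`, so the derivation name falls back to the URL basename, query string included, and nothing in the file records which CVE the patch addresses; the taglib and libgxps changes in this series set `name = "CVE-….patch"`, so this one should too. Suggest adding `name = "CVE-2018-14348.patch";` inside the fetchpatch, with a comment above it taken from the commit message, `# CVE-2018-14348: cgrulesengd created /var/log/cgred world-writable (0666)`. The URL is pinned to a Gentoo commit id together with a fixed `sha256`, which is what makes the fetch reproducible; keep the pin if the URL is ever simplified.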
@@ -15,6 +15,13 @@ stdenv.mkDerivation rec {
       url = "https://github.com/taglib/taglib/commit/eb9ded1206f18.patch";
       sha256 = "1bvpxsvmlpi3by7myzss9kkpdkv405612n8ff68mw1ambj8h1m90";
     })
+
+    (fetchpatch {
+      # https://github.com/taglib/taglib/pull/869
+      name = "CVE-2018-11439.patch";
+      url = "https://github.com/taglib/taglib/commit/272648ccfcccae30e002ccf34a22e075dd477278.patch";
+      sha256 = "0p397qq4anvcm0p8xs68mxa8hg6dl07chg260lc6k2929m34xv72";
+    })
   ];
   nativeBuildInputs = [ cmake ];

From 5f75f72497113001bbd464018db233fee13b0ed9 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Mon, 15 Oct 2018 23:27:45 +0200
Subject: [PATCH 3/7] yara: 3.7.1 -> 3.8.1

This fixes issues CVE-2018-12034 & CVE-2018-12035. They are OOB read & write issues of the internal VM. Details can be retrieved at [1] & [2].

[1] https://github.com/VirusTotal/yara/issues/891
[2] https://bnbdr.github.io/posts/swisscheese/
---
 pkgs/tools/security/yara/default.nix | 22 ++--------------------
 1 file changed, 2 insertions(+), 20 deletions(-)

diff --git a/pkgs/tools/security/yara/default.nix b/pkgs/tools/security/yara/default.nix
index e273b2c1909..460474a7bb3 100644
--- a/pkgs/tools/security/yara/default.nix
+++ b/pkgs/tools/security/yara/default.nix
@@ -5,34 +5,16 @@
 }:
 stdenv.mkDerivation rec {
-  version = "3.7.1";
+  version = "3.8.1";
   name = "yara-${version}";
   src = fetchFromGitHub {
     owner = "VirusTotal";
     repo = "yara";
     rev = "v${version}";
-    sha256 = "05smkn4ii8irx6ccnzrhwa39pkmrjyxjmfrwh6mhdd8iz51v5cgz";
+    sha256 = "1ys2y5f2cif3g42daq646jcrn2na19zkx7fds2gnavj5c1rk7463";
   };
-  # FIXME: this is probably not the right way to make it work
-  # make[2]: *** No rule to make target 'libyara/.libs/libyara.a', needed by 'yara'. Stop.
-  prePatch = ''
-    cat >staticlibrary.patch <
Date: Mon, 15 Oct 2018 23:55:47 +0200
Subject: [PATCH 4/7] libgxps: fix CVE-2018-10733

---
 pkgs/desktops/gnome-3/core/libgxps/default.nix | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/pkgs/desktops/gnome-3/core/libgxps/default.nix b/pkgs/desktops/gnome-3/core/libgxps/default.nix
index c9312c22882..68193bad583 100644
--- a/pkgs/desktops/gnome-3/core/libgxps/default.nix
+++ b/pkgs/desktops/gnome-3/core/libgxps/default.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchurl, meson, ninja, pkgconfig, glib, gobjectIntrospection, cairo
-, libarchive, freetype, libjpeg, libtiff, gnome3
+, libarchive, freetype, libjpeg, libtiff, gnome3, fetchpatch
 }:
 let
@@ -13,6 +13,19 @@ in stdenv.mkDerivation rec {
     sha256 = "412b1343bd31fee41f7204c47514d34c563ae34dafa4cc710897366bd6cd0fae";
   };
+  patches = [
+    (fetchpatch {
+      name = "CVE-2018-10733-1.patch";
+      url = https://gitlab.gnome.org/GNOME/libgxps/commit/b458226e162fe1ffe7acb4230c114a52ada5131b.patch;
+      sha256 = "0pqg9iwkg69qknj7vkgn26c32fndy55byxivd4km0vjfhfyx69hd";
+    })
+    (fetchpatch {
+      name = "CVE-2018-10733-2.patch";
+      url = https://gitlab.gnome.org/GNOME/libgxps/commit/133fe2a96e020d4ca65c6f64fb28a404050ebbfd.patch;
+      sha256 = "19n01x8zs05wf801mkz4mypvapph7h941md3hr3rj0ry6r88pkir";
+    })
+  ];
+
   nativeBuildInputs = [ meson ninja pkgconfig gobjectIntrospection ];
   buildInputs = [ glib cairo freetype libjpeg libtiff ];
   propagatedBuildInputs = [ libarchive ];

From 1103b3fbe6e7349a1f95e7eb2f6f17af8210ab6e Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Tue, 16 Oct 2018 00:16:17 +0200
Subject: [PATCH 5/7] batik: mark as insecure

The package hasn't been updated in a long time. There have been several issues with the package. There is no dependant package in the repository so marking it as insecure until someone maintains it sounds reasonable.
---
 pkgs/applications/graphics/batik/default.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkgs/applications/graphics/batik/default.nix b/pkgs/applications/graphics/batik/default.nix
index 4032e2e3fee..51156dea4a1 100644
--- a/pkgs/applications/graphics/batik/default.nix
+++ b/pkgs/applications/graphics/batik/default.nix
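Review bot: The two `url` attributes in the new `patches` list are unquoted URL literals, while every other `url` in this series and the `sha256` values next to them are quoted strings; quoting them keeps the file consistent and avoids the URL-literal form that Nix has since deprecated, e.g. `url = "https://gitlab.gnome.org/GNOME/libgxps/commit/b458226e162fe1ffe7acb4230c114a52ada5131b.patch";` and the same for the second patch. The `name = "CVE-2018-10733-N.patch"` attributes together with commit-pinned URLs and fixed hashes are the right shape: the patch content is reproducible and the CVE is visible in the store path. A one-line comment pointing at the upstream issue, as the taglib change does with its pull-request link, would help the next person who has to decide whether these patches can be dropped on an update.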
@@ -15,5 +15,11 @@ stdenv.mkDerivation {
     homepage = https://xmlgraphics.apache.org/batik;
     license = licenses.asl20;
     platforms = platforms.unix;
+    knownVulnerabilities = [
+      # vulnerabilities as of 16th October 2018 from https://xmlgraphics.apache.org/security.html:
+      "CVE-2018-8013"
+      "CVE-2017-5662"
+      "CVE-2015-0250"
+    ];
   };
 }

From 385e5ac8479f994dd4f2838a552341e009a99083 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Tue, 16 Oct 2018 00:23:02 +0200
Subject: [PATCH 6/7] sddm: 0.17.0 -> 0.18.0

Bumps to the latest stable version while fixing CVE-2018-14345 [1]. Changelog [2]:
- Support theme supplied avatars
- Compile against Qt 5.11
- Fix platform detection for HighDPI
- On close, switch VT to a running session if applicable
- Better ConsoleKit support
- Fix authentication when non-default hidden option ReuseSession=true is used (CVE-2018-14345)
- Hide sessions with NoDisplay=true
- Honor PAM's ambient supplemental groups
- Cleanup socket destruction
- Don't quit on SIGHUP
- Updated translations

[1] https://nvd.nist.gov/vuln/detail/CVE-2018-14345
[2] https://github.com/sddm/sddm/releases/tag/v0.18.0
---
 .../display-managers/sddm/default.nix | 5 ++--
 .../display-managers/sddm/qt511.patch | 28 -------------------
 2 files changed, 2 insertions(+), 31 deletions(-)
 delete mode 100644 pkgs/applications/display-managers/sddm/qt511.patch

diff --git a/pkgs/applications/display-managers/sddm/default.nix b/pkgs/applications/display-managers/sddm/default.nix
index c9fd4f9c4ab..3de4067f55d 100644
--- a/pkgs/applications/display-managers/sddm/default.nix
+++ b/pkgs/applications/display-managers/sddm/default.nix
@@ -4,7 +4,7 @@
 }:
 let
-  version = "0.17.0";
+  version = "0.18.0";
 in mkDerivation rec {
   name = "sddm-${version}";
@@ -13,12 +13,11 @@ in mkDerivation rec {
     owner = "sddm";
     repo = "sddm";
     rev = "v${version}";
-    sha256 = "1m35ly6miwy8ivsln3j1bfv0nxbc4gyqnj7f847zzp53jsqrm3mq";
+    sha256 = "16xnm02iqgy4hydzd6my0widq981glbazbhxnihhclgsaczh8mfq";
   };
   patches = [
     ./sddm-ignore-config-mtime.patch
-    ./qt511.patch
   ];
   postPatch =
diff --git a/pkgs/applications/display-managers/sddm/qt511.patch b/pkgs/applications/display-managers/sddm/qt511.patch
deleted file mode 100644
index 6430e60ed41..00000000000
--- a/pkgs/applications/display-managers/sddm/qt511.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 005c9ad..71b46d7 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -93,7 +93,7 @@ find_package(XCB REQUIRED)
- find_package(XKB REQUIRED)
-
- # Qt 5
--find_package(Qt5 5.6.0 CONFIG REQUIRED Core DBus Gui Qml Quick LinguistTools)
-+find_package(Qt5 5.6.0 CONFIG REQUIRED Core DBus Gui Qml Quick LinguistTools Test)
-
- # find qt5 imports dir
- get_target_property(QMAKE_EXECUTABLE Qt5::qmake LOCATION)
-diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
-index c9d935a..bb85ddd 100644
---- a/test/CMakeLists.txt
-+++ b/test/CMakeLists.txt
-@@ -2,9 +2,8 @@ set(QT_USE_QTTEST TRUE)
-
- include_directories(../src/common)
-
--
- set(ConfigurationTest_SRCS ConfigurationTest.cpp ../src/common/ConfigReader.cpp)
- add_executable(ConfigurationTest ${ConfigurationTest_SRCS})
- add_test(NAME Configuration COMMAND ConfigurationTest)
-
--qt5_use_modules(ConfigurationTest Test)
-+target_link_libraries(ConfigurationTest Qt5::Core Qt5::Test)

From 289897237763ef6db49af8dc3d00c3568cc2f230 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Tue, 16 Oct 2018 00:35:52 +0200
Subject: [PATCH 7/7] kiwix: mark as insecure

There is at least one recorded issue against our kiwix version. Upstream does no longer support this version of the project. They have moved to a different repository & software architecture.
---
 pkgs/applications/misc/kiwix/default.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkgs/applications/misc/kiwix/default.nix b/pkgs/applications/misc/kiwix/default.nix
index 8d095b78cdb..9ea8210e67e 100644
--- a/pkgs/applications/misc/kiwix/default.nix
+++ b/pkgs/applications/misc/kiwix/default.nix
@@ -103,5 +103,8 @@ stdenv.mkDerivation rec {
     license = licenses.gpl3;
     platforms = platforms.linux;
     maintainers = with maintainers; [ robbinch ];
+    knownVulnerabilities = [
+      "CVE-2015-1032"
+    ];
   };
 }
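Review bot: The new `knownVulnerabilities` entry lists `"CVE-2015-1032"` with no pointer to where the assessment came from, unlike the batik change in this series, whose list cites the upstream security page and the date it was checked; a comment above the entry, `# <reference to the advisory or issue for CVE-2015-1032 — fill in>, checked <date>`, lets the next maintainer re-evaluate the marking rather than trusting it blindly. The commit message also says upstream no longer supports this version, which is the stronger reason for the marking and is what users of the package would want to read in the evaluation error; since the list holds free-form strings, a second entry such as `"Unmaintained upstream; superseded by a different codebase"` would surface that. The enclosing `meta` attribute set starts before the hunk.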