diff --git a/nixos/modules/programs/firejail.nix b/nixos/modules/programs/firejail.nix
index 484f9eb4440..ad4ef1a3945 100644
--- a/nixos/modules/programs/firejail.nix
+++ b/nixos/modules/programs/firejail.nix
@@ -11,10 +11,20 @@ let
 }
 ''
 mkdir -p $out/bin
- ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: binary: ''
+ ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: value:
+ let
+ opts = if builtins.isAttrs value
+ then value
+ else { executable = value; profile = null; extraArgs = []; };
+ args = lib.escapeShellArgs (
+ (optional (opts.profile != null) "--profile=${toString opts.profile}")
+ ++ opts.extraArgs
+ );
+ in
+ ''
 cat <<_EOF >$out/bin/${command}
 #! ${pkgs.runtimeShell} -e
- exec /run/wrappers/bin/firejail ${binary} "\$@"
+ exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@"
 _EOF
 chmod 0755 $out/bin/${command}
 '') cfg.wrappedBinaries)}
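Review bot: On the new `exec` line the target path `${toString opts.executable}` is spliced into the generated wrapper unescaped, while the firejail options right next to it go through `lib.escapeShellArgs`; for consistency, and so that a path containing shell-special characters cannot break or alter the wrapper, escape it the same way: `exec /run/wrappers/bin/firejail ${args} -- ${lib.escapeShellArg (toString opts.executable)} "\$@"`. The `--` is load-bearing, since it ends firejail's option parsing before the executable path, and deserves a one-line comment above the `cat <<_EOF` line such as `# firejail options are shell-escaped; -- ends option parsing before the target executable`. `optional` is used unqualified here, so this presumably relies on a `with lib;` outside the hunk; the enclosing `let` binding also starts before the hunk.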
@@ -25,12 +35,38 @@ in {
 enable = mkEnableOption "firejail";
 
 wrappedBinaries = mkOption {
- type = types.attrsOf types.path;
+ type = types.attrsOf (types.either types.path (types.submodule {
+ options = {
+ executable = mkOption {
+ type = types.path;
+ description = "Executable to run sandboxed";
+ example = literalExample "''${lib.getBin pkgs.firefox}/bin/firefox";
+ };
+ profile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = "Profile to use";
+ example = literalExample "''${pkgs.firejail}/etc/firejail/firefox.profile";
+ };
+ extraArgs = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = "Extra arguments to pass to firejail";
+ example = [ "--private=~/.firejail_home" ];
+ };
+ };
+ }));
 default = {};
 example = literalExample ''
 {
- firefox = "''${lib.getBin pkgs.firefox}/bin/firefox";
- mpv = "''${lib.getBin pkgs.mpv}/bin/mpv";
+ firefox = {
+ executable = "''${lib.getBin pkgs.firefox}/bin/firefox";
+ profile = "''${pkgs.firejail}/etc/firejail/firefox.profile";
+ };
+ mpv = {
+ executable = "''${lib.getBin pkgs.mpv}/bin/mpv";
+ profile = "''${pkgs.firejail}/etc/firejail/mpv.profile";
+ };
 }
 '';
 description = ''
diff --git a/nixos/tests/firejail.nix b/nixos/tests/firejail.nix
index a723cb01664..5f122c3fa94 100644
--- a/nixos/tests/firejail.nix
+++ b/nixos/tests/firejail.nix
@@ -11,6 +11,10 @@ import ./make-test-python.nix ({ pkgs, ...} : {
 enable = true;
 wrappedBinaries = {
 bash-jailed = "${pkgs.bash}/bin/bash";
+ bash-jailed2 = {
+ executable = "${pkgs.bash}/bin/bash";
+ extraArgs = [ "--private=~/firejail-home" ];
+ };
 };
 };
 
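Review bot: The new `profile` and `extraArgs` descriptions say what the fields are but not how they reach firejail, which is what a user needs in order to quote them correctly: per the wrapper hunk, a non-null `profile` becomes `--profile=<path>`, `extraArgs` are placed before the `--` that separates firejail options from the executable, and all of them are shell-escaped, so a `~` in `--private=~/...` is not expanded by the shell (the test in nixos/tests/firejail.nix relies on firejail handling it). Suggest `description = "Firejail profile, passed as --profile=<path>; null passes no --profile option.";` and `description = "Extra arguments passed to firejail before the -- that precedes the executable; each argument is shell-escaped, so shell expansion does not apply.";`. The `wrappedBinaries` option continues past the hunk, whose last visible line opens its `description`.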
@@ -53,6 +57,11 @@ import ./make-test-python.nix ({ pkgs, ...} : {
 )
 machine.fail("sudo -u alice bash-jailed -c 'cat ~/my-secrets/secret' | grep -q s3cret")
 
+ # Test extraArgs
+ machine.succeed("sudo -u alice mkdir /home/alice/firejail-home")
+ machine.succeed("sudo -u alice bash-jailed2 -c 'echo test > /home/alice/foo'")
+ machine.fail("sudo -u alice cat /home/alice/foo")
+ machine.succeed("sudo -u alice cat /home/alice/firejail-home/foo | grep test")
 
 # Test path acl with firejail executable
 machine.succeed("sudo -u alice firejail -- bash -c 'cat ~/public' | grep -q publ1c")
diff --git a/pkgs/applications/virtualization/dumb-init/default.nix b/pkgs/applications/virtualization/dumb-init/default.nix
index c7be90222c2..5e1bc9489d3 100644
--- a/pkgs/applications/virtualization/dumb-init/default.nix
+++ b/pkgs/applications/virtualization/dumb-init/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
 pname = "dumb-init";
- version = "1.2.2";
+ version = "1.2.3";
 
 src = fetchFromGitHub {
 owner = "Yelp";
 repo = pname;
 rev = "v${version}";
- sha256 = "15hgl8rz5dmrl5gx21sq5269l1hq539qn68xghjx0bv9hgbx0g20";
+ sha256 = "1ws944y8gch6h7iqvznfwlh9hnmdn36aqh9w6cbc7am8vbyq0ffa";
 };
 
 buildInputs = [ glibc.static ];
diff --git a/pkgs/development/libraries/libopenaptx/default.nix b/pkgs/development/libraries/libopenaptx/default.nix
index d9ccf77ea92..5b02d70f683 100644
--- a/pkgs/development/libraries/libopenaptx/default.nix
+++ b/pkgs/development/libraries/libopenaptx/default.nix
@@ -2,16 +2,22 @@
 
 stdenv.mkDerivation rec {
 pname = "libopenaptx";
- version = "0.1.0";
+ version = "0.2.0";
 
 src = fetchFromGitHub {
 owner = "pali";
 repo = "libopenaptx";
 rev = version;
- sha256 = "0996qmkmbax7ccknxrd3bx8xibs79a1ffms69scsj59f3kgj6854";
+ sha256 = "nTpw4vWgJ765FM6Es3SzaaaZr0YDydXglb0RWLbiigI=";
 };
 
- makeFlags = [ "PREFIX=$(out)" ];
+ makeFlags = [
+ "PREFIX=${placeholder "out"}"
+ # disable static builds
+ "ANAME="
+ "AOBJECTS="
+ "STATIC_UTILITIES="
+ ];
 
 enableParallelBuilding = true;
 
diff --git a/pkgs/development/python-modules/class-registry/default.nix b/pkgs/development/python-modules/class-registry/default.nix
index 9a3650bceb8..93c41cadea6 100644
--- a/pkgs/development/python-modules/class-registry/default.nix
+++ b/pkgs/development/python-modules/class-registry/default.nix
@@ -4,6 +4,8 @@
 lib,
 nose,
 six,
+ typing,
+ isPy27,
 }:
 
 buildPythonPackage rec {
@@ -15,7 +17,7 @@ buildPythonPackage rec {
 sha256 = "0zjf9nczl1ifzj07bgs6mwxsfd5xck9l0lchv2j0fv2n481xp2v7";
 };
 
- propagatedBuildInputs = [ six ];
+ propagatedBuildInputs = [ six ] ++ lib.optional isPy27 typing;
 checkInputs = [ nose ];
 
 # Tests currently failing.
diff --git a/pkgs/development/python-modules/cryptography/2.9.nix b/pkgs/development/python-modules/cryptography/2.9.nix
index 3bbb67c5240..3cde5054287 100644
--- a/pkgs/development/python-modules/cryptography/2.9.nix
+++ b/pkgs/development/python-modules/cryptography/2.9.nix
@@ -29,6 +29,8 @@ buildPythonPackage rec {
 sha256 = "0af25w5mkd6vwns3r6ai1w5ip9xp0ms9s261zzssbpadzdr05hx0";
 };
 
+ patches = [ ./CVE-2020-25659.patch ];
+
 outputs = [ "out" "dev" ];
 
 buildInputs = [ openssl ]
@@ -70,6 +72,5 @@ buildPythonPackage rec {
 + replaceStrings [ "." ] [ "-" ] version;
 license = with licenses; [ asl20 bsd3 psfl ];
 maintainers = with maintainers; [ primeos ];
- knownVulnerabilities = [ "CVE-2020-25659" "https://github.com/advisories/GHSA-hggm-jpg3-v476" ];
 };
 }
diff --git a/pkgs/development/python-modules/cryptography/CVE-2020-25659.patch b/pkgs/development/python-modules/cryptography/CVE-2020-25659.patch
new file mode 100644
index 00000000000..a353757be11
--- /dev/null
+++ b/pkgs/development/python-modules/cryptography/CVE-2020-25659.patch
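Review bot: The added `patches = [ ./CVE-2020-25659.patch ];` in cryptography/2.9.nix carries no comment, and the second hunk of that file removes the `knownVulnerabilities` entry that was the only place naming the advisory, so after this commit the expression no longer records why the patch exists or where it comes from. Suggest a comment above it, e.g. `# Backport of upstream 58494b41 ("Attempt to mitigate Bleichenbacher attacks on RSA decryption", #5507); see https://github.com/advisories/GHSA-hggm-jpg3-v476`. Since the upstream subject says "mitigate" rather than fix, keeping the advisory link in the comment lets a later maintainer re-check whether the backport is sufficient before treating the CVE as closed; the removal of `knownVulnerabilities` itself is the commit's intended change and is not re-raised here.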
@@ -0,0 +1,76 @@
+Backported of:
+
+From 58494b41d6ecb0f56b7c5f05d5f5e3ca0320d494 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor
+Date: Sun, 25 Oct 2020 21:16:42 -0400
+Subject: [PATCH] Attempt to mitigate Bleichenbacher attacks on RSA decryption
+ (#5507)
+
+diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
+index 6e4675d..ce66c28 100644
+--- a/docs/spelling_wordlist.txt
++++ b/docs/spelling_wordlist.txt
+@@ -6,6 +6,7 @@ backend
+ Backends
+ backends
+ bcrypt
++Bleichenbacher
+ Blowfish
+ boolean
+ Botan
+diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
+index 3e4c2fd..6303f95 100644
+--- a/src/cryptography/hazmat/backends/openssl/rsa.py
++++ b/src/cryptography/hazmat/backends/openssl/rsa.py
+@@ -117,40 +117,19 @@ def _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding):
+ 
+ outlen = backend._ffi.new("size_t *", buf_size)
+ buf = backend._ffi.new("unsigned char[]", buf_size)
++ # Everything from this line onwards is written with the goal of being as
++ # constant-time as is practical given the constraints of Python and our
++ # API. See Bleichenbacher's '98 attack on RSA, and its many many variants.
++ # As such, you should not attempt to change this (particularly to "clean it
++ # up") without understanding why it was written this way (see
++ # Chesterton's Fence), and without measuring to verify you have not
++ # introduced observable time differences.
+ res = crypt(pkey_ctx, buf, outlen, data, len(data))
++ resbuf = backend._ffi.buffer(buf)[: outlen[0]]
++ backend._lib.ERR_clear_error()
+ if res <= 0:
+- _handle_rsa_enc_dec_error(backend, key)
+-
+- return backend._ffi.buffer(buf)[:outlen[0]]
+-
+-
+-def _handle_rsa_enc_dec_error(backend, key):
+- errors = backend._consume_errors()
+- backend.openssl_assert(errors)
+- backend.openssl_assert(errors[0].lib == backend._lib.ERR_LIB_RSA)
+- if isinstance(key, _RSAPublicKey):
+- backend.openssl_assert(
+- errors[0].reason == backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE
+- )
+- raise ValueError(
+- "Data too long for key size. Encrypt less data or use a "
+- "larger key size."
+- )
+- else:
+- decoding_errors = [
+- backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_01,
+- backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_02,
+- backend._lib.RSA_R_OAEP_DECODING_ERROR,
+- # Though this error looks similar to the
+- # RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE, this occurs on decrypts,
+- # rather than on encrypts
+- backend._lib.RSA_R_DATA_TOO_LARGE_FOR_MODULUS,
+- ]
+- if backend._lib.Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR:
+- decoding_errors.append(backend._lib.RSA_R_PKCS_DECODING_ERROR)
+-
+- backend.openssl_assert(errors[0].reason in decoding_errors)
+- raise ValueError("Decryption failed.")
++ raise ValueError("Encryption/decryption failed.")
++ return resbuf
+ 
+ 
+ def _rsa_sig_determine_padding(backend, key, padding, algorithm):
diff --git a/pkgs/development/tools/apktool/default.nix b/pkgs/development/tools/apktool/default.nix
index 529f705e101..2ff9c58fb33 100644
--- a/pkgs/development/tools/apktool/default.nix
+++ b/pkgs/development/tools/apktool/default.nix
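Review bot: The backported rsa.py hunk replaces two distinct `ValueError` messages, `"Data too long for key size. Encrypt less data or use a larger key size."` on encrypt and `"Decryption failed."` on decrypt, with the single `"Encryption/decryption failed."`, and it stops asserting which OpenSSL reason code was set, calling `backend._lib.ERR_clear_error()` instead; the in-code comment explains this is deliberate for timing reasons, but it is an observable API change for any caller that matches on message text, and the file's preamble says only `Backported of:`. Suggest stating it in the preamble, e.g. `Note: encrypt and decrypt failures now raise the same "Encryption/decryption failed." ValueError and OpenSSL error reasons are no longer inspected.`, and correcting `Backported of:` to `Backport of:`. The carried-along `docs/spelling_wordlist.txt` hunk is harmless and presumably has no effect on the built package. This patch file's single hunk begins on the previous line, where the preamble is.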
@@ -2,14 +2,14 @@
 
 stdenv.mkDerivation rec {
 pname = "apktool";
- version = "2.4.1";
+ version = "2.5.0";
 
 src = fetchurl {
 urls = [
 "https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_${version}.jar"
 "https://github.com/iBotPeaches/Apktool/releases/download/v${version}/apktool_${version}.jar"
 ];
- sha256 = "0ljsh8nx065isnyzzrwddypikkfhyqsww0w02cgwgh8x3lhndsxx";
+ sha256 = "1r4z0z2c1drjd4ynpf36dklxs3hq1wdnzh63mk2yk4mmk75xg4mk";
 };
 
 phases = [ "installPhase" ];
diff --git a/pkgs/tools/misc/direnv/default.nix b/pkgs/tools/misc/direnv/default.nix
index f84a51486d9..050dcf2955f 100644
--- a/pkgs/tools/misc/direnv/default.nix
+++ b/pkgs/tools/misc/direnv/default.nix
@@ -2,7 +2,7 @@
 
 buildGoModule rec {
 pname = "direnv";
- version = "2.24.0";
+ version = "2.25.0";
 
 vendorSha256 = null;
 
@@ -10,7 +10,7 @@ buildGoModule rec {
 owner = "direnv";
 repo = "direnv";
 rev = "v${version}";
- sha256 = "1hgivmz6f5knpchkyi3njj1h81hixm77ad5g2v0m9bid09b97nh8";
+ sha256 = "00bvznswmz08s2jqpz5xxmkqggd06h6g8cwk242aaih6qajxfpsn";
 };
 
 # we have no bash at the moment for windows
diff --git a/pkgs/tools/security/sudo/default.nix b/pkgs/tools/security/sudo/default.nix
index 8ba10f66396..ae29eeafd00 100644
--- a/pkgs/tools/security/sudo/default.nix
+++ b/pkgs/tools/security/sudo/default.nix
@@ -6,11 +6,11 @@
 
 stdenv.mkDerivation rec {
 pname = "sudo";
- version = "1.9.3p1";
+ version = "1.9.4";
 
 src = fetchurl {
 url = "https://www.sudo.ws/dist/${pname}-${version}.tar.gz";
- sha256 = "17mldsg5d08s23cskmjxfa81ibnqw3slgf3l4023j72ywi9xxffw";
+ sha256 = "1w03257akspgkkl757vmpq3p30sb2n6y61hll038mw9sqwnbv4cb";
 };
 
 prePatch = ''