From 94cc94a40c73d3cbf04fa0849abef66c0229e08e Mon Sep 17 00:00:00 2001 From: zowoq <59103226+zowoq@users.noreply.github.com> Date: Tue, 15 Jun 2021 16:49:18 +1000 Subject: [PATCH 1/9] libslirp: 4.5.0 -> 4.6.0 https://gitlab.freedesktop.org/slirp/libslirp/-/releases/v4.6.0 (cherry picked from commit 8d25d8c55dcdf10a612aac115bd88139d10fc351) --- pkgs/development/libraries/libslirp/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/libslirp/default.nix b/pkgs/development/libraries/libslirp/default.nix index 5da6cf6bbbc..7180587e8e6 100644 --- a/pkgs/development/libraries/libslirp/default.nix +++ b/pkgs/development/libraries/libslirp/default.nix @@ -9,14 +9,14 @@ stdenv.mkDerivation rec { pname = "libslirp"; - version = "4.5.0"; + version = "4.6.0"; src = fetchFromGitLab { domain = "gitlab.freedesktop.org"; owner = "slirp"; repo = pname; rev = "v${version}"; - sha256 = "sha256-UdKBED7xR0gDf3aj3+6I62CnAwGP7XxskaFzWeUUkkk="; + sha256 = "sha256-1Zp1+PW0WtNzRYIA87X42CJeSzVFhi5sGi9/rlUP4Vo="; }; nativeBuildInputs = [ meson ninja pkg-config ]; From 1fc88477924496f3a1f99a768c3458430ef3d673 Mon Sep 17 00:00:00 2001 From: zowoq <59103226+zowoq@users.noreply.github.com> Date: Sat, 19 Jun 2021 09:18:22 +1000 Subject: [PATCH 2/9] libslirp: 4.6.0 -> 4.6.1 https://gitlab.freedesktop.org/slirp/libslirp/-/releases/v4.6.1 (cherry picked from commit 7ce24d4b85077a5f24f83abe81a07bb7d146e9f7) --- pkgs/development/libraries/libslirp/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/libslirp/default.nix b/pkgs/development/libraries/libslirp/default.nix index 7180587e8e6..f4eaa9c3199 100644 --- a/pkgs/development/libraries/libslirp/default.nix +++ b/pkgs/development/libraries/libslirp/default.nix 
@@ -9,14 +9,14 @@ stdenv.mkDerivation rec { pname = "libslirp"; - version = "4.6.0"; + version = "4.6.1"; src = fetchFromGitLab { domain = "gitlab.freedesktop.org"; owner = "slirp"; repo = pname; rev = "v${version}"; - sha256 = "sha256-1Zp1+PW0WtNzRYIA87X42CJeSzVFhi5sGi9/rlUP4Vo="; + sha256 = "sha256-AM6NxO4hjFiUAzRYbXV3fe18xwCBmzdM63n93UOxjKw="; }; nativeBuildInputs = [ meson ninja pkg-config ]; From 88e99266e6cfde2481519380f9bc61a1c65b29af Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Sun, 25 Jul 2021 19:40:57 +0100 Subject: [PATCH 3/9] varnish60: 6.0.7 -> 6.0.8 --- pkgs/servers/varnish/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/varnish/default.nix b/pkgs/servers/varnish/default.nix index 1fbb36257d2..56c0a09cb4e 100644 --- a/pkgs/servers/varnish/default.nix +++ b/pkgs/servers/varnish/default.nix @@ -41,8 +41,8 @@ let in { varnish60 = common { - version = "6.0.7"; - sha256 = "0njs6xpc30nc4chjdm4d4g63bigbxhi4dc46f4az3qcz51r8zl2a"; + version = "6.0.8"; + sha256 = "1zk83hfxgjq1d0n4zx86q3f05y9f2zc6a1miz1zcvfa052q4bljx"; }; varnish62 = common { version = "6.2.3"; From 8d894f90d48d36eade5ba32675595f5d915618e2 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Sun, 25 Jul 2021 19:41:18 +0100 Subject: [PATCH 4/9] varnish62, varnish63: add patch for CVE-2021-36740 --- .../varnish/6.2-6.3-CVE-2021-36740.patch | 132 ++++++++++++++++++ pkgs/servers/varnish/default.nix | 10 +- 2 files changed, 141 insertions(+), 1 deletion(-) create mode 100644 pkgs/servers/varnish/6.2-6.3-CVE-2021-36740.patch diff --git a/pkgs/servers/varnish/6.2-6.3-CVE-2021-36740.patch b/pkgs/servers/varnish/6.2-6.3-CVE-2021-36740.patch new file mode 100644 index 00000000000..8246f152651 --- /dev/null +++ b/pkgs/servers/varnish/6.2-6.3-CVE-2021-36740.patch 
@@ -0,0 +1,132 @@ +An interpolation of https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf +and https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be +which applies to both 6.2 and 6.3 + +diff --git a/bin/varnishd/http2/cache_http2.h b/bin/varnishd/http2/cache_http2.h +index c377d03aac..205b96ccb7 100644 +--- a/bin/varnishd/http2/cache_http2.h ++++ b/bin/varnishd/http2/cache_http2.h +@@ -131,6 +131,8 @@ struct h2_req { + /* Where to wake this stream up */ + struct worker *wrk; + ++ ssize_t reqbody_bytes; ++ + VTAILQ_ENTRY(h2_req) tx_list; + h2_error error; + +diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c +index cb35bb4873..98f5dc4f37 100644 +--- a/bin/varnishd/http2/cache_http2_proto.c ++++ b/bin/varnishd/http2/cache_http2_proto.c +@@ -546,6 +546,7 @@ h2_end_headers(struct worker *wrk, struct h2_sess *h2, + struct req *req, struct h2_req *r2) + { + h2_error h2e; ++ ssize_t cl; + + ASSERT_RXTHR(h2); + assert(r2->state == H2_S_OPEN); +@@ -572,14 +572,24 @@ h2_end_headers(struct worker *wrk, struct h2_sess *h2, + // XXX: Have I mentioned H/2 Is hodge-podge ? 
+ http_CollectHdrSep(req->http, H_Cookie, "; "); // rfc7540,l,3114,3120 + ++ cl = http_GetContentLength(req->http); ++ assert(cl >= -2); ++ if (cl == -2) { ++ VSLb(h2->vsl, SLT_Debug, "Non-parseable Content-Length"); ++ return (H2SE_PROTOCOL_ERROR); ++ } ++ + if (req->req_body_status == REQ_BODY_INIT) { +- if (!http_GetHdr(req->http, H_Content_Length, NULL)) ++ if (cl == -1) + req->req_body_status = REQ_BODY_WITHOUT_LEN; + else + req->req_body_status = REQ_BODY_WITH_LEN; ++ req->htc->content_length = cl; + } else { ++ /* A HEADER frame contained END_STREAM */ + assert (req->req_body_status == REQ_BODY_NONE); +- if (http_GetContentLength(req->http) > 0) ++ r2->state = H2_S_CLOS_REM; ++ if (cl > 0) + return (H2CE_PROTOCOL_ERROR); //rfc7540,l,1838,1840 + } + +@@ -736,6 +746,7 @@ h2_rx_data(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2) + int w1 = 0, w2 = 0; + char buf[4]; + unsigned wi; ++ ssize_t cl; + + CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); + ASSERT_RXTHR(h2); +@@ -754,6 +765,23 @@ h2_rx_data(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2) + } + Lck_Lock(&h2->sess->mtx); + while (h2->mailcall != NULL && h2->error == 0 && r2->error == 0) + AZ(Lck_CondWait(h2->cond, &h2->sess->mtx, 0)); ++ ++ r2->reqbody_bytes += h2->rxf_len; ++ if (h2->rxf_flags & H2FF_DATA_END_STREAM) ++ r2->state = H2_S_CLOS_REM; ++ cl = r2->req->htc->content_length; ++ if (cl >= 0 && (r2->reqbody_bytes > cl || ++ (r2->state >= H2_S_CLOS_REM && r2->reqbody_bytes != cl))) { ++ VSLb(h2->vsl, SLT_Debug, ++ "H2: stream %u: Received data and Content-Length" ++ " mismatch", h2->rxf_stream); ++ r2->error = H2SE_PROTOCOL_ERROR; // rfc7540,l,3150,3163 ++ if (r2->cond) ++ AZ(pthread_cond_signal(r2->cond)); ++ Lck_Unlock(&h2->sess->mtx); ++ return (H2SE_PROTOCOL_ERROR); ++ } ++ + AZ(h2->mailcall); + h2->mailcall = r2; + h2->req0->r_window -= h2->rxf_len; +@@ -772,6 +800,8 @@ h2_rx_data(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2) + r2->r_window += wi; + w2 = 1; + } ++ ++ + 
Lck_Unlock(&h2->sess->mtx); + + if (w1 || w2) { +@@ -794,7 +824,7 @@ h2_vfp_body(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, ssize_t *lp) + struct h2_req *r2; + struct h2_sess *h2; + unsigned l; +- enum vfp_status retval = VFP_OK; ++ enum vfp_status retval; + + CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC); + CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC); +@@ -807,7 +837,6 @@ h2_vfp_body(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, ssize_t *lp) + *lp = 0; + + Lck_Lock(&h2->sess->mtx); +- assert (r2->state == H2_S_OPEN); + r2->cond = &vc->wrk->cond; + while (h2->mailcall != r2 && h2->error == 0 && r2->error == 0) + AZ(Lck_CondWait(r2->cond, &h2->sess->mtx, 0)); +@@ -830,12 +859,10 @@ h2_vfp_body(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, ssize_t *lp) + Lck_Unlock(&h2->sess->mtx); + return (VFP_OK); + } +- if (h2->rxf_len == 0) { +- if (h2->rxf_flags & H2FF_DATA_END_STREAM) { +- retval = VFP_END; +- r2->state = H2_S_CLOS_REM; +- } +- } ++ if (h2->rxf_len == 0 && r2->state >= H2_S_CLOS_REM) ++ retval = VFP_END; ++ else ++ retval = VFP_OK; + h2->mailcall = NULL; + AZ(pthread_cond_signal(h2->cond)); + } diff --git a/pkgs/servers/varnish/default.nix b/pkgs/servers/varnish/default.nix index 56c0a09cb4e..9a4b62fa237 100644 --- a/pkgs/servers/varnish/default.nix +++ b/pkgs/servers/varnish/default.nix @@ -2,7 +2,7 @@ , python3, makeWrapper }: let - common = { version, sha256, extraNativeBuildInputs ? [] }: + common = { version, sha256, extraNativeBuildInputs ? [], extraPatches ? [] }: stdenv.mkDerivation rec { pname = "varnish"; inherit version; @@ -12,6 +12,8 @@ let inherit sha256; }; + patches = extraPatches; + passthru.python = python3; nativeBuildInputs = with python3.pkgs; [ pkg-config docutils sphinx ]; 
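Review bot: The new `reqbody_bytes` member added to `struct h2_req` is never initialized anywhere in this patch, yet the `h2_rx_data` hunk accumulates into it with `r2->reqbody_bytes += h2->rxf_len;` and then compares it against the declared Content-Length; that is only correct if `h2_req` is zero-filled at allocation, which is not visible in these hunks (upstream presumably does it via its object-init macro, but it is worth confirming on the 6.2/6.3 trees since a stale value would make the new mismatch check reject or pass the wrong streams). The `@@ -772,6 +800,8 @@` hunk also adds two empty lines before `Lck_Unlock(&h2->sess->mtx);` that carry no code and look like a leftover from merging the two upstream commits; dropping them keeps the backport minimal and easier to compare with upstream. Because this is a hand-interpolated patch rather than a verbatim upstream commit, a sentence in its header saying which hunks come from which of the two cited commits would help anyone re-verifying it against the advisory.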
@@ -47,9 +49,15 @@ in varnish62 = common { version = "6.2.3"; sha256 = "02b6pqh5j1d4n362n42q42bfjzjrngd6x49b13q7wzsy6igd1jsy"; + extraPatches = [ + ./6.2-6.3-CVE-2021-36740.patch + ]; }; varnish63 = common { version = "6.3.2"; sha256 = "1f5ahzdh3am6fij5jhiybv3knwl11rhc5r3ig1ybzw55ai7788q8"; + extraPatches = [ + ./6.2-6.3-CVE-2021-36740.patch + ]; }; } From 6526d0e5c322d6736a484b56198908305618555a Mon Sep 17 00:00:00 2001 From: Michael Francis Date: Mon, 17 May 2021 21:00:57 +0800 Subject: [PATCH 5/9] Only include ipsecTools if using ipsec (cherry picked from commit adc368d2fc7dd74beb8486ff72880ed0212abb0d) --- nixos/modules/virtualisation/openvswitch.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nixos/modules/virtualisation/openvswitch.nix b/nixos/modules/virtualisation/openvswitch.nix index c6a3ceddc3e..a351974b481 100644 --- a/nixos/modules/virtualisation/openvswitch.nix +++ b/nixos/modules/virtualisation/openvswitch.nix @@ -66,9 +66,7 @@ in { }; in (mkMerge [{ - - environment.systemPackages = [ cfg.package pkgs.ipsecTools ]; - + environment.systemPackages = [ cfg.package ]; boot.kernelModules = [ "tun" "openvswitch" ]; boot.extraModulePackages = [ cfg.package ]; @@ -146,6 +144,8 @@ in { } (mkIf (cfg.ipsec && (versionOlder cfg.package.version "2.6.0")) { + environment.systemPackages = [ pkgs.ipsecTools ]; + services.racoon.enable = true; services.racoon.configPath = "${runDir}/ipsec/etc/racoon/racoon.conf"; From 8f5794cbdaf444b9ecd87cb09013912571069679 Mon Sep 17 00:00:00 2001 
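Review bot: `varnish60` receives no `extraPatches` entry here, and nothing in default.nix explains why; the preceding commit in this series bumps it to 6.0.8, which presumably already carries the fix, but a reader of this file alone cannot tell whether 6.0 was skipped deliberately or missed. A comment next to the `varnish60` block such as `# CVE-2021-36740 is fixed upstream in 6.0.8; 6.2/6.3 are patched below` (wording to be confirmed against the upstream advisory) would record that. Any other varnish versions defined in this file outside the hunk are not visible here and may need the same treatment.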
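Review bot: After these two hunks `pkgs.ipsecTools` is installed only under `mkIf (cfg.ipsec && (versionOlder cfg.package.version "2.6.0"))`, which is narrower than the commit title "only include ipsecTools if using ipsec": with `cfg.ipsec = true` and a package at or above 2.6.0 the tools are no longer installed at all. If that is intended (the racoon-based setup is presumably what needs them), the commit message should state it; otherwise the line belongs in its own block, `(mkIf cfg.ipsec { environment.systemPackages = [ pkgs.ipsecTools ]; })`, so the package follows the option rather than the version check. The first hunk's removal of the surrounding blank lines is fine but unrelated to the change.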
From: Eelco Dolstra Date: Wed, 28 Jul 2021 17:06:03 +0200 Subject: [PATCH 6/9] nixos-rebuild: Set inherit_errexit Without this, failure of nixBuild() and nixFlakeBuild() was ignored (since bash doesn't inherit 'set -e' in subshells by default), so the script would proceed with a bogus ./result link, e.g. ++ readlink -f /tmp/nixos-rebuild.NfHKxx/result + pathToConfig='/nix/store/m7dvk6an18cpr95qn5wnig2600qhv6w7-nix-2.4pre20210727_706777a/bin/nix /tmp/nixos-rebuild.NfHKxx/result' + '[' test = switch -o test = boot ']' + copyToTarget '/nix/store/m7dvk6an18cpr95qn5wnig2600qhv6w7-nix-2.4pre20210727_706777a/bin/nix /tmp/nixos-rebuild.NfHKxx/result' + '[' '' = '' ']' + '[' test = switch -o test = boot -o test = test -o test = dry-activate ']' + targetHostCmd /nix/store/m7dvk6an18cpr95qn5wnig2600qhv6w7-nix-2.4pre20210727_706777a/bin/nix /tmp/nixos-rebuild.NfHKxx/result/bin/switch-to-configuration test + '[' -z '' ']' + sudo -- /nix/store/m7dvk6an18cpr95qn5wnig2600qhv6w7-nix-2.4pre20210727_706777a/bin/nix /tmp/nixos-rebuild.NfHKxx/result/bin/switch-to-configuration test error: '/tmp/nixos-rebuild.NfHKxx/result/bin/switch-to-configuration' is not a recognised command Try '/nix/store/m7dvk6an18cpr95qn5wnig2600qhv6w7-nix-2.4pre20210727_706777a/bin/nix --help' for more information. + echo 'warning: error(s) occurred while switching to the new configuration' warning: error(s) occurred while switching to the new configuration (cherry picked from commit 0ad27c8653daaf59cf0fb2e0b30561a8d86303fa) --- pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh b/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh index 62828de2676..467654d1806 100644 --- a/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh +++ b/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh 
@@ -4,6 +4,7 @@ if [ -x "@runtimeShell@" ]; then export SHELL="@runtimeShell@"; fi; set -e set -o pipefail +shopt -s inherit_errexit export PATH=@path@:$PATH From e3ebd9cdb7ee73378db5e9398db9c0fa403dbd21 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Sun, 25 Jul 2021 14:23:36 +0100 Subject: [PATCH 7/9] libgrss: add patch for CVE-2016-20011 (cherry picked from commit b50d7d0683d61bf00a101ce7b67c7b0f065d7ff6) --- pkgs/development/libraries/libgrss/default.nix | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/pkgs/development/libraries/libgrss/default.nix b/pkgs/development/libraries/libgrss/default.nix index 8c5ea73af0b..5e1c2b17858 100644 --- a/pkgs/development/libraries/libgrss/default.nix +++ b/pkgs/development/libraries/libgrss/default.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchurl, pkg-config, vala, gobject-introspection, gtk-doc, docbook_xsl, docbook_xml_dtd_412, glib, libxml2, libsoup, gnome }: +{ lib, stdenv, fetchurl, fetchpatch, pkg-config, vala, gobject-introspection, gtk-doc, docbook_xsl, docbook_xml_dtd_412, glib, libxml2, libsoup, gnome }: let version = "0.7.0"; @@ -14,6 +14,15 @@ stdenv.mkDerivation { sha256 = "1nalslgyglvhpva3px06fj6lv5zgfg0qmj0sbxyyl5d963vc02b7"; }; + patches = [ + (fetchpatch { + name = "CVE-2016-20011.patch"; + # https://gitlab.gnome.org/GNOME/libgrss/-/merge_requests/7, not yet merged! + url = "https://gitlab.gnome.org/GNOME/libgrss/-/commit/2c6ea642663e2a44efc8583fae7c54b7b98f72b3.patch"; + sha256 = "1ijvq2jl97vphcvrbrqxvszdmv6yyjfygdca9vyaijpafwyzzb18"; + }) + ]; + nativeBuildInputs = [ pkg-config vala gobject-introspection gtk-doc docbook_xsl docbook_xml_dtd_412 ]; buildInputs = [ glib libxml2 libsoup ]; From 5d432c24538cba72fafc86e73808668e77d29174 Mon Sep 17 00:00:00 2001 
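Review bot: `shopt -s inherit_errexit` is accepted only by bash 4.4 or newer, and because `set -e` is already in effect two lines above, running this script under an older bash now aborts at this line with no useful message; the guard on the `if [ -x "@runtimeShell@" ]` line only exports `SHELL`, it does not re-exec the script under that shell. The nixpkgs bash is presumably recent enough, but a short comment would document the requirement and what the option actually covers, which is command substitutions rather than every subshell: `shopt -s inherit_errexit  # bash >= 4.4: make $(...) inherit set -e`.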
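Review bot: The `fetchpatch` in the `@@ -14,6 +14,15 @@` hunk pulls the CVE-2016-20011 fix from a commit that, per the comment on the preceding line, belongs to an unmerged merge request; the pinned `sha256` protects against the content changing, but not against the commit becoming unreachable if the MR is rebased or closed, which would turn this into a fetch failure for every rebuild. Vendoring the patch file into the tree, or at least pointing the `url` at a ref that the project guarantees to keep, would remove that dependency; the comment could then read `# backport of https://gitlab.gnome.org/GNOME/libgrss/-/merge_requests/7 (unmerged upstream); drop once released`. The `@@ -1,4 +1,4 @@` hunk adding `fetchpatch` to the argument list is fine.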
From: Florian Klink Date: Wed, 28 Jul 2021 15:16:30 +0200 Subject: [PATCH 8/9] linux: 5.13.5 -> 5.13.6 (cherry picked from commit b167e087810dce6f0298f078b0ad621e4bdaaf7f) --- pkgs/os-specific/linux/kernel/linux-5.13.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/linux-5.13.nix b/pkgs/os-specific/linux/kernel/linux-5.13.nix index dd97944de78..bece15821a8 100644 --- a/pkgs/os-specific/linux/kernel/linux-5.13.nix +++ b/pkgs/os-specific/linux/kernel/linux-5.13.nix @@ -3,7 +3,7 @@ with lib; buildLinux (args // rec { - version = "5.13.5"; + version = "5.13.6"; # modDirVersion needs to be x.y.z, will automatically add .0 if needed modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg; @@ -13,9 +13,8 @@ buildLinux (args // rec { src = fetchurl { url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz"; - sha256 = "0lqh7krxxnbrvr3w1kag92z9r4n9436fr6answjkjfbvw0z7q74m"; + sha256 = "0xjjl8dmilp425b1cp977v26qxlg1147gh54kni949pzxwh1fb56"; }; kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_5_13 ]; } // (args.argsOverride or { })) - From 33c7f751dc2e0f9f06d1a09628c7bb039377b859 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Sat, 12 Jun 2021 17:10:53 +0100 Subject: [PATCH 9/9] exif: add patches for CVE-2021-27815 (cherry picked from commit 764a102f35757e8916039f4ed3e88ba35d7a2195) --- pkgs/tools/graphics/exif/default.nix | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/graphics/exif/default.nix b/pkgs/tools/graphics/exif/default.nix index 130e2d96124..f07f3d05541 100644 --- a/pkgs/tools/graphics/exif/default.nix +++ b/pkgs/tools/graphics/exif/default.nix 
@@ -1,4 +1,13 @@ -{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, libexif, popt, libintl }: +{ lib +, stdenv +, fetchFromGitHub +, fetchpatch +, autoreconfHook +, pkg-config +, libexif +, popt +, libintl +}: stdenv.mkDerivation rec { pname = "exif"; @@ -11,6 +20,19 @@ stdenv.mkDerivation rec { sha256 = "1xlb1gdwxm3rmw7vlrynhvjp9dkwmvw23mxisdbdmma7ah2nda3i"; }; + patches = [ + (fetchpatch { + name = "CVE-2021-27815.part-1.patch"; + url = "https://github.com/libexif/exif/commit/f6334d9d32437ef13dc902f0a88a2be0063d9d1c.patch"; + sha256 = "0mfx7l8w3w1c2mn5h5d6s7gdfyd91wnml8v0f19v5sdn70hx5aa4"; + }) + (fetchpatch { + name = "CVE-2021-27815.part-2.patch"; + url = "https://github.com/libexif/exif/commit/eb84b0e3c5f2a86013b6fcfb800d187896a648fa.patch"; + sha256 = "11lyvy20maisiyhxgxvm85v5l5ba7p0bpd4m0g4ryli32mrwwy0l"; + }) + ]; + nativeBuildInputs = [ autoreconfHook pkg-config ]; buildInputs = [ libexif popt libintl ];
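Review bot: The new `patches` list in the `@@ -11,6 +20,19 @@` hunk names the two commits only by their names and URLs, with no pointer to the upstream issue or advisory that ties them to CVE-2021-27815, unlike the libgrss change in this series which cites its merge request. A one-line comment above the list, `# CVE-2021-27815, see upstream libexif/exif issue (reference to be added)`, would let a later maintainer check whether a newer release already includes both parts and the patches can be dropped. The reformatting of the argument list in the first hunk is cosmetic and needs no review.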