Merge release-21.05 into staging-next-21.05

nixos/modules/virtualisation/openvswitch.nix

@@ -66,9 +66,7 @@ in {
     };
 
   in (mkMerge [{
-
+    environment.systemPackages = [ cfg.package ];
-    environment.systemPackages = [ cfg.package pkgs.ipsecTools ];
-
     boot.kernelModules = [ "tun" "openvswitch" ];
 
     boot.extraModulePackages = [ cfg.package ];
@@ -146,6 +144,8 @@ in {
 
   }
   (mkIf (cfg.ipsec && (versionOlder cfg.package.version "2.6.0")) {
+    environment.systemPackages = [ pkgs.ipsecTools ];
+  
     services.racoon.enable = true;
     services.racoon.configPath = "${runDir}/ipsec/etc/racoon/racoon.conf";
 

pkgs/development/libraries/libgrss/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, pkg-config, vala, gobject-introspection, gtk-doc, docbook_xsl, docbook_xml_dtd_412, glib, libxml2, libsoup, gnome }:
+{ lib, stdenv, fetchurl, fetchpatch, pkg-config, vala, gobject-introspection, gtk-doc, docbook_xsl, docbook_xml_dtd_412, glib, libxml2, libsoup, gnome }:
 
 let
   version = "0.7.0";
@@ -14,6 +14,15 @@ stdenv.mkDerivation {
     sha256 = "1nalslgyglvhpva3px06fj6lv5zgfg0qmj0sbxyyl5d963vc02b7";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2016-20011.patch";
+      # https://gitlab.gnome.org/GNOME/libgrss/-/merge_requests/7, not yet merged!
+      url = "https://gitlab.gnome.org/GNOME/libgrss/-/commit/2c6ea642663e2a44efc8583fae7c54b7b98f72b3.patch";
+      sha256 = "1ijvq2jl97vphcvrbrqxvszdmv6yyjfygdca9vyaijpafwyzzb18";
+    })
+  ];
+
   nativeBuildInputs = [ pkg-config vala gobject-introspection gtk-doc docbook_xsl docbook_xml_dtd_412 ];
   buildInputs = [ glib libxml2 libsoup ];
 

pkgs/development/libraries/libslirp/default.nix

@@ -9,14 +9,14 @@
 
 stdenv.mkDerivation rec {
   pname = "libslirp";
-  version = "4.5.0";
+  version = "4.6.1";
 
   src = fetchFromGitLab {
     domain = "gitlab.freedesktop.org";
     owner = "slirp";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-UdKBED7xR0gDf3aj3+6I62CnAwGP7XxskaFzWeUUkkk=";
+    sha256 = "sha256-AM6NxO4hjFiUAzRYbXV3fe18xwCBmzdM63n93UOxjKw=";
   };
 
   nativeBuildInputs = [ meson ninja pkg-config ];

pkgs/os-specific/linux/kernel/linux-5.13.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.13.5";
+  version = "5.13.6";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,9 +13,8 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "0lqh7krxxnbrvr3w1kag92z9r4n9436fr6answjkjfbvw0z7q74m";
+    sha256 = "0xjjl8dmilp425b1cp977v26qxlg1147gh54kni949pzxwh1fb56";
   };
 
   kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_5_13 ];
 } // (args.argsOverride or { }))
-

pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh

@@ -4,6 +4,7 @@ if [ -x "@runtimeShell@" ]; then export SHELL="@runtimeShell@"; fi;
 
 set -e
 set -o pipefail
+shopt -s inherit_errexit
 
 export PATH=@path@:$PATH
 

pkgs/servers/varnish/6.2-6.3-CVE-2021-36740.patch

@@ -0,0 +1,132 @@
+An interpolation of https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf
+and https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be
+which applies to both 6.2 and 6.3
+
+diff --git a/bin/varnishd/http2/cache_http2.h b/bin/varnishd/http2/cache_http2.h
+index c377d03aac..205b96ccb7 100644
+--- a/bin/varnishd/http2/cache_http2.h
++++ b/bin/varnishd/http2/cache_http2.h
+@@ -131,6 +131,8 @@ struct h2_req {
+ 	/* Where to wake this stream up */
+ 	struct worker			*wrk;
+ 
++	ssize_t				reqbody_bytes;
++
+ 	VTAILQ_ENTRY(h2_req)		tx_list;
+ 	h2_error			error;
+ 
+diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c
+index cb35bb4873..98f5dc4f37 100644
+--- a/bin/varnishd/http2/cache_http2_proto.c
++++ b/bin/varnishd/http2/cache_http2_proto.c
+@@ -546,6 +546,7 @@ h2_end_headers(struct worker *wrk, struct h2_sess *h2,
+     struct req *req, struct h2_req *r2)
+ {
+ 	h2_error h2e;
++	ssize_t cl;
+ 
+ 	ASSERT_RXTHR(h2);
+ 	assert(r2->state == H2_S_OPEN);
+@@ -572,14 +572,24 @@ h2_end_headers(struct worker *wrk, struct h2_sess *h2,
+ 	// XXX: Have I mentioned H/2 Is hodge-podge ?
+ 	http_CollectHdrSep(req->http, H_Cookie, "; ");	// rfc7540,l,3114,3120
+ 
++	cl = http_GetContentLength(req->http);
++	assert(cl >= -2);
++	if (cl == -2) {
++		VSLb(h2->vsl, SLT_Debug, "Non-parseable Content-Length");
++		return (H2SE_PROTOCOL_ERROR);
++	}
++
+ 	if (req->req_body_status == REQ_BODY_INIT) {
+-		if (!http_GetHdr(req->http, H_Content_Length, NULL))
++		if (cl == -1)
+ 			req->req_body_status = REQ_BODY_WITHOUT_LEN;
+ 		else
+ 			req->req_body_status = REQ_BODY_WITH_LEN;
++		req->htc->content_length = cl;
+ 	} else {
++		/* A HEADER frame contained END_STREAM */
+ 		assert (req->req_body_status == REQ_BODY_NONE);
+-		if (http_GetContentLength(req->http) > 0)
++		r2->state = H2_S_CLOS_REM;
++		if (cl > 0)
+ 			return (H2CE_PROTOCOL_ERROR); //rfc7540,l,1838,1840
+ 	}
+ 
+@@ -736,6 +746,7 @@ h2_rx_data(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
+ 	int w1 = 0, w2 = 0;
+ 	char buf[4];
+ 	unsigned wi;
++	ssize_t cl;
+ 
+ 	CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
+ 	ASSERT_RXTHR(h2);
+@@ -754,6 +765,23 @@ h2_rx_data(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
+ 	}
+ 	Lck_Lock(&h2->sess->mtx);
+ 	while (h2->mailcall != NULL && h2->error == 0 && r2->error == 0)
+ 		AZ(Lck_CondWait(h2->cond, &h2->sess->mtx, 0));
++
++	r2->reqbody_bytes += h2->rxf_len;
++	if (h2->rxf_flags & H2FF_DATA_END_STREAM)
++		r2->state = H2_S_CLOS_REM;
++	cl = r2->req->htc->content_length;
++	if (cl >= 0 && (r2->reqbody_bytes > cl ||
++	      (r2->state >= H2_S_CLOS_REM && r2->reqbody_bytes != cl))) {
++		VSLb(h2->vsl, SLT_Debug,
++		    "H2: stream %u: Received data and Content-Length"
++		    " mismatch", h2->rxf_stream);
++		r2->error = H2SE_PROTOCOL_ERROR; // rfc7540,l,3150,3163
++		if (r2->cond)
++			AZ(pthread_cond_signal(r2->cond));
++		Lck_Unlock(&h2->sess->mtx);
++		return (H2SE_PROTOCOL_ERROR);
++	}
++
+ 	AZ(h2->mailcall);
+ 	h2->mailcall = r2;
+ 	h2->req0->r_window -= h2->rxf_len;
+@@ -772,6 +800,8 @@ h2_rx_data(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
+ 		r2->r_window += wi;
+ 		w2 = 1;
+ 	}
++
++
+ 	Lck_Unlock(&h2->sess->mtx);
+ 
+ 	if (w1 || w2) {
+@@ -794,7 +824,7 @@ h2_vfp_body(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, ssize_t *lp)
+ 	struct h2_req *r2;
+ 	struct h2_sess *h2;
+ 	unsigned l;
+-	enum vfp_status retval = VFP_OK;
++	enum vfp_status retval;
+ 
+ 	CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC);
+ 	CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC);
+@@ -807,7 +837,6 @@ h2_vfp_body(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, ssize_t *lp)
+ 	*lp = 0;
+ 
+ 	Lck_Lock(&h2->sess->mtx);
+-	assert (r2->state == H2_S_OPEN);
+ 	r2->cond = &vc->wrk->cond;
+ 	while (h2->mailcall != r2 && h2->error == 0 && r2->error == 0)
+ 		AZ(Lck_CondWait(r2->cond, &h2->sess->mtx, 0));
+@@ -830,12 +859,10 @@ h2_vfp_body(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, ssize_t *lp)
+ 			Lck_Unlock(&h2->sess->mtx);
+ 			return (VFP_OK);
+ 		}
+-		if (h2->rxf_len == 0) {
+-			if (h2->rxf_flags & H2FF_DATA_END_STREAM) {
+-				retval = VFP_END;
+-				r2->state = H2_S_CLOS_REM;
+-			}
+-		}
++		if (h2->rxf_len == 0 && r2->state >= H2_S_CLOS_REM)
++			retval = VFP_END;
++		else
++			retval = VFP_OK;
+ 		h2->mailcall = NULL;
+ 		AZ(pthread_cond_signal(h2->cond));
+ 	}

pkgs/servers/varnish/default.nix

@@ -2,7 +2,7 @@
 , python3, makeWrapper }:
 
 let
-  common = { version, sha256, extraNativeBuildInputs ? [] }:
+  common = { version, sha256, extraNativeBuildInputs ? [], extraPatches ? [] }:
     stdenv.mkDerivation rec {
       pname = "varnish";
       inherit version;
@@ -12,6 +12,8 @@ let
         inherit sha256;
       };
 
+      patches = extraPatches;
+
       passthru.python = python3;
 
       nativeBuildInputs = with python3.pkgs; [ pkg-config docutils sphinx ];
@@ -41,15 +43,21 @@ let
 in
 {
   varnish60 = common {
-    version = "6.0.7";
+    version = "6.0.8";
-    sha256 = "0njs6xpc30nc4chjdm4d4g63bigbxhi4dc46f4az3qcz51r8zl2a";
+    sha256 = "1zk83hfxgjq1d0n4zx86q3f05y9f2zc6a1miz1zcvfa052q4bljx";
   };
   varnish62 = common {
     version = "6.2.3";
     sha256 = "02b6pqh5j1d4n362n42q42bfjzjrngd6x49b13q7wzsy6igd1jsy";
+    extraPatches = [
+      ./6.2-6.3-CVE-2021-36740.patch
+    ];
   };
   varnish63 = common {
     version = "6.3.2";
     sha256 = "1f5ahzdh3am6fij5jhiybv3knwl11rhc5r3ig1ybzw55ai7788q8";
+    extraPatches = [
+      ./6.2-6.3-CVE-2021-36740.patch
+    ];
   };
 }

pkgs/tools/graphics/exif/default.nix

@@ -1,4 +1,13 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, libexif, popt, libintl }:
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, autoreconfHook
+, pkg-config
+, libexif
+, popt
+, libintl
+}:
 
 stdenv.mkDerivation rec {
   pname = "exif";
@@ -11,6 +20,19 @@ stdenv.mkDerivation rec {
     sha256 = "1xlb1gdwxm3rmw7vlrynhvjp9dkwmvw23mxisdbdmma7ah2nda3i";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2021-27815.part-1.patch";
+      url = "https://github.com/libexif/exif/commit/f6334d9d32437ef13dc902f0a88a2be0063d9d1c.patch";
+      sha256 = "0mfx7l8w3w1c2mn5h5d6s7gdfyd91wnml8v0f19v5sdn70hx5aa4";
+    })
+    (fetchpatch {
+      name = "CVE-2021-27815.part-2.patch";
+      url = "https://github.com/libexif/exif/commit/eb84b0e3c5f2a86013b6fcfb800d187896a648fa.patch";
+      sha256 = "11lyvy20maisiyhxgxvm85v5l5ba7p0bpd4m0g4ryli32mrwwy0l";
+    })
+  ];
+
   nativeBuildInputs = [ autoreconfHook pkg-config ];
   buildInputs = [ libexif popt libintl ];