This tool was initially built specifically for nixcloud to prevent a few
annoying programs from binding to IP sockets.
While initially only accepting a JSON file as input, the tool now has a
proper command line interface and it's also generally usable to turn IP
sockets of any program into Unix sockets.
Another thing that might be even useful for NixOS modules is the
possibility to bend programs into using systemd socket activation.
Signed-off-by: aszlig <aszlig@nix.build>
It's not included implicitly by the frameworks anymore.
Undefined symbols for architecture x86_64:
"_NSDefaultRunLoopMode", referenced from:
_QZ_PumpEvents in SDL_QuartzEvents.o
"_OBJC_CLASS_$_NSArray", referenced from:
objc-class-ref in SDL_QuartzEvents.o
"_OBJC_CLASS_$_NSDate", referenced from:
objc-class-ref in SDL_QuartzEvents.o
ld: symbol(s) not found for architecture x86_64
It's not included implicitly by the frameworks anymore.
Undefined symbols for architecture x86_64:
"_NSDefaultRunLoopMode", referenced from:
_Cocoa_PumpEvents in SDL_cocoaevents.o
"_NSURLIsAliasFileKey", referenced from:
-[SDLWindow performDragOperation:] in SDL_cocoawindow.o
"_OBJC_CLASS_$_NSArray", referenced from:
objc-class-ref in SDL_cocoaclipboard.o
objc-class-ref in SDL_cocoakeyboard.o
objc-class-ref in SDL_cocoawindow.o
"_OBJC_CLASS_$_NSData", referenced from:
objc-class-ref in SDL_cocoamouse.o
"_OBJC_CLASS_$_NSDate", referenced from:
objc-class-ref in SDL_cocoaevents.o
"_OBJC_CLASS_$_NSDictionary", referenced from:
objc-class-ref in SDL_cocoaevents.o
"_OBJC_CLASS_$_NSMutableArray", referenced from:
objc-class-ref in SDL_cocoawindow.o
"_OBJC_CLASS_$_NSURL", referenced from:
objc-class-ref in SDL_cocoawindow.o
"_OBJC_CLASS_$_NSUserDefaults", referenced from:
objc-class-ref in SDL_cocoaevents.o
"_OBJC_EHTYPE_$_NSException", referenced from:
GCC_except_table67 in SDL_cocoawindow.o
ld: symbol(s) not found for architecture x86_64
This reverts commit 6a0b1b13b6. Please don't null
out the entire package just because its build is broken at the moment. If you
want to prevent users from compiling cpython, then haskell.lib.markBroken (or,
even better: markBrokenVersion) are the way to do it.
Python 3.4 will receive its final patch release in March 2019 and there won't
be any releases anymore after that, so also not during NixOS 2019.03.
Python 3.4 is not used anymore in Nixpkgs. In any case, migrating code from
3.4 to 3.4+ is trivial.
Also reworked dependencies:
* blist and ujson are marked as no longer needed
* pytz has no mention throughout `git log -p` on synapse's repository
* systemd and affinity are optional (but turned on by default)
ee58a5b30d broke the plv8 build because it
upgraded the v8_6_x expression everywhere to the 6.9 branch, which came
with API changes. Notably, it seems plv8 only supports up to v8 6.4.x at
this time.
This keeps a copy of the plv8_6_x expression inside the same directory
as the other v8 versions (so patches, etc. are easy to apply), but it is
not exposed to the top-level of all-packages.nix.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
This reverts commit d1de23b8302d02d4699e884533906a3992f370b6.
The changes turned out to be too intrusive, so we'll patch instead.
Discussion: https://github.com/NixOS/systemd/pull/24
(cherry picked from commit 3dc0838450)
Forward-picking from staging-next. The CVE is marked as critical,
and the amount of rebuilds isn't that high (~500 linux, ~100 darwin).
The package is out-of-date and has no maintainer.
I don't own a chromebook device and therefore don't know
if a mainline kernel could be used instead.
cc @lheckemann @zohl
The package is out-of-date and has no maintainer.
It should now be possible to just use the mainline kernel.
Support for that could be added by copying the right dtb file in our linux_rpi kernel.
I do not have the hardware to test this.
cc @dezgeg @dhess
keyutils breaks with bionic. Since it's an optional dependency, it seems safe to just disable it with libkrb5 (which otherwise works fine with bionic libc).
Removes the old UI build tooling; it is no longer necessary
because as of 1.2.0 it's bundled into the server binary.
It doesn't even need to have JS built, because it's bundled into
the release commit's source tree (see #48714).
The UI is enabled by default, so the NixOS service is
updated to directly use `ui = webUi;` now.
Fixes #48714.
Fixes #44192.
Fixes #41243.
Fixes #35602.
Signed-off-by: Niklas Hambüchen <mail@nh2.me>
This update bumps the package to the latest stable version containing a
few security fixes:
- CVE-2018-12392: Crash with nested event loops
When manipulating user events in nested loops while opening a document
through script, it is possible to trigger a potentially exploitable
crash due to poor event handling.
- CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript
A potential vulnerability was found in 32-bit builds where an integer
overflow during the conversion of scripts to an internal UTF-16
representation could result in allocating a buffer too small for the
conversion. This leads to a possible out-of-bounds write.
Note: 64-bit builds are not vulnerable to this issue.
- CVE-2018-12395: WebExtension bypass of domain restrictions through header rewriting
By rewriting the Host request headers using the webRequest API, a
WebExtension can bypass domain restrictions through domain fronting.
This would allow access to domains that share a host that are
otherwise restricted.
- CVE-2018-12396: WebExtension content scripts can execute in disallowed contexts
A vulnerability where a WebExtension can run content scripts in
disallowed contexts following navigation or other events. This allows
for potential privilege escalation by the WebExtension on sites where
content scripts should not be run.
- CVE-2018-12397: Missing warning prompt when WebExtension requests local file access
A WebExtension can request access to local files without the warning
prompt stating that the extension will "Access your data for all
websites" being displayed to the user. This allows extensions to run
content scripts in local pages without permission warnings when a
local file is opened.
- CVE-2018-12389: Memory safety bugs fixed in Firefox ESR 60.3
Mozilla developers and community members Daniel Veditz and Philipp
reported memory safety bugs present in Firefox ESR 60.2. Some of these
bugs showed evidence of memory corruption and we presume that with
enough effort some of these could be exploited to run arbitrary
code.
- CVE-2018-12390: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
Mozilla developers and community members Christian Holler, Bob Owen,
Boris Zbarsky, Calixte Denizet, Jason Kratzer, Jed Davis, Taegeon Lee,
Philipp, Ronald Crane, Raul Gurzau, Gary Kwong, Tyson Smith, Raymond
Forbes, and Bogdan Tara reported memory safety bugs present in Firefox
62 and Firefox ESR 60.2. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these
could be exploited to run arbitrary code.
Source: https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/
* jq: 1.5 -> 1.6 (!!)
(last release was in 2015! :))
* jq: drop darwin patch, appears resolved by upgrade
commit history isn't that long, and has a few addressing
behavior on osx re:strptime-- and since this patch
doesn't apply it seems likely it's been resolved
but probably can be checked by any interested folks w/darwin.
I originally thought it would just be enough to just check for an INTERP
section in isExecutable, however this would mean that we don't detect
statically linked ELF files, which would break our recent improvement to
gracefully handle those.
In theory, we are only interested in ELF files that have an INTERP
section, so checking for INTERP would be enough. Unfortunately the
isExecutable function is already used outside of autoPatchelfHook, so we
can't easily get rid of it now, so let's actually strive for more
correctness and make isExecutable actually match ELF files that are
executable.
So what we're doing instead now is to check whether either the ELF type
is EXEC *or* we have an INTERP section and if one of them is true we
should have an ELF executable, even if it's statically linked.
Along the way I also set LANG=C for the invocations of readelf, just to
be sure we don't get locale-dependent output.
Tested this with the following command (which contains almost[1] all the
packages using autoPatchelfHook), checking whether we run into any
library-related errors:
nix-build -E 'with import ./. { config.allowUnfree = true; };
runCommand "test-executables" {
drvs = [
anydesk cups-kyodialog3 elasticsearch franz gurobi
masterpdfeditor oracle-instantclient powershell reaper
sourcetrail teamviewer unixODBCDrivers.msodbcsql17 virtlyst
vk-messenger wavebox zoom-us
];
} ("for i in $drvs; do for b in $i/bin/*; do " +
"[ -x \"$b\" ] && timeout 10 \"$b\" || :; done; done")
'
Apart from testing against library-related errors I also compared the
resulting store paths against the ones prior to this commit. Only
anydesk and virtlyst had the same as they didn't have self-references,
everything else differed only because of self-references, except
elasticsearch, which had the following PIE binaries:
* modules/x-pack/x-pack-ml/platform/linux-x86_64/bin/autoconfig
* modules/x-pack/x-pack-ml/platform/linux-x86_64/bin/autodetect
* modules/x-pack/x-pack-ml/platform/linux-x86_64/bin/categorize
* modules/x-pack/x-pack-ml/platform/linux-x86_64/bin/controller
* modules/x-pack/x-pack-ml/platform/linux-x86_64/bin/normalize
These binaries were now patched, which is what this commit is all about.
[1]: I didn't include the "maxx" package (MaXX Interactive Desktop)
because the upstream URLs no longer exist and I couldn't
find them elsewhere on the web.
Signed-off-by: aszlig <aszlig@nix.build>
Fixes: https://github.com/NixOS/nixpkgs/issues/48330
Cc: @gnidorah (for MaXX Interactive Desktop)
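The detection rule the commit above describes, as an added example that is not autoPatchelfHook's own code: an ELF file counts as executable when its e_type is ET_EXEC (static executables included) or when it carries a PT_INTERP program header (which is what makes PIE binaries, whose e_type is ET_DYN, match). Instead of shelling out to readelf with LANG=C, this parses the ELF header and program headers directly; it also handles ELF32 and big-endian images, which the commit does not need. The build_elf64 helper constructs minimal fixture images for the demonstration; they are not real binaries.

```python
"""Classify ELF images the way the commit describes: ET_EXEC *or* PT_INTERP
means "executable", which catches static executables and PIE binaries alike
while leaving plain shared libraries out.  Parses headers directly rather
than invoking readelf.  Added example, not autoPatchelfHook's code."""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3


def _parse_header(data):
    """Return (endian, e_type, e_phoff, e_phentsize, e_phnum) or None."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    endian = {ELFDATA2LSB: "<", ELFDATA2MSB: ">"}.get(ei_data)
    if endian is None:
        return None
    # Fields after e_ident: e_type e_machine e_version e_entry e_phoff
    # e_shoff e_flags e_ehsize e_phentsize e_phnum (word size differs per class).
    if ei_class == ELFCLASS64:
        fmt = endian + "HHIQQQIHHH"
    elif ei_class == ELFCLASS32:
        fmt = endian + "HHIIIIIHHH"
    else:
        return None
    size = struct.calcsize(fmt)
    if len(data) < 16 + size:
        return None
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack(
        fmt, data[16:16 + size])
    return endian, e_type, e_phoff, e_phentsize, e_phnum


def has_interp(data):
    """True if any program header has p_type == PT_INTERP (dynamic loader set)."""
    parsed = _parse_header(data)
    if parsed is None:
        return False
    endian, _, e_phoff, e_phentsize, e_phnum = parsed
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break  # truncated table: treat as no interpreter
        (p_type,) = struct.unpack(endian + "I", data[off:off + 4])
        if p_type == PT_INTERP:
            return True
    return False


def is_elf_executable(data):
    """The rule from the commit: ELF type EXEC *or* an INTERP entry."""
    parsed = _parse_header(data)
    if parsed is None:
        return False
    return parsed[1] == ET_EXEC or has_interp(data)


def build_elf64(e_type, phdr_types):
    """Constructed little-endian ELF64 fixture: header plus empty phdrs."""
    ehsize, phentsize = 64, 56
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    hdr = e_ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, ehsize,
                                0, 0, ehsize, phentsize, len(phdr_types),
                                64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 0)
                     for t in phdr_types)
    return hdr + phdrs


if __name__ == "__main__":
    samples = {
        "static exec": build_elf64(ET_EXEC, [PT_LOAD]),
        "dynamic exec": build_elf64(ET_EXEC, [PT_INTERP, PT_LOAD]),
        "PIE": build_elf64(ET_DYN, [PT_LOAD, PT_INTERP]),
        "shared lib": build_elf64(ET_DYN, [PT_LOAD, PT_DYNAMIC]),
        "shell script": b"#!/bin/sh\nexit 0\n",
    }
    for name, img in samples.items():
        print(f"{name:13s} executable={is_elf_executable(img)}")
```

Checking only for INTERP, as the commit first considered, would return False for the "static exec" case; checking only ET_EXEC would miss the PIE case, which is exactly the elasticsearch x-pack binaries the commit mentions.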
SSRF in Kubernetes integration
The GitLab Kubernetes integration was vulnerable to an SSRF issue which could allow an attacker to make requests to access any internal URLs. The issue is now mitigated in the latest release and is assigned CVE-2018-18843.