Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[19.09] Revert 1.1.1e update and apply CVE-2019-1551 patch #82928

Closed
wants to merge 2 commits into from
Closed

[19.09] Revert 1.1.1e update and apply CVE-2019-1551 patch #82928

wants to merge 2 commits into from

Conversation

KamilaBorowska
Copy link
Member

@KamilaBorowska KamilaBorowska commented Mar 19, 2020
edited
Loading

Motivation for this change

openssl 1.1.1e introduces breaking changes in its EOF handling. Applying only the security patch and nothing else to avoid risk of breakage.

Submitting to release-19.09 not staging-19.09, because it's broken anyway. Not submitting to other branches because I think the other branches should simply use 1.1.1e instead of bothering with patching process.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS (also built pyopenssl, but I'm not going to rebuild the whole world)
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@KamilaBorowska
Revert "openssl: 1.1.1d -> 1.1.1e"
49eed3a 
This reverts commit 41f1484.

openssl 1.1.1e introduces breaking changes in its EOF handling.
@KamilaBorowska
Copy link
Member Author

@GrahamcOfBorg build python3Packages.pyopenssl

@KamilaBorowska KamilaBorowska force-pushed the apply-cve-2019-1551-patch branch from de4ddcc to ea6f79c Compare March 19, 2020 09:18
@KamilaBorowska
openssl: apply CVE-2019-1551 patch
4e7cded 
Not upgrading to 1.1.1e because this version introduces
breaking changes, in particular changes the error on EOF.
@KamilaBorowska KamilaBorowska force-pushed the apply-cve-2019-1551-patch branch from ea6f79c to 4e7cded Compare March 19, 2020 09:18
@KamilaBorowska KamilaBorowska mentioned this pull request Mar 19, 2020
Merged
10 tasks
@ofborg ofborg bot added the 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild label Mar 19, 2020
@ofborg ofborg bot requested a review from peti March 19, 2020 09:29
@wamserma
Copy link
Member

@ckauhaus this should also get a security-label

@vcunat vcunat added the 1.severity: channel blocker Blocks a channel label Mar 20, 2020
@Mic92 Mic92 requested a review from andir March 20, 2020 10:39
@vcunat
Copy link
Member

vcunat commented Mar 21, 2020

I agree with this PR, except for tiny bits:

  • fetchurl is risky, as the hash may break at some later point, so I just copied the two small patches into nixpkgs repo
  • I used directly the commit hashes reachable from official release, not those in the upstream PR

(and I pushed that)

In any case, this CVE is rather low severity – upstream even didn't bother to release a new 1.1.1 for months after publishing a fix.

vcunat added a commit that referenced this pull request Mar 21, 2020
@vcunat
openssl(_1_1): patch CVE-2019-1551
2071e3b 
fetchpatch can't be used here and fetchurl from GitHub
like in PR #82928 has the risk of breaking the hash later;
fortunately the patches aren't too large.
@vcunat vcunat closed this Mar 21, 2020
@flokli flokli mentioned this pull request Apr 2, 2020
Merged
10 tasks
flokli pushed a commit to flokli/nixpkgs that referenced this pull request Apr 2, 2020
@vcunat @flokli
openssl(_1_1): patch CVE-2019-1551
5e24f4b 
fetchpatch can't be used here and fetchurl from GitHub
like in PR NixOS#82928 has the risk of breaking the hash later;
fortunately the patches aren't too large.

(cherry picked from commit 2071e3b)
@flokli flokli mentioned this pull request Apr 2, 2020
Merged
10 tasks
flokli pushed a commit to flokli/nixpkgs that referenced this pull request Apr 2, 2020
@vcunat @flokli
openssl(_1_1): patch CVE-2019-1551
e48a55d 
fetchpatch can't be used here and fetchurl from GitHub
like in PR NixOS#82928 has the risk of breaking the hash later;
fortunately the patches aren't too large.

(cherry picked from commit 2071e3b)
stigok pushed a commit to stigok/nixpkgs that referenced this pull request Jun 12, 2020
@vcunat @stigok
openssl(_1_1): patch CVE-2019-1551
d792db2 
fetchpatch can't be used here and fetchurl from GitHub
like in PR NixOS#82928 has the risk of breaking the hash later;
fortunately the patches aren't too large.

(cherry picked from commit 2071e3b)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@peti peti Awaiting requested review from peti

@andir andir Awaiting requested review from andir

Assignees
No one assigned
Labels
1.severity: channel blocker Blocks a channel 10.rebuild-darwin: 501+ 10.rebuild-darwin: 5001+ 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild 10.rebuild-linux: 501+ 10.rebuild-linux: 5001+
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@KamilaBorowska @wamserma @vcunat