7 changes: 7 additions & 0 deletions pkgs/development/libraries/libplist/default.nix
Expand Up @@ -28,5 +28,12 @@ in stdenv.mkDerivation rec {
homepage = https://github.com/JonathanBeck/libplist;
platforms = stdenv.lib.platforms.all;
maintainers = [ stdenv.lib.maintainers.urkud ];
knownVulnerabilities = [
"CVE-2017-5209: base64decode function in base64.c allows attackers to obtain sensitive information from process memory or cause a denial of service"
"CVE-2017-5545: attackers to obtain sensitive information from process memory or cause a denial of service"
"CVE-2017-5834: A heap-buffer overflow in parse_dict_node"
"CVE-2017-5835: A memory allocation error leading to DoS"
"CVE-2017-5836: A type inconsistency in bplist.c"
];
};
}
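Review bot: The `CVE-2017-5545` entry on the new line 30 is missing its subject — it reads `attackers to obtain sensitive information …` with no function or file named, unlike the four neighbouring entries. The advisory attributes this one to the `main` function in `plistutil.c` (please confirm against NVD before wording it), so something like `"CVE-2017-5545: main function in plistutil.c allows attackers to obtain sensitive information from process memory or cause a denial of service"` would read consistently. These strings are what `stdenv` prints to the user when it refuses to evaluate the package, so each should be self-explanatory on its own line.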
72 changes: 60 additions & 12 deletions pkgs/stdenv/generic/default.nix
Expand Up @@ -75,6 +75,14 @@ let
isUnfree (lib.lists.toList attrs.meta.license) &&
!allowUnfreePredicate attrs;

allowInsecureDefaultPredicate = x: builtins.elem x.name (config.permittedInsecurePackages or []);
allowInsecurePredicate = x: (config.allowUnfreePredicate or allowInsecureDefaultPredicate) x;

hasAllowedInsecure = attrs:
(attrs.meta.knownVulnerabilities or []) == [] ||
allowInsecurePredicate attrs ||
builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1";

showLicense = license: license.shortName or "unknown";

defaultNativeBuildInputs = extraBuildInputs ++
Expand Down Expand Up @@ -137,24 +145,62 @@ let
builtins.unsafeGetAttrPos "name" attrs;
pos'' = if pos' != null then "‘" + pos'.file + ":" + toString pos'.line + "’" else "«unknown-file»";

throwEvalHelp = { reason, errormsg }:
# uppercase the first character of string s
let up = s: with lib;
(toUpper (substring 0 1 s)) + (substring 1 (stringLength s) s);
in
assert builtins.elem reason ["unfree" "broken" "blacklisted"];

throw ("Package ‘${attrs.name or "«name-missing»"}’ in ${pos''} ${errormsg}, refusing to evaluate."
+ (lib.strings.optionalString (reason != "blacklisted") ''

remediation = {
unfree = remediate_whitelist "Unfree";
broken = remediate_whitelist "Broken";
blacklisted = x: "";
insecure = remediate_insecure;
};
remediate_whitelist = allow_attr: attrs:
''
a) For `nixos-rebuild` you can set
{ nixpkgs.config.allow${up reason} = true; }
{ nixpkgs.config.allow${allow_attr} = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
{ allow${up reason} = true; }
{ allow${allow_attr} = true; }
to ~/.config/nixpkgs/config.nix.
''));
'';

remediate_insecure = attrs:
''

Known issues:

'' + (lib.fold (issue: default: "${default} - ${issue}\n") "" attrs.meta.knownVulnerabilities) + ''

You can install it anyway by whitelisting this package, using the
following methods:

a) for `nixos-rebuild` you can add ‘${attrs.name or "«name-missing»"}’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:

{
nixpkgs.config.permittedInsecurePackages = [
"${attrs.name or "«name-missing»"}"
];
}

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘${attrs.name or "«name-missing»"}’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:

{
permittedInsecurePackages = [
"${attrs.name or "«name-missing»"}"
];
}

'';


throwEvalHelp = { reason , errormsg ? "" }:
throw (''
Package ‘${attrs.name or "«name-missing»"}’ in ${pos''} ${errormsg}, refusing to evaluate.

'' + ((builtins.getAttr reason remediation) attrs));

# Check if a derivation is valid, that is whether it passes checks for
# e.g brokenness or license.
Expand All @@ -171,6 +217,8 @@ let
{ valid = false; reason = "broken"; errormsg = "is marked as broken"; }
else if !allowBroken && attrs.meta.platforms or null != null && !lib.lists.elem result.system attrs.meta.platforms then
{ valid = false; reason = "broken"; errormsg = "is not supported on ‘${result.system}’"; }
else if !(hasAllowedInsecure attrs) then
{ valid = false; reason = "insecure"; errormsg = "is marked as insecure"; }
else { valid = true; };

outputs' =
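Review bot: `allowInsecurePredicate` on the new line 44 reads `config.allowUnfreePredicate`, so a user-supplied unfree predicate (commonly `allowUnfreePredicate = pkg: true`) silently whitelists every package carrying `meta.knownVulnerabilities`, while a `config.allowInsecurePredicate` setting is never consulted; it should be `allowInsecurePredicate = x: (config.allowInsecurePredicate or allowInsecureDefaultPredicate) x;`. A second, cosmetic point in `remediate_insecure`: `lib.fold` is a right fold in nixpkgs as far as I can tell, so the issues come out in reverse of their declaration order — `lib.concatMapStrings (issue: " - ${issue}\n") attrs.meta.knownVulnerabilities` keeps the order and drops the accumulator. The `NIXPKGS_ALLOW_INSECURE` environment override and the `x.name`-keyed whitelist (which, since `name` carries the version, scopes an exception to a single release) deserve a comment above `hasAllowedInsecure`, e.g. `# Packages with meta.knownVulnerabilities are refused unless whitelisted by exact name (including version) in permittedInsecurePackages or NIXPKGS_ALLOW_INSECURE=1 is set`. The `let` binding that holds these helpers begins before the hunk.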