ghostscript: 10.01.1 -> 10.01.2 #243316

Merged: SuperSandro2000 merged 1 commit into NixOS:staging from jpotier:master on Jul 14, 2023

@jpotier
Contributor

@jpotier jpotier commented Jul 13, 2023

Minor update to counter CVE-2023-36664

Closes #243250

Description of changes
Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@jpotier
Contributor Author

jpotier commented Jul 13, 2023

I have really done the bare minimum here, i.e. update the version number and the hash, and tested the build locally. I understand this may cause a lot of changes around nixpkgs. Should this PR target staging instead of master?

About testing, what else can I do to help show it's not breaking everything?

@jpotier requested review from apfelkuchen6 and risicle July 13, 2023 18:32
@ofborg bot requested a review from viric July 13, 2023 18:51
@ofborg bot added labels Jul 13, 2023:
  • 10.rebuild-darwin: 501+ (This PR causes many rebuilds on Darwin and should normally target the staging branches.)
  • 10.rebuild-darwin: 1001-2500 (This PR causes many rebuilds on Darwin and should most likely target the staging branches.)
  • 10.rebuild-linux: 501+ (This PR causes many rebuilds on Linux and should normally target the staging branches.)
  • 10.rebuild-linux: 2501-5000 (This PR causes many rebuilds on Linux and should target the staging branches.)

@SuperSandro2000
Member

This PR rebuilds a lot of packages which means we must target staging. Please follow the contributing guide to not potentially ping a lot of people.

@jpotier changed the base branch from master to staging July 13, 2023 20:59

@jpotier
Contributor Author

jpotier commented Jul 13, 2023

There, did a rebase "on the merge base between the current and target branch" (master and staging). I checked with the "new PR UI thingy" from github, from my branch to staging, and it showed only one change, so I think this is good?

@jpotier assigned jpotier and unassigned jpotier Jul 13, 2023
@jpotier added the label "1.severity: security" (Issues which raise a security issue, or PRs that fix one) Jul 13, 2023

@risicle
Contributor

risicle commented Jul 13, 2023

Please fix the typo in the commit message

@risicle changed the title from "ghostcript: 10.01.1 -> 10.01.2" to "ghostscript: 10.01.1 -> 10.01.2" Jul 13, 2023

@haslersn
Contributor

CVE-2023-36664 is a critical security vulnerability, so this update needs to be merged and backported ASAP.

@SuperSandro2000 merged commit a485416 into NixOS:staging Jul 14, 2023

@github-actions
Contributor

Backport failed for staging-23.05, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally.

git fetch origin staging-23.05
git worktree add -d .worktree/backport-243316-to-staging-23.05 origin/staging-23.05
cd .worktree/backport-243316-to-staging-23.05
git checkout -b backport-243316-to-staging-23.05
ancref=$(git merge-base 3020304ac52f07e3d314e3a339fc73cc94079b7c cd5749c5b05da7cf1b7053391e8918eaa26a9079)
git cherry-pick -x $ancref..cd5749c5b05da7cf1b7053391e8918eaa26a9079

@jpotier
Contributor Author

jpotier commented Jul 14, 2023

A bit confused with the procedure to manually create a backport to 23.05. The docs assume the change is merged to master but in this case it went to staging. Any special considerations to take into account? Or can I simply follow the steps replacing master by staging?

@kirillrdy
Member

@jpotier since it's just 1 commit you can check out staging-23.05, apply your commit and create a PR that targets staging-23.05

@jpotier
Contributor Author

jpotier commented Jul 15, 2023

Is it my responsibility to merge this to staging-next, and then master after some time? From [image] (https://nixos.org/manual/nixpkgs/unstable/#submitting-changes-branches)

I can see that the process is manual. And if not me, then who does it?

@kirillrdy
Member

> Is it my responsibility to merge this to staging-next, and then master after some time? From [image] (https://nixos.org/manual/nixpkgs/unstable/#submitting-changes-branches)
>
> I can see that the process is manual. And if not me, then who does it?

your PR is merged into staging

at some point staging will be branched off into staging-next
staging-next once it passes review will be merged into master

current staging-next run is #241951

that will be merged into master at some point

long story short, you don't need to do anything

@kirillrdy
Member

sorry I didn't answer your most important question

> I can see that the process is manual. And if not me, then who does it?

I personally don't know the specific procedure, hopefully someone who knows can link to the correct documents/links

in my observations, several people have done it, e.g. @mweinelt @vcunat

@vcunat
Member

vcunat commented Jul 15, 2023

Mostly I am coordinating it, in the past few years.

vcunat added a commit that referenced this pull request Jul 15, 2023
..into staging-next.  This is a topologically earlier re-merge,
as it seems fairly important security fix and not that huge rebuild.
@jpotier
Contributor Author

jpotier commented Jul 15, 2023

Cheers! Thanks for all the hard work

@vcunat
Member

vcunat commented Jul 15, 2023

Likewise 🙂

Development

Successfully merging this pull request may close these issues.

CVE-2023-36664 affecting Ghostscript before version 10.01.2

6 participants