From cd0289a100b55ff0bb04bd43ec4fc525b7c6cf0d Mon Sep 17 00:00:00 2001
From: Arian van Putten
Date: Thu, 13 Jul 2023 12:32:43 +0200
Subject: [PATCH 1/6] systemd: 253.5 -> 253.6
Allows us to drop a patch Also fixes systemd-repart being able to run in nix-build
(cherry picked from commit 9b0ac38252ba7988339371c5fe4f1be8ffdf97d1)
---
 pkgs/os-specific/linux/systemd/default.nix | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index ab64c9f9c4837..6fdbd899b9ee2 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -145,7 +145,7 @@ assert withUkify -> withEfi;
 let
 wantCurl = withRemote || withImportd;
 wantGcrypt = withResolved || withImportd;
- version = "253.5";
+ version = "253.6";
 # Bump this variable on every (major) version change. See below (in the meson options list) for why.
 # command:
@@ -162,7 +162,7 @@ stdenv.mkDerivation (finalAttrs: {
 owner = "systemd";
 repo = "systemd-stable";
 rev = "v${version}";
- hash = "sha256-B3A9AvpfZ8SYsiZvHnWO4RHs1/6EdczWF2NmrSqxQ7c=";
+ hash = "sha256-LZs6QuBe23W643bTuz+MD2pzHiapsBJBHoFXi/QjzG4=";
 };
 # On major changes, or when otherwise required, you *must* reformat the patches,
@@ -190,13 +190,6 @@ stdenv.mkDerivation (finalAttrs: {
 ./0017-core-don-t-taint-on-unmerged-usr.patch
 ./0018-tpm2_context_init-fix-driver-name-checking.patch
 ./0019-bootctl-also-print-efi-files-not-owned-by-systemd-in.patch
-
- # https://github.com/systemd/systemd/pull/28000
- (fetchpatch {
- name = "fix-service-exit";
- url = "https://github.com/systemd/systemd/commit/5f7f82ba625ee48d662c1f0286f44b8b0918d05d.patch";
- sha256 = "sha256-pFRXpZjeVl5ZG/mOjHEuMg9zXq4Orwvdp+/LYTbR09I=";
- })
 ] ++ lib.optional stdenv.hostPlatform.isMusl (
 let
 oe-core = fetchzip {
From 1a46b9a6ee77daa30144e7d8167fee514161086e Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Sat, 15 Jul 2023 03:31:42 +0200
Subject: [PATCH 2/6] openssl_3: apply patch for CVE-2023-2975
https://www.openssl.org/news/secadv/20230714.txt
(cherry picked from commit 5566720c28a1f039878162ab542d55c5bb3078c3)
---
 .../libraries/openssl/3.0/CVE-2023-2975.patch | 54 +++++++++++++++++++
 .../development/libraries/openssl/default.nix | 3 ++
 2 files changed, 57 insertions(+)
 create mode 100644 pkgs/development/libraries/openssl/3.0/CVE-2023-2975.patch
diff --git a/pkgs/development/libraries/openssl/3.0/CVE-2023-2975.patch b/pkgs/development/libraries/openssl/3.0/CVE-2023-2975.patch
new file mode 100644
index 0000000000000..d1622977b64dc
--- /dev/null
+++ b/pkgs/development/libraries/openssl/3.0/CVE-2023-2975.patch
@@ -0,0 +1,54 @@
+From 6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Tue, 4 Jul 2023 17:30:35 +0200
+Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode
+
+The AES-SIV mode allows for multiple associated data items
+authenticated separately with any of these being 0 length.
+
+The provided implementation ignores such empty associated data
+which is incorrect in regards to the RFC 5297 and is also
+a security issue because such empty associated data then become
+unauthenticated if an application expects to authenticate them.
+
+Fixes CVE-2023-2975
+
+Reviewed-by: Matt Caswell
+Reviewed-by: Paul Dale
+(Merged from https://github.com/openssl/openssl/pull/21384)
+
+(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9)
+---
+ .../implementations/ciphers/cipher_aes_siv.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c
+index 45010b90db2a..b396c8651a32 100644
+--- a/providers/implementations/ciphers/cipher_aes_siv.c
++++ b/providers/implementations/ciphers/cipher_aes_siv.c
+@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl,
+ if (!ossl_prov_is_running())
+ return 0;
+
+- if (inl == 0) {
+- *outl = 0;
+- return 1;
+- }
++ /* Ignore just empty encryption/decryption call and not AAD. */
++ if (out != NULL) {
++ if (inl == 0) {
++ if (outl != NULL)
++ *outl = 0;
++ return 1;
++ }
+
+- if (outsize < inl) {
+- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+- return 0;
++ if (outsize < inl) {
++ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
++ return 0;
++ }
+ }
+
+ if (ctx->hw->cipher(ctx, out, in, inl) <= 0)
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index 548b5ee1f2c6a..1ab55e5fcaf5f 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -251,6 +251,9 @@ in {
 # This patch disables build-time detection.
 ./3.0/openssl-disable-kernel-detection.patch
+ # https://www.openssl.org/news/secadv/20230714.txt
+ ./3.0/CVE-2023-2975.patch
+
 (if stdenv.hostPlatform.isDarwin
 then ./use-etc-ssl-certs-darwin.patch
 else ./use-etc-ssl-certs.patch)
From eddee0fbde7722dc4e102ccfce36b4e14ff06d9e Mon Sep 17 00:00:00 2001
From: Yaya
Date: Thu, 20 Jul 2023 10:37:46 +0000
Subject: [PATCH 3/6] curl: apply patch for CVE-2023-32001
https://curl.se/docs/CVE-2023-32001.html
---
 .../networking/curl/CVE-2023-32001.patch | 34 +++++++++++++++++++
 pkgs/tools/networking/curl/default.nix | 3 ++
 2 files changed, 37 insertions(+)
 create mode 100644 pkgs/tools/networking/curl/CVE-2023-32001.patch
diff --git a/pkgs/tools/networking/curl/CVE-2023-32001.patch b/pkgs/tools/networking/curl/CVE-2023-32001.patch
new file mode 100644
index 0000000000000..2c4ebe528d313
--- /dev/null
+++ b/pkgs/tools/networking/curl/CVE-2023-32001.patch
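Review bot: The new `./3.0/CVE-2023-2975.patch` entry is documented only by the advisory URL, with nothing saying when it can be dropped, and it sits in the unconditional 3.0 patch list, so the next upstream bump that already carries the fix will fail to apply it unless someone remembers to remove it. Suggest extending the comment to `# https://www.openssl.org/news/secadv/20230714.txt — drop on the next openssl 3.0 series update that includes this fix`. The vendored patch is the upstream backport (its own header says it was cherry picked from c426c281cfc23ab182f7d7d7a35229e7db1494d9), which is what to cite if anyone needs to re-verify its contents against upstream. The `patches = [` list this hunk edits starts outside the hunk.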
@@ -0,0 +1,34 @@
+From 0c667188e0c6cda615a036b8a2b4125f2c404dde Mon Sep 17 00:00:00 2001
+From: SaltyMilk
+Date: Mon, 10 Jul 2023 21:43:28 +0200
+Subject: [PATCH] fopen: optimize
+
+Closes #11419
+---
+ lib/fopen.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/lib/fopen.c b/lib/fopen.c
+index c9c9e3d6e73a2..b6e3cadddef65 100644
+--- a/lib/fopen.c
++++ b/lib/fopen.c
+@@ -56,13 +56,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+ int fd = -1;
+ *tempname = NULL;
+
+- if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
+- /* a non-regular file, fallback to direct fopen() */
+- *fh = fopen(filename, FOPEN_WRITETEXT);
+- if(*fh)
+- return CURLE_OK;
++ *fh = fopen(filename, FOPEN_WRITETEXT);
++ if(!*fh)
+ goto fail;
+- }
++ if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode))
++ return CURLE_OK;
++ fclose(*fh);
++ *fh = NULL;
+
+ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
+ if(result)
diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix
index 5ff2aef0b8339..d1d80037b5e1d 100644
--- a/pkgs/tools/networking/curl/default.nix
+++ b/pkgs/tools/networking/curl/default.nix
@@ -59,6 +59,9 @@ stdenv.mkDerivation (finalAttrs: {
 patches = [
 ./7.79.1-darwin-no-systemconfiguration.patch
+
+ # Affected versions: 7.84.0 to and including 8.1.2
+ ./CVE-2023-32001.patch
 ];
 outputs = [ "bin" "dev" "out" "man" "devdoc" ];
From 63735c2eccddb637e7aaf3f04f94e4c540609c11 Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich
Date: Wed, 19 Jul 2023 08:49:00 +0100
Subject: [PATCH 4/6] gnutar: 1.34 -> 1.35
Changes: https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html
(cherry picked from commit 19fdb7d4e8a437922eb19ef1b7769399f7981740)
---
 pkgs/tools/archivers/gnutar/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
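Review bot: The comment above `./CVE-2023-32001.patch` in curl's default.nix gives only the affected range (7.84.0 to 8.1.2), and the vendored patch's own subject reads `fopen: optimize`, so nothing in the package file tells a reader what the patch fixes or when it can be dropped. Suggest adding `# https://curl.se/docs/CVE-2023-32001.html` (the advisory cited in the commit message) on the line above the existing comment, matching how the openssl entry earlier in this series is annotated, plus `# Drop on the next upstream bump past the affected range`. For context, the vendored hunk replaces a `stat(filename)` check followed by `fopen()` with `fopen()` followed by `fstat(fileno(*fh))`, so the regular-file test now runs on the descriptor that was actually opened rather than on the path, which appears to be the point of the fix; whether `patches` is overridden anywhere else cannot be seen from here. The enclosing `mkDerivation` attribute set continues outside the hunk.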
diff --git a/pkgs/tools/archivers/gnutar/default.nix b/pkgs/tools/archivers/gnutar/default.nix
index 9be1ea7f4d440..738680a552a0d 100644
--- a/pkgs/tools/archivers/gnutar/default.nix
+++ b/pkgs/tools/archivers/gnutar/default.nix
@@ -7,11 +7,11 @@ stdenv.mkDerivation rec {
 pname = "gnutar";
- version = "1.34";
+ version = "1.35";
 src = fetchurl {
 url = "mirror://gnu/tar/tar-${version}.tar.xz";
- sha256 = "sha256-Y769JoecXh7qQ1Lw0DyZH5Zq6z3es8dEXJAlaNVBHSg=";
+ sha256 = "sha256-TWL/NzQux67XSFNTI5MMfPlKz3HDWRiCsmp+pQ8+3BY=";
 };
 # avoid retaining reference to CF during stdenv bootstrap
From 34d8335836ceea14d898446bfc019b3356aa852f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Sat, 22 Jul 2023 19:25:49 +0200
Subject: [PATCH 5/6] python310Packages.aiohttp: 3.8.4 -> 3.8.5
Changelog: https://github.com/aio-libs/aiohttp/blob/v3.8.5/CHANGES.rst
(cherry-picked from f56fdf43e464 from PR #244527 with minor amendment)
---
 .../python-modules/aiohttp/default.nix | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)
diff --git a/pkgs/development/python-modules/aiohttp/default.nix b/pkgs/development/python-modules/aiohttp/default.nix
index 75449c9f625c4..e64648eb402d4 100644
--- a/pkgs/development/python-modules/aiohttp/default.nix
+++ b/pkgs/development/python-modules/aiohttp/default.nix
@@ -2,7 +2,6 @@
 , stdenv
 , buildPythonPackage
 , fetchPypi
-, fetchpatch
 , pythonOlder
 # build_requires
 , setuptools
@@ -32,29 +31,18 @@ buildPythonPackage rec {
 pname = "aiohttp";
- version = "3.8.4";
+ version = "3.8.5";
 format = "pyproject";
 disabled = pythonOlder "3.6";
 src = fetchPypi {
 inherit pname version;
- hash = "sha256-vy4akWLB5EG/gFof0WbiSdV0ygTgOzT5fikodp6Rq1w=";
+ hash = "sha256-uVUuxSzBR9vxlErHrJivdgLlHqLc0HbtGUyjwNHH0Lw=";
 };
- patches = [
- (fetchpatch {
- # https://github.com/aio-libs/aiohttp/pull/7178
- url = "https://github.com/aio-libs/aiohttp/commit/5718879cdb6a98bf48810a994b78bc02abaf3e07.patch";
- hash = "sha256-4UynkTZOzWzusQ2+MPZszhFA8I/PJNLeT/hHF/fASy8=";
- })
- ];
-
 postPatch = ''
 sed -i '/--cov/d' setup.cfg
-
- substituteInPlace setup.cfg \ --replace "charset-normalizer >=2.0, < 3.0" "charset-normalizer >=2.0, < 4.0"
 '';
 nativeBuildInputs = [
From b33410d726f979d23e23e0cf6892592f6635fdca Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich
Date: Sun, 23 Jul 2023 09:24:44 +0100
Subject: [PATCH 6/6] gnutar: pull missing `libintl` dependency on Darwin
Without the change `gnutar` fails the build as:
"_libintl_setlocale", referenced from:
_main in tar.o
"_libintl_textdomain", referenced from:
_main in tar.o
ld: symbol(s) not found for architecture x86_64
https://hydra.nixos.org/build/228724258/nixlog/2/tail
https://hydra.nixos.org/build/228711328/nixlog/2/tail
Picked from PR #244996
---
 pkgs/tools/archivers/gnutar/default.nix | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/pkgs/tools/archivers/gnutar/default.nix b/pkgs/tools/archivers/gnutar/default.nix
index 738680a552a0d..331d977147b2f 100644
--- a/pkgs/tools/archivers/gnutar/default.nix
+++ b/pkgs/tools/archivers/gnutar/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, autoreconfHook, acl }:
+{ lib, stdenv, fetchurl, autoreconfHook, acl, libintl }:
 # Note: this package is used for bootstrapping fetchurl, and thus
 # cannot use fetchpatch! All mutable patches (generated by GitHub or
@@ -31,7 +31,12 @@ stdenv.mkDerivation rec {
 outputs = [ "out" "info" ];
 nativeBuildInputs = lib.optional stdenv.isDarwin autoreconfHook;
- buildInputs = lib.optional stdenv.isLinux acl;
+ # Add libintl on Darwin specifically as it fails to link (or skip)
+ # NLS on it's own:
+ # "_libintl_textdomain", referenced from:
+ # _main in tar.o
+ # ld: symbol(s) not found for architecture x86_64
+ buildInputs = lib.optional stdenv.isLinux acl ++ lib.optional stdenv.isDarwin libintl;
 # May have some issues with root compilation because the bootstrap tool
 # cannot be used as a login shell for now.
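Review bot: The comment added above `buildInputs` has `on it's own` where `on its own` is meant, and it reproduces the linker output that the commit message already carries, so a one-line `# libintl: Darwin otherwise fails to link the NLS symbols (see commit message)` would convey the same thing. The file header shown in this patch's first hunk says the package is used for bootstrapping fetchurl, so the new Darwin-only `libintl` input is worth checking against the Darwin stdenv bootstrap for a dependency cycle; that cannot be confirmed from the hunk. The `++` groups as `(lib.optional stdenv.isLinux acl) ++ (lib.optional stdenv.isDarwin libintl)` because function application binds tighter than `++` in Nix, which matches the intent. The `stdenv.mkDerivation rec {` attribute set this hunk edits starts and ends outside the hunk.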