#nixos-security on 2020-05-06

2019-04-23 19:29 gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh

02:23 KeiraT has quit [Ping timeout: 240 seconds]

02:23 ajs124 has quit [Quit: killed]

02:24 ajs124 has joined #nixos-security

02:26 KeiraT has joined #nixos-security

02:40 hmpffff_ has joined #nixos-security

02:44 hmpffff has quit [Ping timeout: 256 seconds]

04:20 anselmolsm has quit [Quit: Konversation terminated!]

04:59 kleisli has quit [Remote host closed the connection]

05:00 kleisli has joined #nixos-security

09:52 {`-`} has joined #nixos-security

12:28 tilpner has quit [Quit: tilpner]

12:50 hexa- has quit [Quit: WeeChat 2.7.1]

12:52 hexa- has joined #nixos-security

15:36 anselmolsm has joined #nixos-security

15:39 hmpffff_ has quit [Read error: Connection reset by peer]

15:40 <andi-> I would +1 on renamning them

15:40 hmpffff has joined #nixos-security

15:40 <andi-> keep the old name put add a suffix or prefix for the CVE number

15:45 justanotheruser has quit [Ping timeout: 272 seconds]

16:00 justanotheruser has joined #nixos-security

16:09 <hexa-> so 10_fix_buffer_overflow_wordole_c.patch => CVE-2014-8123_fix_buffer_overflow_wordole_c.patch

16:09 <hexa-> or just CVE-2014-8123.patch

16:13 <hexa-> debian has it like this ^

16:21 <andi-> I usually like to keep some reference to the original change that we are picking. If the .patch file doesn't contain commit messages etc.. we should at least keep the file name somewhat similar to what the original source did.

16:22 <andi-> It is no fun to figure out which of the 25 patches we apply overlaps with those 26 patches upstream uses for that one CVE if they are all named differently :)

16:41 <hexa-> renamed: 10_fix_buffer_overflow_wordole_c.patch -> CVE-2014-8123_add_check_for_buffer_overflow_with_malformed_input_files.patch

16:41 <hexa-> Description: Add check for buffer overflow with malformed input files

16:41 <hexa-> would that be too long?

16:43 <hexa-> renamed: 10_fix_buffer_overflow_wordole_c.patch -> CVE-2014-8123_fix_buffer_overflow_wordole_c.patch

16:43 <hexa-> probably better like this

16:59 <hexa-> andi-: https://broken.sh/issues/CVE-2011-3868 matches against the wrong package :/

16:59 <hexa-> our ams is an audio package … 2~642: ams = callPackage ../applications/audio/ams {};

16:59 <andi-> I could probably add a blacklist for vendors... does anyone actually care about vmware in our context?

17:09 <flokli> lol

17:10 <hexa-> https://broken.sh/issues/CVE-2019-18899 doesn't affect us … The apt-cacher-ng package of openSUSE Leap 15.1

17:10 <hexa-> how do we annotate that?

17:38 <andi-> we don't do that yet... I have ideas but haven't really finished that part yet

17:39 <andi-> Maybe I'll do that one of these days

17:40 <hexa-> :)

18:47 <hexa-> andi-: any idea why this CVE isn't found? https://github.com/NixOS/nixpkgs/blob/master/pkgs/desktops/gnome-2/desktop/vte/default.nix#L20

18:47 <hexa-> https://broken.sh/issues/CVE-2012-2738

18:47 <hexa-> or … can I open bugs for you somewhere? :)

18:48 <hexa-> lol :) https://github.com/NixOS/nixpkgs/commit/4c6f7ee729d6d8830b7b554c9d8133083e61058b#diff-ba275ae4a817b97dfe98a8b11a12bbbc

19:00 anselmolsm has quit [Remote host closed the connection]

19:04 anselmolsm has joined #nixos-security

19:16 <andi-> hexa-: yes, click on the github link on broken.sh

19:18 <hexa-> ok

21:32 <hexa-> #87139

21:32 <{^_^}> https://github.com/NixOS/nixpkgs/pull/87139 (by mweinelt, 20 seconds ago, open): treewide: add CVE identifiers to patches

21:32 <hexa-> ~12 CVEs annotated

21:44 <aanderse> hexa-: thanks for bump! some packages really need maintainers... :-S

23:19 justanotheruser has quit [Ping timeout: 256 seconds]

23:29 <hexa-> :)

23:36 justanotheruser has joined #nixos-security