andi- changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh | Currently supported releases: unstable (master), 20.09, 20.03 (until 27th of November)
<hexa-> on reddit, neat
<samueldr> hm?
<hexa-> not our usual source for these things
<samueldr> heh
<samueldr> hadn't seen any discussion here, and no PR
<hexa-> yup, I wonder why I didn't see it on, say oss-security
<hexa-> pkgs/top-level/all-packages.nix
<hexa-> 4357: exiftool = perlPackages.ImageExifTool;
<samueldr> sorry for your loss
<hexa-> yeah, that is perl for me :D
<hexa-> newest version on github: 12.25
<hexa-> newest version on cpan: 12.16
<hexa-> yay
<hexa-> 1 version = 1 commit
<hexa-> Note: The most recent production release is Version 12.16. (Other versions are
<hexa-> considered development releases, and are not uploaded to MetaCPAN.)
<hexa-> not today.
<hexa-> wow.
<hexa-> guess we can patch that exact file
<hexa-> tomorrow
<hexa-> > Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image
<{^_^}> error: syntax error, unexpected IN, expecting ')', at (string):494:38
<hexa-> 12.00 in release-20.09
<hexa-> 12.16 in unstable
<hexa-> and php-exif can shell out to exiftool
<hexa-> nice
<stigo> merged #121566
<{^_^}> https://github.com/NixOS/nixpkgs/pull/121566 (by midchildan, 32 minutes ago, merged): perlPackages.ImageExifTool: apply fix for CVE-2021-22204
<stigo> #121568
<{^_^}> https://github.com/NixOS/nixpkgs/pull/121568 (by midchildan, 2 minutes ago, open): [20.09] perlPackages.ImageExifTool: apply fix for CVE-2021-22204
<stigo> also, for 20.03: #121569
<{^_^}> https://github.com/NixOS/nixpkgs/pull/121569 (by midchildan, 2 hours ago, open): [20.03] perlPackages.ImageExifTool: apply fix for CVE-2021-22204
<stigo> ^^ I think it's worth patching it for 20.03, since it seems this vuln can easily lead to RCE
<hexa-> if someone more familiar with busybox usage in nixpkgs could answer this
<andi-> a minimal /bin/sh (just the sh part) is used for builds within the sandbox on NixOS systems. The tar and unxz features (and some coreutils-like things) are part of our bootstrap tarball. Not sure what the question in that PR actually is.
<{^_^}> #121634 (by WilliButz, 5 minutes ago, open): hedgedoc: 1.7.2 -> 1.8.0 (security)