andi- changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh | Currently supported releases: unstable (master), 20.09, 20.03 (until 27th of November)
<{^_^}> #123435 (by samueldr, 1 hour ago, open): phosh: PIN unlock issue
<samueldr> I talked with graham about it before filing the issue
<hexa-> gchristensen: do we request a CVE for this?
<samueldr> (I'd assume you'll get your answer by tomorrow at this time)
<samueldr> hexa-: do you need help with getting a proper nixos vm config?
<hexa-> (I don't assume we're in a hurry, given the unstable nature of nixpkgs master, nixos-mobile and phosh)
<hexa-> i'm just rebuilding on my desktop to see that the pam.d config looks right
<samueldr> Mobile NixOS composes with NixOS, upstream warts are upstream!
<hexa-> someone else should test on mobile nixos
<samueldr> there is "nothing" to test on Mobile NixOS compared to NixOS
<hexa-> fwiw: the place I linked to is full of warts as well
<samueldr> since the stage-2 system is the same
<hexa-> it just is that way, because we don't have programs.<somelockscreen> for most of these
<hexa-> so they are available on every system, which is why a replacement such as the one you found works
<samueldr> yeah, as I shared, I just tried doing what some other package is apparently doing
<hexa-> reasonable
<samueldr> and assumed it wasn't a fix :)
<samueldr> I wanted mainly to see if it was a packaging issue
<hexa-> I quickly browsed the upstream repo and didn't find a pam config
<samueldr> the origin was linked to in the source at least
<hexa-> @include common-auth
<hexa-> that would have been reasonable
<hexa-> although … not on nixos apparently :D
<hexa-> faster than me, my desktop won't rebuild right now
<samueldr> well, I had the config all ready to test already
<hexa-> I'm only rewording the commit message with these force pushes fwiw
<{^_^}> #123448 (by mweinelt, 17 minutes ago, open): nixos/phosh: Fix PAM configuration
<samueldr> given the issues I've had with phosh, and that I saw only two other users talking about phosh, I'm confident there's like not much more than 3 users total
<samueldr> and at least two of them set it up just to test
<hexa-> yeah, that sounds plausible
<samueldr> not sure whether the maintainer is using it right now
<hexa-> most pinephone(?) users are just testing these days ig
<samueldr> hm?
<samueldr> not many pinephone mobile nixos users yet
<samueldr> and it's not ready to daily-drive
<hexa-> yup, that's why
<samueldr> given the obvious issue with the lock screen, I think no one really tried to use it or else it's a bit concerning :)
<hexa-> indeed
<gchristensen> I have no strong opinions about a CVE either way
<gchristensen> I wonder if we could somehow note that PAM rules are set / modified in a PR and raise a flag
<pie_> <x> urxvt > is retarded and exposes goatse-wide gaping security holes https://www.openwall.com/lists/oss-security/2021/05/17/1
<pie_> terminals were a mistake
<hexa-> > The issue was quietly fixed in rxvt-unicode upstream in 2017.
<{^_^}> error: syntax error, unexpected IN, expecting ')', at (string):494:29
<hexa-> I'd say we mark rxvt with knownVulnerabilities
<hexa-> I'm updating rxvt-unicode right now
<gchristensen> sgtm
<hexa-> #123531
<{^_^}> https://github.com/NixOS/nixpkgs/pull/123531 (by mweinelt, 7 seconds ago, open): urxvt-unicode: 9.22 -> 9.26; rxvt, mrxvt, eterm: set knownVulerabilities
<gchristensen> hexa-: I'm inclined to merge despite the typo on the package name, sgty? we should also backport right away
<hexa-> gchristensen: I'm here to correct typos, when someone points me towards them. But I also don't mind too much
<gchristensen> ehh go for it, let's correct the typo
<hexa-> so urxvt-unicode -> rxvt-unicode?
<hexa-> anything else?
<gchristensen> I don't see anything
<hexa-> updated
<gchristensen> annoying for it to cause another eval :)
<hexa-> heh, there is one more quote I apparently missed :D
<gchristensen> ;_;
<hexa-> > Stay the fuck away from xterm also.
<{^_^}> error: syntax error, unexpected ')', expecting ID or OR_KW or DOLLAR_CURLY or '"', at (string):495:1
<hexa-> that's a bit wild
<gchristensen> probably should omit that specific wording from the notice
<hexa-> certainly
<hexa-> but that is nothing concrete imo
<hexa-> I tried enabling this in 88.0.1, but it didn't work
<hexa-> maybe with 89.0 )
<gchristensen> oh cool
<gchristensen> > Fission is still in active development, and can only be enabled in Firefox Nightly.
<{^_^}> error: syntax error, unexpected IN, expecting ')', at (string):494:18
<hexa-> according to the blog post also on beta and release now
<MichaelRaskin> Ah cool. I guess it doesn't matter for me, though.
<MichaelRaskin> (Firefox windows already have different underlying UIDs)
<gchristensen> showoff :P :D
<gchristensen> ;)
<MichaelRaskin> Come on, different underlying UIDs are even easy to achieve
<MichaelRaskin> I had this way before my current jailing setup
<hexa-> so, #123531?
<{^_^}> https://github.com/NixOS/nixpkgs/pull/123531 (by mweinelt, 3 hours ago, open): rxvt-unicode: 9.22 -> 9.26; rxvt, mrxvt, eterm: set knownVulerabilities
<{^_^}> #123590 (by mweinelt, 11 seconds ago, open): [20.09] rxvt-unicode: 9.22 -> 9.26; rxvt, mrxvt, eterm: mark with knownVulnerable
<hexa-> meh
<andi-> one more vulnerability fixed. We should be happy :)
<hexa-> As of this writing, yescrypt is the default password hashing scheme on
<hexa-> recent ALT Linux, Debian testing, and Kali Linux 2021.1+. It is also
<hexa-> supported in Fedora 29+ (and is recommended for new passwords in Fedora
<hexa-> CoreOS) and in Ubuntu 20.04+.
<hexa-> how did we miss this? :D
<hexa-> it is in here apparently https://github.com/NixOS/nixpkgs/pull/114794
<{^_^}> #114794 (by dottedmag, 11 weeks ago, merged): linux-pam: Optionally build with libxcrypt
<gchristensen> wow!
<{^_^}> #112371 (by dottedmag, 14 weeks ago, open): libcrypt.so.1: support newer hash types via libxcrypt
<andi-> before we can do any forward migration towards these things we probably should have at least one release out with support for it.
<hexa-> yeah, I wasn't aware that the plan is libcrypt xor libxcrypt
<gchristensen> andi-: tell me about that?
<andi-> gchristensen: well if someone rolls back his machine you want to be able to unlock it.
<gchristensen> I was thinking through ways where it probably isn't an issue, but you're right and it doesn't matter