zlib: 1.2.11 -> 1.2.12 (security, CVE-2018-25032) #166451

Merged: mweinelt merged 1 commit into NixOS:staging-next from wamserma:zlib-1.2.12-staging on Mar 31, 2022

Conversation

@wamserma (Member) commented Mar 30, 2022

This version bump is the official fix for CVE-2018-25032.

Release Notes:
https://zlib.net/

More info on CVE:
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
https://www.openwall.com/lists/oss-security/2022/03/24/1

Description of changes
Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.05 Release Notes (or backporting 21.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@wamserma (Member, Author) commented:

ping @twz123 for review

@wamserma added the labels "1.severity: security" (Issues which raise a security issue, or PRs that fix one) and "backport staging-21.11" on Mar 30, 2022
@wamserma force-pushed the zlib-1.2.12-staging branch from 5d5b1ca to 9d38202 on March 30, 2022 21:34
@wamserma requested a review from numinit on March 30, 2022 21:35
@numinit (Contributor) commented Mar 30, 2022

@GrahamcOfBorg eval
@GrahamcOfBorg build zlib

@ofborg (bot) added labels on Mar 31, 2022:
  • 10.rebuild-darwin-stdenv: This PR causes stdenv to rebuild on Darwin and must target a staging branch.
  • 10.rebuild-linux-stdenv: This PR causes stdenv to rebuild on Linux and must target a staging branch.
  • 10.rebuild-darwin: 501+: This PR causes many rebuilds on Darwin and should normally target the staging branches.
  • 10.rebuild-darwin: 5001+: This PR causes many rebuilds on Darwin and must target the staging branches.
  • 10.rebuild-linux: 501+: This PR causes many rebuilds on Linux and should normally target the staging branches.
  • 10.rebuild-linux: 5001+: This PR causes many rebuilds on Linux and must target the staging branches.
@wamserma force-pushed the zlib-1.2.12-staging branch from 9d38202 to 7d9ecea on March 31, 2022 06:05
@wamserma requested a review from numinit on March 31, 2022 06:05
@SuperSandro2000 (Member) commented:

Please ping me if no one else merges this within a day or two.

@alyssais (Member) commented:

Are we sure we want to send this vulnerability through staging instead of sending it straight to master as a critical fix? It's been very widely shared, and zlib has a huge number of dependents, meanwhile it could take a month or more to get through staging, since we just started a cycle.

I'm not advocating one way or the other, but want to make sure we make a considered decision.
cc @NixOS/security

@alyssais alyssais requested a review from a team March 31, 2022 16:28
@grahamc (Member) commented Mar 31, 2022

Directly to master please.

@vcunat (Member) commented Mar 31, 2022

It rebuilds all stdenvs, so binaries won't be there so soon either way. We might want to fix stable sooner than unstable?

As for unstable; I wasn't following the current staging-next iteration now (as I'm mostly unavailable this week), so perhaps it might be ready enough to go with this at once (say, merge this to staging-next and then soon to master when a few binaries are there).

@wamserma (Member, Author) commented Mar 31, 2022

Shall I rebase the commit onto staging-next or do you prefer a cherry-pick?
I'd suggest the cherry-pick as #165642 has already been merged to staging.

@mweinelt (Member) commented Mar 31, 2022

Going via staging-next is only worth it if staging-next is actually in a good state, we have to look into that first.

For NixOS 21.11 I think release-21.11 would be preferable, since we have no active staging run there right now.

@mweinelt (Member) commented Mar 31, 2022

> Shall I rebase the commit onto staging-next or do you prefer a cherry-pick? I'd suggest the cherry-pick as #165642 has already been merged to staging.

Picked that commit into staging-next, please rebase onto staging-next. That's easiest to create the backport.

Backporting will be done by hand as the mentioned PR has already been backported into staging-21.11.

@mweinelt force-pushed the zlib-1.2.12-staging branch from b515b17 to c22119d on March 31, 2022 18:16
@mweinelt changed the base branch from staging to staging-next on March 31, 2022 18:16
@mweinelt force-pushed the zlib-1.2.12-staging branch from c22119d to 8cd9c04 on March 31, 2022 18:18
@mweinelt merged commit 8cd9c04 into NixOS:staging-next on Mar 31, 2022
@mweinelt mentioned this pull request on Mar 31, 2022
@vcunat (Member) commented Apr 5, 2022

EDIT: split to #167708

@wamserma wamserma deleted the zlib-1.2.12-staging branch April 5, 2022 07:36
@wamserma (Member, Author) commented Apr 5, 2022

The Qt-bundled zlib was updated in
https://code.qt.io/cgit/qt/qtbase.git/commit/?id=a0a2bf2d95d4fcd468b6ce3c2e728d95425dd760
which says Pick-to: 6.2 6.3 6.3.0 5.15 but it seems there is no pick to any Qt5 version (least 5.12.10, which is in our stable).

@vcunat (Member) commented Apr 5, 2022

I hope we don't use the bundled one, but the commit (or some around it) might contain other necessary changes for newer zlib in Qt. Darwin defaults to Qt 5.12 even on newest nixpkgs... so perhaps that would better get addressed some time, too.

@mweinelt (Member) commented Apr 5, 2022

Well the root cause might be similar to PyPy

@Mindavi (Contributor) commented Apr 5, 2022

This broke support for cross-compiling zlib, causing everything depending on it to break:

mindavi@nixos:~/nixpkgs$ nix build .#pkgsCross.aarch64-multiplatform.zlib
mindavi@nixos:~/nixpkgs$ tree result
result
└── share
    └── man
        └── man3
            └── zlib.3.gz

3 directories, 1 file
mindavi@nixos:~/nixpkgs$ nix build .#pkgsCross.aarch64-multiplatform.zlib.dev
mindavi@nixos:~/nixpkgs$ tree result-dev
result-dev
├── include
│   ├── zconf.h
│   └── zlib.h
├── lib
│   └── pkgconfig
│       └── zlib.pc
└── nix-support
    └── propagated-build-inputs

4 directories, 4 files

Commit on which I tested this (merge staging-next to master): b4729ba

Maybe this section in the log points to something?

zlib-aarch64-unknown-linux-gnu> Checking for shared library support...
zlib-aarch64-unknown-linux-gnu> No shared library support; try without defining CC and CFLAGS
zlib-aarch64-unknown-linux-gnu> Building static library libz.a version 1.2.12 with aarch64-unknown-linux-gnu-gcc.

(This may well be an upstream issue, but I think it's still valuable to note here)
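The static-only fallback quoted in the comment above is the kind of regression a build-output check can catch before a broken zlib is consumed by its dependents. The script below is an added example, not code from this PR or from nixpkgs: it looks for a shared libz in a build output directory, reads the version from the shared object's filename, compares it against the 1.2.12 fix version for CVE-2018-25032, and scans a configure log for the "No shared library support" message. The function names are this example's own, and the directory trees and log lines it builds in --demo mode are constructed to mirror the output quoted in the thread.

```shell
#!/bin/sh
# Added example (not nixpkgs code): sanity-check a zlib build output.
# A usable zlib 1.2.12 build must ship a shared libz and must not have fallen
# back to the static-only configure path seen in the cross-compiled output
# quoted in the thread.

# Return 0 when DIR contains a shared libz (any libz.so* file or symlink).
has_shared_libz() {
    find "$1" -name 'libz.so*' 2>/dev/null | grep -q .
}

# Print the version encoded in the real shared object name (libz.so.X.Y.Z);
# return 1 when no such file is present.
shared_libz_version() {
    f=$(find "$1" -name 'libz.so.[0-9]*.[0-9]*.[0-9]*' 2>/dev/null | head -n 1)
    [ -n "$f" ] || return 1
    printf '%s\n' "${f##*/libz.so.}"
}

# Return 0 when the log contains the message zlib's configure prints when its
# shared-library probe fails and it falls back to a static-only build.
configure_fell_back_to_static() {
    grep -q 'No shared library support' "$1"
}

# Compare dotted versions numerically, component by component; return 0 when
# $1 >= $2. Missing components count as 0, so 1.3 >= 1.2.12.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Full check: OUT is the build output dir, LOG the configure/build log (may be
# empty), WANT the minimum acceptable version (default: the CVE-2018-25032 fix).
check_zlib_build() {
    out=$1; log=$2; want=${3:-1.2.12}; status=0
    if [ -n "$log" ] && configure_fell_back_to_static "$log"; then
        echo "FAIL: configure fell back to a static-only build (see $log)"
        status=1
    fi
    if ! has_shared_libz "$out"; then
        echo "FAIL: no shared libz under $out"
        status=1
    else
        v=$(shared_libz_version "$out" || echo unknown)
        if version_ge "$v" "$want"; then
            echo "OK: shared libz $v is at least $want"
        else
            echo "FAIL: shared libz $v is older than $want"
            status=1
        fi
    fi
    return $status
}

# Constructed fixtures for --demo mode, mirroring the trees quoted in the thread.
make_broken_output() {        # DIR: only the man page, as in the broken cross build
    mkdir -p "$1/share/man/man3" && : > "$1/share/man/man3/zlib.3.gz"
}
make_good_output() {          # DIR VERSION: shared object plus the usual symlinks
    mkdir -p "$1/lib" "$1/share/man/man3"
    : > "$1/lib/libz.so.$2"
    ln -s "libz.so.$2" "$1/lib/libz.so.${2%%.*}"
    ln -s "libz.so.${2%%.*}" "$1/lib/libz.so"
    : > "$1/share/man/man3/zlib.3.gz"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_broken_output "$tmp/bad"; make_good_output "$tmp/good" 1.2.12
    # Constructed log line, copied from the configure output quoted above.
    printf '%s\n' 'zlib-aarch64-unknown-linux-gnu> No shared library support; try without defining CC and CFLAGS' > "$tmp/bad.log"
    : > "$tmp/good.log"
    check_zlib_build "$tmp/bad" "$tmp/bad.log" || true
    check_zlib_build "$tmp/good" "$tmp/good.log"
    rm -rf "$tmp"
elif [ $# -ge 1 ]; then
    check_zlib_build "$1" "${2:-}" "${3:-}"
fi
```

Run it as `sh check_zlib_build.sh ./result build.log` against a real output (for example the `result` from the `nix build` invocation quoted above, with the build log saved to a file), or with `--demo` to see the constructed good and broken trees evaluated side by side. The version comparison is numeric per component rather than a string comparison, so 1.2.13 and 1.3 are correctly accepted while 1.2.11 is rejected.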
