perl: use pkgs.zlib instead of bundled zlib #167084

Merged
dasJ merged 1 commit into NixOS:staging from stigtsp:fix/perl-core-zlib
Apr 8, 2022

Conversation

stigtsp (Member) commented Apr 3, 2022

Description of changes

perl currently contains its own bundled zlib-1.2.11, which is vulnerable to CVE-2018-25032, and is used when building the core module Compress::Raw::Zlib.

It is built by perl and is separate from perlPackages.CompressRawZlib.

This PR patches perl to use pkgs.zlib instead when building this core module.

# To check what zlib version is used
perl -MCompress::Raw::Zlib -E 'say Compress::Raw::Zlib::zlib_version();'

pmqs/Compress-Raw-Zlib#6

Cc: @alyssais

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.05 Release Notes (or backporting 21.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.
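An added verification script (not part of this PR or of perl itself) that extends the one-liner in the description: it reports the zlib version Compress::Raw::Zlib was compiled against and the one it runs with, checks on Linux whether the module's Zlib.so is dynamically linked against a libz.so (as with pkgs.zlib) or carries zlib compiled in (as with the bundled copy), and exits non-zero if the runtime zlib is older than 1.2.12, the upstream release that fixed CVE-2018-25032 (that baseline comes from the zlib release history, not from this PR).

```perl
#!/usr/bin/env perl
# Added check, not part of the PR: which zlib does Compress::Raw::Zlib use?
use strict;
use warnings;
use Config;
use Compress::Raw::Zlib qw(ZLIB_VERSION);

# First zlib release without CVE-2018-25032 (assumed baseline; adjust if needed).
my $FIXED = '1.2.12';

# Compare dotted version strings numerically, field by field.
sub version_cmp {
    my ($l, $r) = @_;
    my @x = split /\./, $l;
    my @y = split /\./, $r;
    while (@x || @y) {
        my $c = (shift(@x) // 0) <=> (shift(@y) // 0);
        return $c if $c;
    }
    return 0;
}

# Locate the XS shared object of the core module in @INC.
sub find_zlib_so {
    for my $dir (@INC) {
        my $so = "$dir/auto/Compress/Raw/Zlib/Zlib.$Config{dlext}";
        return $so if -f $so;
    }
    return;
}

my $compiled = ZLIB_VERSION;                         # zlib.h version at build time
my $runtime  = Compress::Raw::Zlib::zlib_version();  # library version at run time
printf "compiled against zlib %s, running with zlib %s\n", $compiled, $runtime;

# Header and library from different zlibs is a sign of a mixed build.
print "WARNING: compile-time and run-time zlib versions differ\n"
    if $compiled ne $runtime;

# Linux only: a build against pkgs.zlib lists libz.so in ldd output; a build
# with perl's bundled zlib has it compiled into Zlib.so and lists none.
if (my $so = find_zlib_so()) {
    my @libz = grep { /libz\.so/ } qx(ldd "$so" 2>/dev/null);
    print @libz ? "dynamically linked: $libz[0]"
                : "no libz.so in ldd output, zlib appears bundled into $so\n";
}

# Exit status 1 while the runtime zlib is still older than the fixed release.
exit(version_cmp($runtime, $FIXED) < 0 ? 1 : 0);
```

On Darwin, substitute `otool -L` for `ldd` to perform the same linkage check.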

@stigtsp stigtsp requested review from alyssais and mweinelt April 3, 2022 20:37
stigtsp (Member, Author) commented Apr 3, 2022

@GrahamcOfBorg build perl

@stigtsp stigtsp marked this pull request as ready for review April 3, 2022 21:56
@stigtsp stigtsp requested a review from zakame as a code owner April 3, 2022 21:56
@stigtsp stigtsp added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Apr 3, 2022
@ofborg ofborg bot added 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 10.rebuild-linux-stdenv This PR causes stdenv to rebuild on Linux and must target a staging branch. labels Apr 3, 2022
@ofborg ofborg bot requested a review from edolstra April 3, 2022 23:33
@ofborg ofborg bot added 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels Apr 3, 2022
zakame (Member) left a comment:

LGTM 💯

stigtsp (Member, Author) commented Apr 4, 2022

@GrahamcOfBorg build pkgsCross.aarch64-multiplatform.perl534
@GrahamcOfBorg build pkgsCross.armv7l-hf-multiplatform.perl534
@GrahamcOfBorg build pkgsMusl.perl534
@GrahamcOfBorg build pkgsi686Linux.perl534
@GrahamcOfBorg build perl534
@GrahamcOfBorg build pkgsCross.aarch64-multiplatform.perlPackages.HTTPDaemon

vcunat (Member) commented Apr 8, 2022

For 21.11 I assume we'll wait for upstream to release versions with updated bundled zlib? I suspect that adding the external runtime dependency on zlib might be a bit intrusive for stable.

stigtsp (Member, Author) commented Apr 8, 2022

For 21.11 I assume we'll wait for upstream to release versions with updated bundled zlib? I suspect that adding the external runtime dependency on zlib might be a bit intrusive for stable.

Agree 👍

vcunat pushed a commit that referenced this pull request Apr 10, 2022
alyssais (Member) commented May 1, 2022

This appears to have broken pkgsStatic.perl. That's on me for not testing this at the time. I haven't looked into why it broke yet.

alyssais (Member) commented May 1, 2022

arsv/perl-cross#129

@alyssais alyssais mentioned this pull request May 6, 2022
