libtiff: add patches for many related CVEs #217557

Merged
mweinelt merged 1 commit into NixOS:staging from risicle:ris-libtiff-CVE-CVE-2023-0795-CVE-2023-0804
Mar 4, 2023

risicle (Contributor) commented Feb 21, 2023

Description of changes

https://nvd.nist.gov/vuln/detail/CVE-2023-0795
https://nvd.nist.gov/vuln/detail/CVE-2023-0796
https://nvd.nist.gov/vuln/detail/CVE-2023-0797
https://nvd.nist.gov/vuln/detail/CVE-2023-0798
https://nvd.nist.gov/vuln/detail/CVE-2023-0799
https://nvd.nist.gov/vuln/detail/CVE-2023-0800
https://nvd.nist.gov/vuln/detail/CVE-2023-0801
https://nvd.nist.gov/vuln/detail/CVE-2023-0802
https://nvd.nist.gov/vuln/detail/CVE-2023-0803
https://nvd.nist.gov/vuln/detail/CVE-2023-0804

Built passthru.tests on indicated platforms.

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.05 Release Notes (or backporting 22.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

risicle added the labels "1.severity: security" and "9.needs: port to stable" on Feb 21, 2023
ofborg bot requested a review from alyssais on February 21, 2023 22:05
ofborg bot added the labels "10.rebuild-darwin: 501+", "10.rebuild-darwin: 5001+", "10.rebuild-linux: 501+" and "10.rebuild-linux: 5001+" on Feb 21, 2023
risicle (Contributor, Author) commented Feb 21, 2023

risicle force-pushed the ris-libtiff-CVE-CVE-2023-0795-CVE-2023-0804 branch from 7478af9 to cea1db4 on February 21, 2023 22:07
risicle marked this pull request as ready for review on February 21, 2023 22:08
risicle force-pushed the ris-libtiff-CVE-CVE-2023-0795-CVE-2023-0804 branch from cea1db4 to 7a8df1f on February 21, 2023 22:13
mweinelt (Member) commented Mar 4, 2023

Built on aarch64-linux and aarch64-darwin on master.

mweinelt merged commit ac32502 into NixOS:staging on Mar 4, 2023
risicle (Contributor, Author) commented Apr 8, 2023

Looks like we never backported these.
