
curl: 7.74.0 -> 7.76.1 #118128

Merged (1 commit), Apr 14, 2021

Conversation

@mweinelt (Member)

Motivation for this change

https://curl.se/changes.html

https://curl.se/docs/CVE-2021-22876.html
https://curl.se/docs/CVE-2021-22890.html

Fixes: CVE-2021-22876, CVE-2021-22890

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS Linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
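The two advisories linked in the motivation cover, respectively, curl copying the credentials embedded in a URL into the automatically generated Referer header (CVE-2021-22876) and a TLS 1.3 session-ticket mixup between an HTTPS proxy and the destination host (CVE-2021-22890). The Python below is an added illustration of the first one; it is not code from curl, from nix, or from this PR. It models the leaky and the corrected Referer derivation side by side and adds a check a practitioner can run over captured request headers. The URL, the header lines and the function names are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample URL; the userinfo part is what must never leave the client.
PREVIOUS_URL = "https://alice:s3cret@example.com:8443/login?next=/home#top"


def leaky_referer(previous_url: str) -> str:
    """Model of the behaviour fixed by CVE-2021-22876: the previous URL is
    copied verbatim into the Referer header, userinfo included."""
    return previous_url


def safe_referer(previous_url: str) -> str:
    """Derive a Referer value the way the corrected behaviour does: drop the
    userinfo from the authority and drop the fragment, which is never sent
    on the wire in a Referer."""
    parts = urlsplit(previous_url)
    # netloc is only the authority, so splitting on the last '@' keeps an
    # IPv6 literal (with its brackets) and the port intact.
    authority = parts.netloc.rsplit("@", 1)[-1]
    return urlunsplit((parts.scheme, authority, parts.path, parts.query, ""))


def referer_carries_credentials(header_value: str) -> bool:
    """True if the authority of a captured Referer value still holds userinfo."""
    return "@" in urlsplit(header_value.strip()).netloc


def find_leaks(header_lines):
    """Scan raw 'Name: value' header lines and return every Referer value
    that would leak credentials to the next server in a redirect chain."""
    leaks = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "referer" and referer_carries_credentials(value):
            leaks.append(value.strip())
    return leaks


# Constructed header lines, as a proxy or test harness might capture them
# from a client following a redirect away from PREVIOUS_URL.
SAMPLE_HEADERS = [
    "Host: example.net",
    "Referer: " + leaky_referer(PREVIOUS_URL),   # pre-fix behaviour
    "Referer: " + safe_referer(PREVIOUS_URL),    # fixed behaviour
    "User-Agent: curl/7.74.0",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header)
    print("leaking Referer values:", find_leaks(SAMPLE_HEADERS))
```

The check only matters for clients that let curl generate the Referer for them (CURLOPT_AUTOREFERER, or `--referer ";auto"` together with `-L` on the command line) and that fetch URLs carrying credentials in the authority part; with 7.76.0 or later the second Referer line is what goes on the wire.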

@mweinelt mweinelt added 1.severity: security Issues which raise a security issue, or PRs that fix one 9.needs: port to stable A PR needs a backport to the stable release. labels Mar 31, 2021
@mweinelt mweinelt force-pushed the curl branch 2 times, most recently from aad6a71 to 0fd16d1 Compare March 31, 2021 08:22
@mweinelt (Member Author)

Eval fails a test in nix; I'll check if I can repro this.

running test tests/nix-channel.sh... [FAIL]
    common.sh: line 89: unshare: command not found
    + clearProfiles
    + profiles=/build/nix-test/var/nix/profiles
    + rm -rf /build/nix-test/var/nix/profiles
    + rm -f /build/nix-test/test-home/.nix-channels /build/nix-test/test-home/.nix-profile
    + nix-channel --add http://foo/bar xyzzy
    + nix-channel --list
    + grep -q http://foo/bar
    + nix-channel --remove xyzzy
    building '/build/nix-test/store/b3cfvh7vcfjw6653zd6npy6xx5xz7dnq-user-environment.drv'...
    created 0 symlinks in user environment
    + '[' -e /build/nix-test/test-home/.nix-channels ']'
    ++ cat /build/nix-test/test-home/.nix-channels
    + '[' '' = '' ']'
    + rm -rf /build/nix-test/foo
    + mkdir -p /build/nix-test/foo
    +++ nix-instantiate dependencies.nix
    warning: you did not specify '--add-root'; the result might be removed by the garbage collector
    ++ nix-store -r /build/nix-test/store/cfi0q6hi9l8j39ha1prnlgi29ap7f9r9-dependencies.drv
    these derivations will be built:
      /build/nix-test/store/pfplxfb1nfa318q1bq8xg31cszl85icd-dependencies-input-1.drv
      /build/nix-test/store/s3qkc8nnxrcmgxnnfs6205gnslg3h3d8-dependencies-input-2.drv
      /build/nix-test/store/cfi0q6hi9l8j39ha1prnlgi29ap7f9r9-dependencies.drv
    building '/build/nix-test/store/pfplxfb1nfa318q1bq8xg31cszl85icd-dependencies-input-1.drv'...
    building '/build/nix-test/store/s3qkc8nnxrcmgxnnfs6205gnslg3h3d8-dependencies-input-2.drv'...
    building '/build/nix-test/store/cfi0q6hi9l8j39ha1prnlgi29ap7f9r9-dependencies.drv'...
    FOO
    warning: you did not specify '--add-root'; the result might be removed by the garbage collector
    + nix copy --to 'file:///build/nix-test/foo?compression=bzip2' /build/nix-test/store/4m6nrdsnd0qxaf74yylnxxkk3v0y1rzd-dependencies
    warning: you don't have Internet access; disabling some network-dependent features
    + rm -rf /build/nix-test/nixexprs
    + mkdir -p /build/nix-test/nixexprs
    + cp config.nix dependencies.nix dependencies.builder0.sh dependencies.builder1.sh dependencies.builder2.sh /build/nix-test/nixexprs/
    + ln -s dependencies.nix /build/nix-test/nixexprs/default.nix
    + cd /build/nix-test
    + tar cvf - nixexprs
    + bzip2
    nixexprs/
    nixexprs/dependencies.builder1.sh
    nixexprs/default.nix
    nixexprs/config.nix
    nixexprs/dependencies.builder2.sh
    nixexprs/dependencies.builder0.sh
    nixexprs/dependencies.nix
    + nix-channel --add file:///build/nix-test/foo
    + nix-channel --update
    warning: unable to download 'file:///build/nix-test/foo': Couldn't resume download (36); retrying in 330 ms
    warning: unable to download 'file:///build/nix-test/foo': Couldn't resume download (36); retrying in 508 ms
    warning: unable to download 'file:///build/nix-test/foo': Couldn't resume download (36); retrying in 1364 ms
    warning: unable to download 'file:///build/nix-test/foo': Couldn't resume download (36); retrying in 2795 ms
    error: unable to download 'file:///build/nix-test/foo': Couldn't resume download (36)

@mweinelt (Member Author) commented Apr 1, 2021

Nix tests already fail with curl 7.75.0.

@roberth roberth mentioned this pull request Apr 2, 2021
@SuperSandro2000 (Member)

@ofborg eval

@Izorkin (Contributor) commented Apr 2, 2021

Recent changes to nix do not fix the error:

running test tests/nix-channel.sh... [FAIL]
    unshare: unshare failed: Operation not permitted
...
1 out of 56 tests failed
make: *** [mk/tests.mk:12: installcheck] Error 1
builder for '/nix/store/4a0a91f50x1k81sg8nk98ydy60mf0gs5-nix-2.3.10.drv' failed with exit code 2
error: build of '/nix/store/4a0a91f50x1k81sg8nk98ydy60mf0gs5-nix-2.3.10.drv' failed

@mweinelt (Member Author) commented Apr 2, 2021

The actual error is at the end of the log and happens during the nix-channel --update call.

@FRidh FRidh added this to the 21.05 milestone Apr 3, 2021
@lukegb (Contributor) commented Apr 3, 2021

@mweinelt sent you mweinelt#5 to add a curl patch which fixes the behaviour nix relies upon; I'm preparing an upstream PR as well.

@mweinelt mweinelt force-pushed the curl branch 2 times, most recently from 5ad5afc to 5b8adde Compare April 3, 2021 17:52
@ofborg ofborg bot added 2.status: merge conflict This PR has merge conflicts with the target branch 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild and removed 2.status: merge conflict This PR has merge conflicts with the target branch labels Apr 3, 2021
@ofborg ofborg bot requested a review from lovek323 April 3, 2021 18:34
@mweinelt (Member Author) commented Apr 4, 2021

Waiting for the result of curl/curl#6846, before we continue here. The security issues have been addressed in #118343 and #118469 for now.

@lukegb (Contributor) commented Apr 4, 2021

> Waiting for the result of curl/curl#6846, before we continue here. The security issues have been addressed in #118343 and #118469 for now.

Probably for the best; we can pull the final version of the commit once it's landed.

@mweinelt mweinelt added the 2.status: wait-for-upstream Waiting for upstream fix (or their other action). label Apr 4, 2021
@mweinelt (Member Author) commented Apr 5, 2021

Updated the patch as it was merged upstream.

@mweinelt mweinelt removed the 2.status: wait-for-upstream Waiting for upstream fix (or their other action). label Apr 5, 2021
@mweinelt mweinelt removed the 9.needs: port to stable A PR needs a backport to the stable release. label Apr 5, 2021
@mweinelt mweinelt requested a review from lukegb April 5, 2021 13:59
@lukegb (Contributor) commented Apr 5, 2021

Since we've already patched against the security vulnerability, it might be worth waiting for 7.76.1, which is landing on the 14th; it fixes some HTTP/2 regressions in 7.76.0: https://curl.se/dev/release-notes.html

@SuperSandro2000 (Member)

This is a semi-automatic executed nixpkgs-review with nixpkgs-review-checks extension. It is checked by a human on
a best effort basis and does not build all packages (e.g. lumo, tensorflow or pytorch).
If you have any questions or problems please reach out to SuperSandro2000 on IRC.

Result of nixpkgs-review pr 118128 run on x86_64-linux

1 package built:
  • nix

@lukegb (Contributor) commented Apr 14, 2021

7.76.1 is here: https://curl.se/changes.html

@mweinelt (Member Author)

Updated.

@mweinelt mweinelt changed the title curl: 7.74.0 -> 7.76.0 curl: 7.74.0 -> 7.76.1 Apr 14, 2021
@lukegb (Contributor) commented Apr 14, 2021

@ofborg build nix nixUnstable
@ofborg test simple

Good luck, ofborg.

@lukegb (Contributor) commented Apr 14, 2021

Well, I built b101b0b and that worked, so LG.

@lukegb (Contributor) commented Apr 14, 2021

I built, specifically, tests.simple.x86_64-linux, tests.nixos-generate-config.x86_64-linux; and nix/nixUnstable

@lukegb (Contributor) commented Apr 14, 2021

Built 61c9c78, that worked too.

@mweinelt mweinelt merged commit b20fd5e into NixOS:staging Apr 14, 2021
@mweinelt mweinelt deleted the curl branch April 14, 2021 16:31
@mweinelt (Member Author)

Thanks!
