[Nix-dev] Security updates for libpng (CVE-2015-7981 and CVE-2015-8126)
roconnor at theorem.ca
Tue Nov 17 04:22:06 CET 2015
libpng has recently patched a few buffer-overflows in it, so I thought I
would try exercising the system.replaceRuntimeDependencies functionality
of nixos.

For nixos managed programs, you can tell if you are affected by running

    nix-store -qR /run/current-system | grep libpng

If it lists libpng 1.6.18 or older and/or libpng 1.2.53 or older then you
could be subject to this buffer-overflow.

I've attached a security_updates.nix nixos module that I have installed to
update dynamically linked libpng libraries on my system. I thought I
would share it with the rest of you.

Unfortunately, you currently need to comment out any clauses for versions
of libpng that are not on your system. For example, if you don't depend on
libpng 1.2.*, then you must comment out the libpng12 line.
Fortunately, I have a pull request 11041 under review to fix this which
should allow entities to more easily share this sort of security update.

Please be aware that this will not patch any program that statically links
to libpng, nor will it patch software installed by nix-env, or software
not managed by Nix.

After running nixos-rebuild switch or nixos-rebuild test, you can run

    nix-store -qR /run/current-system | grep libpng

again to check if all the (dynamic) references to libpng have been
updated.

I welcome any comments. Clearly there is room to make
security_updates.nix a little more sophisticated.
--
Russell O'Connor <http://r6.ca/>
``All talk about `theft,''' the general counsel of the American Graphophone
Company wrote, ``is the merest claptrap, for there exists no property in
ideas musical, literary or artistic, except as defined by statute.''
-------------- next part: security_updates.nix --------------
{ pkgs, ... }:
let
  # libpng 1.6.19 (the fixed release on the 1.6 line) with the optional APNG
  # patch; follows the shape of the nixpkgs libpng expression with version
  # and hashes bumped. Binding renamed from the post's libpng-1_8_19 so the
  # name matches the version it builds.
  libpng-1_6_19 =
    { stdenv, fetchurl, zlib, apngSupport ? true }:
    assert zlib != null;
    let
      version = "1.6.19";
      sha256 = "1s1mmkl79ghiczi2x2rbnp6y70v4c5pr8g3icxn9h5imymbmc71i";
      patch_src = fetchurl {
        url = "mirror://sourceforge/libpng-apng/libpng-${version}-apng.patch.gz";
        sha256 = "0bgqkac16yhl0zwjzq2zwkixg2l2x3a6blbk3k0wqz0lza2a6jrh";
      };
      # Evaluates to its argument when apngSupport is set, "" otherwise.
      whenPatched = stdenv.lib.optionalString apngSupport;
    in stdenv.mkDerivation rec {
      name = "libpng" + whenPatched "-apng" + "-${version}";
      src = fetchurl {
        url = "mirror://sourceforge/libpng/libpng-${version}.tar.xz";
        inherit sha256;
      };
      postPatch = whenPatched "gunzip < ${patch_src} | patch -Np1";
      propagatedBuildInputs = [ zlib ];
      doCheck = true;
      passthru = { inherit zlib; };
      meta = with stdenv.lib; {
        description = "The official reference implementation for the PNG file format" + whenPatched " with animation patch";
        homepage = "http://www.libpng.org/pub/png/libpng.html";
        license = licenses.libpng;
        platforms = platforms.all;
        maintainers = [ maintainers.vcunat maintainers.fuuzetsu ];
      };
    };

  # libpng 1.2.54, the fixed release on the 1.2 branch (replaces pkgs.libpng12).
  libpng-1_2_54 =
    { stdenv, fetchurl, zlib }:
    assert !(stdenv ? cross) -> zlib != null;
    stdenv.mkDerivation rec {
      name = "libpng-1.2.54";
      src = fetchurl {
        url = "mirror://sourceforge/libpng/${name}.tar.xz";
        sha256 = "0wnjy7gqn0f24qrlggs7kl0ij59by413j1xmqp12n3vqh9j531fg";
      };
      propagatedBuildInputs = [ zlib ];
      passthru = { inherit zlib; };
      crossAttrs = stdenv.lib.optionalAttrs (stdenv.cross.libc == "libSystem") {
        propagatedBuildInputs = [];
        passthru = {};
      };
      configureFlags = "--enable-static";
      meta = {
        description = "The official reference implementation for the PNG file format";
        homepage = "http://www.libpng.org/pub/png/libpng.html";
        license = stdenv.lib.licenses.libpng;
        maintainers = with stdenv.lib.maintainers; [ fuuzetsu ];
        branch = "1.2";
      };
    };
in {
  # Rewrite references in the system closure from each `original` store path
  # to `replacement`. The filter keeps only pairs whose replacement is strictly
  # newer than the original, so a nixpkgs that already ships the fixed
  # version is left alone.
  system.replaceRuntimeDependencies = with pkgs.lib;
    filter ({ original, replacement }: versionOlder (getVersion original) (getVersion replacement))
      [ { original = pkgs.libpng;   replacement = pkgs.callPackage libpng-1_6_19 {}; }
        { original = pkgs.libpng12; replacement = pkgs.callPackage libpng-1_2_54 {}; }
        # below is needed if you have a 32-bit skype running on an x86_64 machine
        { original = pkgs.pkgsi686Linux.libpng; replacement = pkgs.pkgsi686Linux.callPackage libpng-1_6_19 {}; }
      ];
}
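The post asks the reader to eyeball `nix-store -qR /run/current-system | grep libpng` against the 1.6.18 / 1.2.53 thresholds. The script below is an added example (not part of the post or of the attached security_updates.nix) that automates that check in POSIX sh: it reads store paths on stdin, extracts the libpng version from each path name, and reports which ones are at or below the affected versions the post names. The store hashes in the embedded sample closure are constructed placeholders, not real output.

```shell
#!/bin/sh
# Added example, not from the original post or the attached module.
# Automates the post's check: feed the runtime closure of the running system
# (nix-store -qR /run/current-system) on stdin and flag libpng store paths
# whose version is 1.6.18 or older (1.6 line) or 1.2.53 or older (1.2 line).

# Print the version from a libpng store path name, or nothing for other paths.
# Handles both "libpng-1.2.53" and the APNG-patched "libpng-apng-1.6.19" names
# and ignores output suffixes such as "-dev". Always exits 0.
libpng_version() {
  case $1 in
    *-libpng-apng-[0-9]*) v=${1##*-libpng-apng-} ;;
    *-libpng-[0-9]*)      v=${1##*-libpng-} ;;
    *)                    v= ;;
  esac
  printf '%s\n' "${v%%-*}"
}

# version_le A B: succeed when dotted version A <= B, comparing the first
# three components numerically (a missing component counts as 0).
version_le() {
  a="$1." b="$2."
  i=0
  while [ "$i" -lt 3 ]; do
    x=${a%%.*}; a=${a#*.}
    y=${b%%.*}; b=${b#*.}
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# classify_libpng VERSION: print "affected" or "ok" using the post's thresholds.
classify_libpng() {
  case $1 in
    1.2.*) threshold=1.2.53 ;;
    *)     threshold=1.6.18 ;;
  esac
  if version_le "$1" "$threshold"; then echo affected; else echo ok; fi
}

# scan_closure: read store paths on stdin, print "<status> <path>" for every
# libpng entry, and succeed only if none of them is affected.
scan_closure() {
  found=0
  while IFS= read -r path; do
    version=$(libpng_version "$path")
    [ -n "$version" ] || continue
    status=$(classify_libpng "$version")
    echo "$status $path"
    [ "$status" = affected ] && found=1
  done
  [ "$found" -eq 0 ]
}

# Constructed sample closure (placeholder hashes) standing in for the real
# output of nix-store -qR /run/current-system.
SAMPLE_CLOSURE='/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-zlib-1.2.8
/nix/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-libpng-apng-1.6.18
/nix/store/cccccccccccccccccccccccccccccccc-libpng-1.2.54
/nix/store/dddddddddddddddddddddddddddddddd-libpng-apng-1.6.19'

# Real use: nix-store -qR /run/current-system | scan_closure
printf '%s\n' "$SAMPLE_CLOSURE" | scan_closure || echo "result: an affected libpng is still referenced"
```

Run it before and after `nixos-rebuild switch` to confirm the references moved, and point it at other closures too, for instance `nix-store -qR ~/.nix-profile`, since the module only rewrites the system closure and leaves nix-env installs and statically linked programs untouched, as the post notes.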