[Nix-dev] CVE-2015-7547 stdenv-changing fix merged on master and 15.09

Shea Levy shea at shealevy.com
Tue Feb 16 17:55:54 CET 2016


Hi all,

Nathan Zadoks has offered to allow users to download the new glibc from 
his hydra while we wait for hydra.nixos.org to catch up. To fetch it, as 
root run:

# nix-store -r /nix/store/5fbwy40pa4pqr97jdgbyaal1y1ns6hb1-glibc-2.21 \
    --option binary-caches https://code.nathan7.eu/hydra \
    --option binary-cache-public-keys colossus.nathan7.eu:4iYLGVtL9WTE0OXgPQgQex0BIYopHxFuIYTERQ0dhCc=

Obviously this assumes you trust his hydra to be providing a real 
result!

You can then add this line to your configuration.nix:

    system.replaceRuntimeDependencies = [
      { original = pkgs.glibc;
        replacement = builtins.storePath /nix/store/5fbwy40pa4pqr97jdgbyaal1y1ns6hb1-glibc-2.21; }
    ];

and do a nixos-rebuild against the channel to get a secured system 
until the channel is updated.

Regards,
Shea
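
As an added example (mine, not from the thread), a small shell check to run after the nixos-rebuild: it reads the system closure from stdin and flags any remaining glibc-2.21 store path other than the patched one named above. The "stale" store hash in the sample data is a constructed placeholder, not a real path.

```shell
#!/bin/sh
# Added example, not from the original thread: after the rebuild with
# system.replaceRuntimeDependencies, confirm the system closure references
# the patched glibc and no other glibc-2.21 store path. Feed it the output of
#   nix-store -qR /run/current-system
# on stdin. PATCHED_GLIBC is the store path named in the thread; the "stale"
# path in the sample data is a constructed placeholder, not a real store path.

PATCHED_GLIBC=/nix/store/5fbwy40pa4pqr97jdgbyaal1y1ns6hb1-glibc-2.21

# check_closure: read store paths from stdin; return 0 only when the patched
# glibc is present and no other glibc-2.21 remains in the closure.
check_closure() {
    found_patched=0
    stale=""
    while IFS= read -r path; do
        case "$path" in
            "$PATCHED_GLIBC") found_patched=1 ;;
            /nix/store/*-glibc-2.21) stale="$stale $path" ;;
        esac
    done
    status=0
    if [ "$found_patched" -ne 1 ]; then
        echo "MISSING: patched glibc $PATCHED_GLIBC is not in the closure"
        status=1
    fi
    if [ -n "$stale" ]; then
        echo "STALE: unpatched glibc still referenced:$stale"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: closure references only the patched glibc"
    return "$status"
}

# Constructed sample closures (not real nix-store output), one path per line.
SAMPLE_STALE='/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-glibc-2.21
/nix/store/5fbwy40pa4pqr97jdgbyaal1y1ns6hb1-glibc-2.21
/nix/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-bash-4.3-p42'
SAMPLE_CLEAN='/nix/store/5fbwy40pa4pqr97jdgbyaal1y1ns6hb1-glibc-2.21
/nix/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-bash-4.3-p42'

# Usage on a live system:  nix-store -qR /run/current-system | check_closure
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_STALE" | check_closure    # reports STALE
    printf '%s\n' "$SAMPLE_CLEAN" | check_closure    # reports OK
fi
```

On a correctly rebuilt system the live pipeline prints the OK line and exits 0; a STALE line means some part of the closure still references the old glibc and the rebuild did not cover it.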

On 2016-02-16 11:36, Shea Levy wrote:
> Fixed patch pushed to master, 15.09, and 14.12.
>
> On 2016-02-16 10:58, Shea Levy wrote:
>> There was an error with the patch, we're cooking up a fix now.
>>
>> On 2016-02-16 10:37, Shea Levy wrote:
>>> Hi all,
>>>
>>> I've just merged the patch to fix CVE-2015-7547, a buffer overrun in
>>> glibc with working POC exploit, into master and 15.09. It will take
>>> some time for the channel to update, so please use your judgment as to
>>> whether you want to wait for that or switch to building from git until
>>> it catches up. Please check out pkgs.replaceDependency
>>> (https://github.com/NixOS/nixpkgs/blob/15aa139a1a131b3e34a0b49425d87cffbf93d905/pkgs/build-support/replace-dependency.nix)
>>> for an alternative that won't require a full rebuild in the meantime.
>>>
>>> Eelco, Rob, can we do anything to ensure hydra capacity for the
>>> rebuild?
>>>
>>> ~Shea
>>> _______________________________________________
>>> nix-dev mailing list
>>> nix-dev at lists.science.uu.nl
>>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
