[Nix-dev] CVE-2015-7547 stdenv-changing fix merged on master and 15.09

roconnor at theorem.ca
Tue Feb 16 18:34:39 CET 2016


I am using the following expression which I believe will build a patched 
version of glibc locally, and then build a patched NixOS derivation.

system.replaceRuntimeDependencies = with pkgs.lib;
  [ { original = pkgs.glibc;
      # The same glibc derivation with the CVE-2015-7547 patch from nixpkgs
      # master appended to its patch list; this rebuilds glibc locally.
      replacement = pkgs.stdenv.lib.overrideDerivation pkgs.glibc (oldAttr: {
        patches = oldAttr.patches ++ [
          (pkgs.fetchurl {
            url = "https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/development/libraries/glibc/cve-2015-7547.patch";
            sha256 = "0awpc4rp2x27rjpj83ps0rclmn73hsgfv2xxk18k82w4hdxqpp5r";
          })
        ];
      });
    }
  ];

I didn't time it, but I think it took around 25 minutes to update my 
desktop machine this way.  Good luck everyone.

On Tue, 16 Feb 2016, Shea Levy wrote:

> Hi all,
>
> Nathan Zadoks has offered to allow users to download the new glibc from
> his hydra while we wait for hydra.nixos.org to catch up. To fetch it, as
> root run:
>
> # nix-store -r /nix/store/5fbwy40pa4pqr97jdgbyaal1y1ns6hb1-glibc-2.21 \
>     --option binary-caches https://code.nathan7.eu/hydra \
>     --option binary-cache-public-keys colossus.nathan7.eu:4iYLGVtL9WTE0OXgPQgQex0BIYopHxFuIYTERQ0dhCc=
>
> Obviously this assumes you trust his hydra to be providing a real
> result!
>
> You can then add this line to your configuration.nix:
>
>> system.replaceRuntimeDependencies = [
>>   { original = pkgs.glibc;
>>     replacement = builtins.storePath /nix/store/5fbwy40pa4pqr97jdgbyaal1y1ns6hb1-glibc-2.21; }
>> ];
>
> and do a nixos-rebuild against the channel to get a secured system
> until the channel is updated.
>
> Regards,
> Shea
>
> On 2016-02-16 11:36, Shea Levy wrote:
>> Fixed patch pushed to master, 15.09, and 14.12.
>>
>> On 2016-02-16 10:58, Shea Levy wrote:
>>> There was an error with the patch, we're cooking up a fix now.
>>>
>>> On 2016-02-16 10:37, Shea Levy wrote:
>>>> Hi all,
>>>>
>>>> I've just merged the patch to fix CVE-2015-7547, a buffer overrun in
>>>> glibc with working POC exploit, into master and 15.09. It will take
>>>> some time for the channel to update, so please use your judgment as to
>>>> whether you want to wait for that or switch to building from git until
>>>> it catches up. Please check out pkgs.replaceDependency
>>>> (https://github.com/NixOS/nixpkgs/blob/15aa139a1a131b3e34a0b49425d87cffbf93d905/pkgs/build-support/replace-dependency.nix)
>>>> for an alternative that won't require a full rebuild in the meantime.
>>>>
>>>> Eelco, Rob, can we do anything to ensure hydra capacity for the
>>>> rebuild?
>>>>
>>>> ~Shea
>>>> _______________________________________________
>>>> nix-dev mailing list
>>>> nix-dev at lists.science.uu.nl
>>>> http://lists.science.uu.nl/mailman/listinfo/nix-dev

-- 
Russell O'Connor                                      <http://r6.ca/>
``All talk about `theft,''' the general counsel of the American Graphophone
Company wrote, ``is the merest claptrap, for there exists no property in
ideas musical, literary or artistic, except as defined by statute.''
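Added illustration (not code from this thread or from nixpkgs) of the mechanism behind pkgs.replaceDependency and system.replaceRuntimeDependencies that the thread relies on to avoid a full rebuild. As I understand replace-dependency.nix, it copies every dependent of the original derivation and rewrites the old store path to the new one inside the copied outputs, which is why the replacement must be a store path of exactly the same length: a byte-for-byte rewrite of a path embedded in an ELF interpreter or RPATH string cannot change its length. The vulnerable glibc path is the one from the thread; the patched hash, the zlib dependency and the sample "binary" bytes are constructed for the example and are hypothetical.

```python
"""Model of the store-path rewriting used by Nix dependency replacement.
Illustration only; not nixpkgs' replace-dependency.nix."""
import re

# Nix's base-32 alphabet (digits plus letters without e, o, t, u); store
# paths are /nix/store/<32 base-32 chars>-<name>.
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"
STORE_PATH_RE = re.compile(
    rb"/nix/store/[" + NIX_BASE32.encode() + rb"]{32}-[A-Za-z0-9+._?=-]+")


def find_references(blob: bytes) -> set:
    """Approximation of nix-store's reference scanner: every store path
    literally embedded in an output's bytes is a runtime reference of it."""
    return {m.decode() for m in STORE_PATH_RE.findall(blob)}


def check_replaceable(original: str, replacement: str) -> None:
    """Refuse anything that is not a store path or that would change length:
    shifting bytes inside string tables or ELF headers corrupts the file."""
    for p in (original, replacement):
        if not STORE_PATH_RE.fullmatch(p.encode()):
            raise ValueError(f"not a Nix store path: {p}")
    if len(original) != len(replacement):
        raise ValueError(
            f"store path length differs ({len(original)} vs {len(replacement)}); "
            "the replacement must have the same name length as the original")


def rewrite_references(blob: bytes, original: str, replacement: str):
    """Rewrite every occurrence of the original path to the replacement.
    Returns (rewritten bytes, number of occurrences replaced)."""
    check_replaceable(original, replacement)
    old, new = original.encode(), replacement.encode()
    return blob.replace(old, new), blob.count(old)


# Store path of the vulnerable glibc as given in the thread.
VULNERABLE_GLIBC = "/nix/store/5fbwy40pa4pqr97jdgbyaal1y1ns6hb1-glibc-2.21"
# Hypothetical patched glibc: different hash, same name, so the same length.
PATCHED_GLIBC = "/nix/store/" + NIX_BASE32 + "-glibc-2.21"
# Hypothetical unrelated dependency that must survive the rewrite untouched.
OTHER_DEP = "/nix/store/" + NIX_BASE32[::-1] + "-zlib-1.2.8"

# Constructed sample "binary": a real ELF carries its interpreter (PT_INTERP)
# and RPATH as NUL-terminated strings exactly like these.
SAMPLE_BINARY = (
    b"\x7fELF" + b"\0" * 12
    + (VULNERABLE_GLIBC + "/lib/ld-linux-x86-64.so.2").encode() + b"\0"
    + (VULNERABLE_GLIBC + "/lib:" + OTHER_DEP + "/lib").encode() + b"\0"
)


def demo():
    """Rewrite the sample and report references before/after, count, and
    whether the file length was preserved."""
    before = find_references(SAMPLE_BINARY)
    patched, n = rewrite_references(SAMPLE_BINARY, VULNERABLE_GLIBC, PATCHED_GLIBC)
    after = find_references(patched)
    return before, after, n, len(patched) == len(SAMPLE_BINARY)


if __name__ == "__main__":
    before, after, n, same_len = demo()
    print("references before:", sorted(before))
    print("references after: ", sorted(after))
    print("occurrences rewritten:", n, "length preserved:", same_len)
```

Two things this makes concrete for the thread: after the rewrite the old glibc is no longer a reference of the binary, so the system closure no longer pulls it in, and a replacement whose name length differs (say glibc-2.21-fixed) is rejected before it can corrupt anything. The trust caveat Shea raises still applies unchanged: the rewrite is only as good as the replacement path you point it at, whether that came from a local build or from someone else's binary cache.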


More information about the nix-dev mailing list