[Nix-dev] CVE-2015-7547 stdenv-changing fix merged on master and 15.09

Kosyrev Serge skosyrev at ptsecurity.com
Tue Feb 16 20:25:46 CET 2016


roconnor at theorem.ca writes:
> I am using the following expression which I believe will build a patched 
> version of glibc locally, and then build a patched NixOS derivation.
>
> system.replaceRuntimeDependencies = with pkgs.lib;
>   [ { original = pkgs.glibc;
>       replacement = pkgs.stdenv.lib.overrideDerivation pkgs.glibc (oldAttr: {
>         patches = oldAttr.patches ++ [
>           (pkgs.fetchurl {
>             url = "https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/development/libraries/glibc/cve-2015-7547.patch";
>             sha256 = "0awpc4rp2x27rjpj83ps0rclmn73hsgfv2xxk18k82w4hdxqpp5r";
>           })
>         ];
>       });
>     }
>   ];
>
> I didn't time it, but I think it took around 25 minutes to update my 
> desktop machine this way.  Good luck everyone.

For those of us who aren't that fluent in Nix idioms -- could you
provide a quick summary of how you manage to achieve the seemingly
impossible?

Normally, one would expect that updating glibc would cause a full system
rebuild, but in your case it's obviously not the case.

And lastly -- is this somehow related to the techniques proposed for
providing NixOS with security updates?

-- 
с уважением / respectfully,
Косырев Сергей
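To illustrate the mechanism behind the question above, here is an added shell example; it is neither the poster's Nix expression nor the replace-dependency code from nixpkgs. system.replaceRuntimeDependencies does not rebuild the packages that link against glibc: it copies the system closure and rewrites every reference to the original store path into the replacement path. That is only possible because two store paths with the same name have the same length, so the substitution does not shift a single byte in the rewritten files. The two store paths and the two-file "closure" below are constructed for the demo, and the length check is the toy script's own guard for that precondition.

```shell
#!/bin/sh
# Added example, not code from the thread or from nixpkgs: a toy model of the
# reference rewriting behind system.replaceRuntimeDependencies. The store
# paths below are constructed (not real hashes); note they have equal length.
set -e

OLD_GLIBC="/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-glibc-2.22"
NEW_GLIBC="/nix/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-glibc-2.22"

# Build a small fake "closure": two files that embed the old glibc path,
# standing in for wrapper scripts and RPATH entries in a real system.
make_closure() {
  dir=$(mktemp -d)
  printf '#!/bin/sh\nexport LD_LIBRARY_PATH=%s/lib\nexec "$@"\n' "$OLD_GLIBC" > "$dir/wrapper"
  printf 'RPATH=%s/lib:/run/opengl-driver/lib\n' "$OLD_GLIBC" > "$dir/rpath.txt"
  printf '%s' "$dir"
}

# Number of files under $1 that still mention path $2.
count_refs() {
  grep -rl -- "$2" "$1" | wc -l | tr -d ' '
}

# Rewrite references to $2 with $3 in every file under $1. Refuse when the
# lengths differ: an in-place substitution would then move bytes around in
# binaries (ELF headers, string tables) and corrupt them.
replace_dependency() {
  root=$1; old=$2; new=$3
  if [ "${#old}" -ne "${#new}" ]; then
    echo "refusing: '$new' is not the same length as '$old'" >&2
    return 1
  fi
  # '|' as the sed delimiter because store paths contain '/'.
  find "$root" -type f -exec sed -i "s|$old|$new|g" {} +
}

# Stand-alone demo: rewrite the fake closure and report before/after counts.
demo() {
  root=$(make_closure)
  before=$(count_refs "$root" "$OLD_GLIBC")
  replace_dependency "$root" "$OLD_GLIBC" "$NEW_GLIBC"
  after_old=$(count_refs "$root" "$OLD_GLIBC")
  after_new=$(count_refs "$root" "$NEW_GLIBC")
  echo "files referencing old glibc: $before -> $after_old; new glibc: $after_new"
  rm -rf "$root"
}

demo
```

Running the script prints "files referencing old glibc: 2 -> 0; new glibc: 2". The important caveat it makes visible is the one the real mechanism also relies on: the replacement must be a same-named derivation so its store path has the same length as the original, and it is the rewritten copy of the closure, not a rebuilt one, that gets activated.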

