!ZRgXNaHrdpGqwUnGnj:nixos.org

NixOS Security Triage

331 Members
Coordination and triage of security issues in nixpkgs | Discussions in #security-discuss:nixos.org | Open PRs: https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+is%3Aopen+sort%3Aupdated-desc+label%3A%221.severity%3A+security%22103 Servers

Load older messages


SenderMessageTime
7 Aug 2022
@winterqt:nixos.devWinter (she/her)testing on aarch64-linux22:45:22
@pennae:matrix.eno.spacepennaegoing to skip the nginx test, might be used only there22:46:33
@winterqt:nixos.devWinter (she/her) ris_: fails 22:47:26
@winterqt:nixos.devWinter (she/her)
test 0224...core dumped
22:47:31
@winterqt:nixos.devWinter (she/her)at least it's reproducible...22:47:36
@winterqt:nixos.devWinter (she/her)
test 0224...[HTTP GET gzip compressed content with huge comment and extra field]

 224: data FAILED:
--- log/check-expected	2022-08-07 23:04:20.706430933 +0000
+++ log/check-generated	2022-08-07 23:04:20.706430933 +0000
@@ -1,9 +0,0 @@
-HTTP/1.1 200 OK[CR][LF]
-Date: Mon, 29 Nov 2004 21:56:53 GMT[CR][LF]
-Server: Apache/1.3.31 (Debian GNU/Linux) mod_gzip/1.3.26.1a PHP/4.3.9-1 mod_ssl/2.8.20 OpenSSL/0.9.7d mod_perl/1.29[CR][LF]
-Vary: Accept-Encoding[CR][LF]
-Content-Type: text/html; charset=ISO-8859-1[CR][LF]
-Content-Encoding: gzip[CR][LF]
-Content-Length: 2186[CR][LF]
-[CR][LF]
-uncompressed gzip data with long gzip header[LF]
23:04:58
@winterqt:nixos.devWinter (she/her)can't get it to core dump here23:05:12
@winterqt:nixos.devWinter (she/her)maybe a sandbox issue?23:05:15
@winterqt:nixos.devWinter (she/her)(it does fail though)23:05:22
@pennae:matrix.eno.spacepennaeoh great, second attempt failed because the ssd firmware crashed (again) and a test timed out. no failures from tests, though it seems the withCheck test is still going23:06:50
@winterqt:nixos.devWinter (she/her)for what it's worth... the test is "uncompressed gzip data with long gzip header" , and the patch fixes "a bug when getting a gzip header extra field with inflate()."23:12:21
@pennae:matrix.eno.spacepennaeconfirmed. same test fails here23:17:56
@winterqt:nixos.devWinter (she/her)i'm considering filing a bug with curl...23:18:21
@winterqt:nixos.devWinter (she/her)objections? i don't see why we shouldn't, idk, might get it fixed faster23:18:33
@winterqt:nixos.devWinter (she/her)they definitely look like they get dealt with quickly23:19:24
@winterqt:nixos.devWinter (she/her)not sure why i asked that tbh (almost done writing)23:27:28
@r_i_s:matrix.orgris_i suspect it's a zlib issue if anything23:49:07
@r_i_s:matrix.orgris_won't know until i do some investigation tomorrow23:49:26
@raitobezarius:matrix.orgraitobezarius
In reply to @r_i_s:matrix.org
i suspect it's a zlib issue if anything
would not be the first time (see the keycloak thing)
23:49:30
@r_i_s:matrix.orgris_after all it's a patch that was authored 8 days ago, hasn't made it into a proper release yet23:49:50
@r_i_s:matrix.orgris_https://github.com/NixOS/nixpkgs/pull/18561323:52:14
@r_i_s:matrix.orgris_the test description sounds very related to what the zlib patch was doing23:53:40
@hexa:lossy.networkhexa
In reply to @raitobezarius:matrix.org
would not be the first time (see the keycloak thing)
please, not again 😓
23:54:30
@r_i_s:matrix.orgris_it's all good - we caught it before it made it out of staging23:55:05
@r_i_s:matrix.orgris_and we might be able to prevent it getting into a zlib release23:55:35
@winterqt:nixos.devWinter (she/her)what keycloak thing? no recent keycloak PRs stand out to me23:57:58
8 Aug 2022
@ar:hackerspace.pl@ar:hackerspace.pl left the room.07:23:59
@ma27:nicht-so.sexyma27gnutls fix for cve-2022-2509: https://github.com/NixOS/nixpkgs/pull/18564509:04:17
@life-the-user:matrix.org@life-the-user:matrix.org removed their display name life-the-user.15:18:44
@life-the-user:matrix.org@life-the-user:matrix.org left the room.15:19:31

There are no newer messages yet.


Back to Room ListRoom Version: 6