author | Robin Gloster <mail@glob.in> | 2017-02-24 13:44:28 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-02-24 13:44:28 +0100 |
commit | 8f60b43d9c46ac59722262d545025f23bfb8bb68 (patch) | |
tree | 1823f02bd9441ed3909e3266d02425946062f3be /pkgs | |
parent | 8e1fa01f3a727aa496353a0a0bf505a68678af99 (diff) | |
parent | 30cea5f02245a20022ea93f8eec2f4fe053ad97a (diff) | |
Merge pull request #23130 from grahamc/insecure-packages-with-docs
nixpkgs: allow packages to be marked insecure (this time with docs)
Diffstat (limited to 'pkgs')
-rw-r--r-- | pkgs/development/libraries/libplist/default.nix | 7 | ||||
-rw-r--r-- | pkgs/stdenv/generic/default.nix | 72 |
2 files changed, 67 insertions, 12 deletions
diff --git a/pkgs/development/libraries/libplist/default.nix b/pkgs/development/libraries/libplist/default.nix index 4de5a23569e..b98fdbdb470 100644 --- a/pkgs/development/libraries/libplist/default.nix +++ b/pkgs/development/libraries/libplist/default.nix @@ -28,5 +28,12 @@ in stdenv.mkDerivation rec { homepage = http://github.com/JonathanBeck/libplist; platforms = stdenv.lib.platforms.all; maintainers = [ stdenv.lib.maintainers.urkud ]; + knownVulnerabilities = [ + "CVE-2017-5209: base64decode function in base64.c allows attackers to obtain sensitive information from process memory or cause a denial of service" + "CVE-2017-5545: attackers to obtain sensitive information from process memory or cause a denial of service" + "CVE-2017-5834: A heap-buffer overflow in parse_dict_node" + "CVE-2017-5835: A memory allocation error leading to DoS" + "CVE-2017-5836: A type inconsistency in bplist.c" + ]; }; } diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index 34ba2fd8dd9..cb94db48f4b 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix @@ -75,6 +75,14 @@ let isUnfree (lib.lists.toList attrs.meta.license) && !allowUnfreePredicate attrs; + allowInsecureDefaultPredicate = x: builtins.elem x.name (config.permittedInsecurePackages or []); + allowInsecurePredicate = x: (config.allowUnfreePredicate or allowInsecureDefaultPredicate) x; + + hasAllowedInsecure = attrs: + (attrs.meta.knownVulnerabilities or []) == [] || + allowInsecurePredicate attrs || + builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1"; + showLicense = license: license.shortName or "unknown"; defaultNativeBuildInputs = extraBuildInputs ++ 
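Review bot: The new `allowInsecurePredicate` reads `config.allowUnfreePredicate` instead of `config.allowInsecurePredicate`, so a user-supplied insecure predicate is never consulted and any `allowUnfreePredicate` a user already set to admit specific unfree packages silently becomes the policy for vulnerable packages too. The line should be `allowInsecurePredicate = x: (config.allowInsecurePredicate or allowInsecureDefaultPredicate) x;`. Note also that the default predicate matches on `x.name`, which carries the version, so a `permittedInsecurePackages` entry stops applying after a version bump; that looks intentional (forces re-assessment) but deserves a comment next to `allowInsecureDefaultPredicate`. The enclosing `let` block starts outside the hunk.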
@@ -137,24 +145,62 @@ let builtins.unsafeGetAttrPos "name" attrs; pos'' = if pos' != null then "‘" + pos'.file + ":" + toString pos'.line + "’" else "«unknown-file»"; - throwEvalHelp = { reason, errormsg }: - # uppercase the first character of string s - let up = s: with lib; - (toUpper (substring 0 1 s)) + (substring 1 (stringLength s) s); - in - assert builtins.elem reason ["unfree" "broken" "blacklisted"]; - - throw ("Package ‘${attrs.name or "«name-missing»"}’ in ${pos''} ${errormsg}, refusing to evaluate." - + (lib.strings.optionalString (reason != "blacklisted") '' + remediation = { + unfree = remediate_whitelist "Unfree"; + broken = remediate_whitelist "Broken"; + blacklisted = x: ""; + insecure = remediate_insecure; + }; + remediate_whitelist = allow_attr: attrs: + '' a) For `nixos-rebuild` you can set - { nixpkgs.config.allow${up reason} = true; } + { nixpkgs.config.allow${allow_attr} = true; } in configuration.nix to override this. b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add - { allow${up reason} = true; } + { allow${allow_attr} = true; } to ~/.config/nixpkgs/config.nix. - '')); + ''; + + remediate_insecure = attrs: + '' + + Known issues: + + '' + (lib.fold (issue: default: "${default} - ${issue}\n") "" attrs.meta.knownVulnerabilities) + '' + + You can install it anyway by whitelisting this package, using the + following methods: + + a) for `nixos-rebuild` you can add ‘${attrs.name or "«name-missing»"}’ to + `nixpkgs.config.permittedInsecurePackages` in the configuration.nix, + like so: + + { + nixpkgs.config.permittedInsecurePackages = [ + "${attrs.name or "«name-missing»"}" + ]; + } + + b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add + ‘${attrs.name or "«name-missing»"}’ to `permittedInsecurePackages` in + ~/.config/nixpkgs/config.nix, like so: + + { + permittedInsecurePackages = [ + "${attrs.name or "«name-missing»"}" + ]; + } + + ''; + + + throwEvalHelp = { reason , errormsg ? 
"" }: + throw ('' + Package ‘${attrs.name or "«name-missing»"}’ in ${pos''} ${errormsg}, refusing to evaluate. + + '' + ((builtins.getAttr reason remediation) attrs)); # Check if a derivation is valid, that is whether it passes checks for # e.g brokenness or license. @@ -171,6 +217,8 @@ let { valid = false; reason = "broken"; errormsg = "is marked as broken"; } else if !allowBroken && attrs.meta.platforms or null != null && !lib.lists.elem result.system attrs.meta.platforms then { valid = false; reason = "broken"; errormsg = "is not supported on ‘${result.system}’"; } + else if !(hasAllowedInsecure attrs) then + { valid = false; reason = "insecure"; errormsg = "is marked as insecure"; } else { valid = true; }; outputs' = |
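Review bot: Removing the `assert builtins.elem reason [...]` guard means `throwEvalHelp` now resolves `builtins.getAttr reason remediation` unchecked, so a misspelled or new `reason` value fails with an attribute-missing error in place of the refusal message, hiding the actual package and position from the user. Suggest `'' + ((remediation.${reason} or (throw "throwEvalHelp: unknown reason ‘${reason}’")) attrs));` so the failure mode is explicit. The `remediate_insecure` text quotes the versioned `attrs.name` into the whitelist example; a one-line note there that the entry must be updated after each upgrade would make the behaviour clear to operators. The enclosing `let` block begins before this hunk.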