[22.05] liblouis: apply patch for CVE-2022-26981 #178230

Merged
merged 1 commit into from
Jun 19, 2022

lheckemann
Member

Fixes: CVE-2022-26981

Refs:
liblouis/liblouis#1185
GHSA-xrp8-mw8v-p6mq
https://nvd.nist.gov/vuln/detail/CVE-2022-26981

Things done
  • Built on x86_64-linux
  • Tested that the reproducer works
  • TODO: verify that this really fixes the issue, since it didn't actually crash before the patch
  • Fits CONTRIBUTING.md.

@risicle
Contributor

risicle commented Jun 19, 2022

For reference, fixed in master here #177570

@risicle
Contributor

risicle commented Jun 19, 2022

Confirmed this fixes the poc for me on linux x86_64.

Contributor

@risicle risicle left a comment

nixpkgs-review happy, macos 10.15 & nixos x86_64. Builds, linux aarch64.

@risicle risicle merged commit cc0322f into NixOS:release-22.05 Jun 19, 2022
@github-actions
Contributor

Backport failed for release-21.11, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally.

git fetch origin release-21.11
git worktree add -d .worktree/backport-178230-to-release-21.11 origin/release-21.11
cd .worktree/backport-178230-to-release-21.11
git checkout -b backport-178230-to-release-21.11
ancref=$(git merge-base 3b0a83ac96ea540a857197e5d7f933ffda909a16 a4f5b169f1e40aba9fd2eedcc6ebba3e9f90645e)
git cherry-pick -x $ancref..a4f5b169f1e40aba9fd2eedcc6ebba3e9f90645e

@risicle
Contributor

risicle commented Jun 20, 2022

Expected. I'll do it.

@risicle
Contributor

risicle commented Jun 20, 2022

Hmmmmmm the commit right after it looks pretty critical too TBH liblouis/liblouis@2e4772b

@risicle
Contributor

risicle commented Jun 20, 2022

Also liblouis/liblouis#1184

I wish people were consistent in declaring CVEs.
