From 0e59e7b7d81cc5c8e878eed4c520b68728cd7368 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Tue, 10 Dec 2024 06:33:10 +0100 Subject: [PATCH 1/2] nix: simplify version checks --- pkgs/tools/package-management/nix/common.nix | 59 ++++++++------------ 1 file changed, 24 insertions(+), 35 deletions(-) diff --git a/pkgs/tools/package-management/nix/common.nix b/pkgs/tools/package-management/nix/common.nix index a4d233b2b128c..2e2b4ba94e2ff 100644 --- a/pkgs/tools/package-management/nix/common.nix +++ b/pkgs/tools/package-management/nix/common.nix @@ -10,16 +10,6 @@ }@args: assert (hash == null) -> (src != null); let - atLeast24 = lib.versionAtLeast version "2.4pre"; - atLeast25 = lib.versionAtLeast version "2.5pre"; - atLeast27 = lib.versionAtLeast version "2.7pre"; - atLeast210 = lib.versionAtLeast version "2.10pre"; - atLeast213 = lib.versionAtLeast version "2.13pre"; - atLeast214 = lib.versionAtLeast version "2.14pre"; - atLeast218 = lib.versionAtLeast version "2.18pre"; - atLeast219 = lib.versionAtLeast version "2.19pre"; - atLeast220 = lib.versionAtLeast version "2.20pre"; - atLeast221 = lib.versionAtLeast version "2.21pre"; atLeast224 = lib.versionAtLeast version "2.24pre"; atLeast225 = lib.versionAtLeast version "2.25pre"; # Major.minor versions unaffected by CVE-2024-27297 @@ -112,7 +102,7 @@ self = stdenv.mkDerivation { "shadowstack" ] ++ lib.optional stdenv.hostPlatform.isMusl "fortify"; - nativeInstallCheckInputs = lib.optional atLeast221 git ++ lib.optional atLeast219 man; + nativeInstallCheckInputs = lib.optional atLeast224 [ git man ]; nativeBuildInputs = [ pkg-config 
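Review bot: Deleting `atLeast24` through `atLeast221` and re-pointing every former threshold at `atLeast224` (here and in the hunks at -112, -121, -148, -179, -203, -225, -248 and -260) is only equivalent to the old gating if no version between 2.4 and 2.23 is still built through common.nix; for such a version the new branches would, for example, select the docbook toolchain instead of mdbook, run the `corepkgs/config.nix.in` substitution, and drop libgit2/toml11, and the commit does not state that this was verified. The file keeps a `!atLeast224` branch whose comment refers to 2.3.x, so 2.3 presumably still goes through this path and is unaffected, since every old threshold was already false for it. A comment next to the remaining bindings would record the invariant the simplification now relies on, e.g. `# Only 2.3.x and >= 2.24 are built from this file; every !atLeast224 branch below exists for 2.3.x.`, or an `assert` on `version` next to the existing `assert (hash == null) -> (src != null);` if it should be enforced rather than documented.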
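Review bot: `nativeInstallCheckInputs = lib.optional atLeast224 [ git man ];` wraps a list in `lib.optional`, which yields the nested list `[ [ git man ] ]`; as far as I can tell mkDerivation flattens dependency lists, so this most likely works, but every other list-valued conditional in this commit uses `lib.optionals … [ … ]`, and `nativeInstallCheckInputs = lib.optionals atLeast224 [ git man ];` would be the consistent form. The enclosing `stdenv.mkDerivation` attribute set starts and ends outside the hunk.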
@@ -121,17 +111,18 @@ self = stdenv.mkDerivation { bison flex jq - ] ++ lib.optionals (enableDocumentation && !atLeast24) [ - libxslt - libxml2 - docbook_xsl_ns - docbook5 - ] ++ lib.optionals (enableDocumentation && atLeast24) [ - (lib.getBin lowdown-unsandboxed) - mdbook - ] ++ lib.optionals (atLeast213 && enableDocumentation) [ - mdbook-linkcheck - ] ++ lib.optionals stdenv.hostPlatform.isLinux [ + ] ++ lib.optionals enableDocumentation + (if atLeast224 then [ + (lib.getBin lowdown-unsandboxed) + mdbook + mdbook-linkcheck + ] else [ + libxslt + libxml2 + docbook_xsl_ns + docbook5 + ]) + ++ lib.optionals stdenv.hostPlatform.isLinux [ util-linuxMinimal ]; @@ -148,23 +139,21 @@ self = stdenv.mkDerivation { gtest libarchive lowdown - ] ++ lib.optionals atLeast220 [ + ] ++ lib.optionals atLeast224 [ libgit2 - ] ++ lib.optionals (atLeast224 || lib.versionAtLeast version "pre20240626") [ toml11 + rapidcheck ] ++ lib.optionals (atLeast225 && enableDocumentation) [ python3 ] ++ lib.optionals stdenv.hostPlatform.isDarwin [ Security ] ++ lib.optionals (stdenv.hostPlatform.isx86_64) [ libcpuid - ] ++ lib.optionals atLeast214 [ - rapidcheck ] ++ lib.optionals withLibseccomp [ libseccomp ] ++ lib.optionals withAWS [ aws-sdk-cpp - ] ++ lib.optional (atLeast218 && stdenv.hostPlatform.isDarwin) [ + ] ++ lib.optional (atLeast224 && stdenv.hostPlatform.isDarwin) [ darwin.apple_sdk.libs.sandbox ] ++ lib.optional (atLeast224 && stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isx86_64) [ # Fix the following error with the default x86_64-darwin SDK: @@ -179,7 +168,7 @@ self = stdenv.mkDerivation { propagatedBuildInputs = [ boehmgc - ] ++ lib.optionals atLeast27 [ + ] ++ lib.optionals atLeast224 [ nlohmann_json ]; 
@@ -203,7 +192,7 @@ self = stdenv.mkDerivation { # removes config.nix entirely and is not present in 2.3.x, we need to # patch around an issue where the Nix configure step pulls in the build # system's bash and other utilities when cross-compiling. - lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform && !atLeast24) '' + lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform && !atLeast224) '' mkdir tmp/ substitute corepkgs/config.nix.in tmp/config.nix.in \ --subst-var-by bash ${bash}/bin/bash \ @@ -225,14 +214,14 @@ self = stdenv.mkDerivation { "--disable-doc-gen" ] ++ lib.optionals stdenv.hostPlatform.isLinux [ "--with-sandbox-shell=${busybox-sandbox-shell}/bin/busybox" - ] ++ lib.optionals (atLeast210 && stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isStatic) [ + ] ++ lib.optionals (atLeast224 && stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isStatic) [ "--enable-embedded-sandbox-shell" ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform && stdenv.hostPlatform ? nix && stdenv.hostPlatform.nix ? system) [ "--with-system=${stdenv.hostPlatform.nix.system}" ] ++ lib.optionals (!withLibseccomp) [ # RISC-V support in progress https://github.com/seccomp/libseccomp/pull/50 "--disable-seccomp-sandboxing" - ] ++ lib.optionals (atLeast210 && stdenv.cc.isGNU && !enableStatic) [ + ] ++ lib.optionals (atLeast224 && stdenv.cc.isGNU && !enableStatic) [ "--enable-lto" ]; @@ -248,7 +237,7 @@ self = stdenv.mkDerivation { installFlags = [ "sysconfdir=$(out)/etc" ]; doInstallCheck = true; - installCheckTarget = if atLeast210 then "installcheck" else null; + installCheckTarget = if atLeast224 then "installcheck" else null; # socket path becomes too long otherwise preInstallCheck = lib.optionalString stdenv.hostPlatform.isDarwin '' 
@@ -260,17 +249,17 @@ self = stdenv.mkDerivation { export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES '' # See https://github.com/NixOS/nix/issues/5687 - + lib.optionalString (atLeast25 && stdenv.hostPlatform.isDarwin) '' + + lib.optionalString (atLeast224 && stdenv.hostPlatform.isDarwin) '' echo "exit 99" > tests/gc-non-blocking.sh '' # TODO: investigate why this broken - + lib.optionalString (atLeast25 && stdenv.hostPlatform.system == "aarch64-linux") '' + + lib.optionalString (atLeast224 && stdenv.hostPlatform.system == "aarch64-linux") '' echo "exit 0" > tests/functional/flakes/show.sh '' + '' # nixStatic otherwise does not find its man pages in tests. export MANPATH=$man/share/man:$MANPATH ''; - separateDebugInfo = stdenv.hostPlatform.isLinux && (atLeast24 -> !enableStatic); + separateDebugInfo = stdenv.hostPlatform.isLinux && (atLeast224 -> !enableStatic); enableParallelBuilding = true; From 90f44b313c7a9b616bd6afc6ce38b11adf522e72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Tue, 10 Dec 2024 06:33:46 +0100 Subject: [PATCH 2/2] nix: remove fixed CVE-2024-27297 check --- pkgs/tools/package-management/nix/common.nix | 9 --------- 1 file changed, 9 deletions(-) diff --git a/pkgs/tools/package-management/nix/common.nix b/pkgs/tools/package-management/nix/common.nix index 2e2b4ba94e2ff..91622b64ebd10 100644 --- a/pkgs/tools/package-management/nix/common.nix +++ b/pkgs/tools/package-management/nix/common.nix @@ -12,14 +12,6 @@ assert (hash == null) -> (src != null); let atLeast224 = lib.versionAtLeast version "2.24pre"; atLeast225 = lib.versionAtLeast version "2.25pre"; - # Major.minor versions unaffected by CVE-2024-27297 - unaffectedByFodSandboxEscape = [ - "2.3" - "2.16" - "2.18" - "2.19" - "2.20" - ]; in { stdenv , autoconf-archive 
@@ -320,7 +312,6 @@ self = stdenv.mkDerivation { platforms = platforms.unix; outputsToInstall = [ "out" ] ++ optional enableDocumentation "man"; mainProgram = "nix"; - knownVulnerabilities = lib.optional (!builtins.elem (lib.versions.majorMinor version) unaffectedByFodSandboxEscape && !atLeast221) "CVE-2024-27297"; }; }; in self