Branch: refs/heads/staging
Home: https://github.com/NixOS/nixpkgs
Commit: 4150f5e8ba650416dcb8956c9835885cc6a2a80d
https://github.com/NixOS/nixpkgs/commit/4150f5e8ba650416dcb8956c9835885cc6a2a80d
Author: Franz Pletz <fpl...@fnordicwalking.de>
Date: 2017-06-22 (Thu, 22 Jun 2017)
Changed paths:
M pkgs/build-support/cc-wrapper/add-hardening.sh
Log Message:
-----------
cc-wrapper: add stackcheck hardening (stack clash)
This fixes the Stack Clash issue rediscovered by Qualys. See
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
for more information on the topic, specifically section III.
We don't have the kernel mitigation available because it is a Grsecurity
feature which we don't support anymore. Other distributions like Gentoo
Hardened and Arch already have `-fstack-check` enabled by default.
See the Gentoo page on Stack Clash for more information on this solution:
https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash
This unfortunately doesn't apply to clang because `-fstack-check` is a
no-op there. Note that the GCC implementation also has problems that could
be exploited to circumvent these checks, but it is still better than
keeping it disabled.
Commit: 6a850d2b11f22a22729b49f012fc26ff3c602f3f
https://github.com/NixOS/nixpkgs/commit/6a850d2b11f22a22729b49f012fc26ff3c602f3f
Author: Franz Pletz <fpl...@fnordicwalking.de>
Date: 2017-06-22 (Thu, 22 Jun 2017)
Changed paths:
M pkgs/tools/misc/coreutils/default.nix
Log Message:
-----------
coreutils: fix tests depending on setuid/setgid bits
Commit: 16aa92305bf8141c71cd44bc9af688e246df84df
https://github.com/NixOS/nixpkgs/commit/16aa92305bf8141c71cd44bc9af688e246df84df
Author: Franz Pletz <fpl...@fnordicwalking.de>
Date: 2017-06-22 (Thu, 22 Jun 2017)
Changed paths:
M pkgs/servers/mail/exim/default.nix
Log Message:
-----------
exim: patch CVE-2017-1000369 (stack clash)
Commit: aab71b31d5030bea94804d3677a3ffbc60e1876a
https://github.com/NixOS/nixpkgs/commit/aab71b31d5030bea94804d3677a3ffbc60e1876a
Author: Franz Pletz <fpl...@fnordicwalking.de>
Date: 2017-06-22 (Thu, 22 Jun 2017)
Changed paths:
M pkgs/os-specific/linux/kernel/patches.nix
M pkgs/top-level/all-packages.nix
Log Message:
-----------
linux: patch CVE-2017-1000364 (stack clash)
Commit: 2296bf394ec419e111fd0ca80e9000fb819980da
https://github.com/NixOS/nixpkgs/commit/2296bf394ec419e111fd0ca80e9000fb819980da
Author: Franz Pletz <fpl...@fnordicwalking.de>
Date: 2017-06-22 (Thu, 22 Jun 2017)
Changed paths:
A pkgs/development/libraries/glibc/CVE-2017-1000366-rtld-LD_AUDIT.patch
A pkgs/development/libraries/glibc/CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch
A pkgs/development/libraries/glibc/CVE-2017-1000366-rtld-LD_PRELOAD.patch
M pkgs/development/libraries/glibc/common.nix
Log Message:
-----------
glibc: patch CVE-2017-1000366 (stack clash)
Commit: 196bf8b0c735240aabe119b08d81dfface493b88
https://github.com/NixOS/nixpkgs/commit/196bf8b0c735240aabe119b08d81dfface493b88
Author: Franz Pletz <fpl...@fnordicwalking.de>
Date: 2017-06-22 (Thu, 22 Jun 2017)
Changed paths:
M pkgs/build-support/cc-wrapper/add-hardening.sh
A pkgs/development/libraries/glibc/CVE-2017-1000366-rtld-LD_AUDIT.patch
A pkgs/development/libraries/glibc/CVE-2017-1000366-rtld-LD_LIBRARY_PATH.patch
A pkgs/development/libraries/glibc/CVE-2017-1000366-rtld-LD_PRELOAD.patch
M pkgs/development/libraries/glibc/common.nix
M pkgs/os-specific/linux/kernel/patches.nix
M pkgs/servers/mail/exim/default.nix
M pkgs/tools/misc/coreutils/default.nix
M pkgs/top-level/all-packages.nix
Log Message:
-----------
Merge pull request #26750 from mayflower/fix/stack-clash-hardening
Mitigate Stack Clash
Compare: https://github.com/NixOS/nixpkgs/compare/5e2df7039dda...196bf8b0c735
_______________________________________________
nix-commits mailing list
nix-comm...@lists.science.uu.nl
https://mailman.science.uu.nl/mailman/listinfo/nix-commits