From 13797ff5224817abcb05926de842eb4e0fb41382 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Mon, 4 Dec 2017 09:33:39 +0100
Subject: [PATCH] linux-4.13: mark as insecure (+required generic changes)

extraMeta was being fed as passthru without being processed by stdenv, so without those changes, adding the security attribute would be useless.
---
 pkgs/os-specific/linux/kernel/generic.nix | 7 ++-----
 pkgs/os-specific/linux/kernel/linux-4.13.nix | 6 ++++++
 pkgs/os-specific/linux/kernel/manual-config.nix | 4 +++-
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/pkgs/os-specific/linux/kernel/generic.nix b/pkgs/os-specific/linux/kernel/generic.nix
index c2f4e6843f59..0d2b7655edb9 100644
--- a/pkgs/os-specific/linux/kernel/generic.nix
+++ b/pkgs/os-specific/linux/kernel/generic.nix
@@ -118,7 +118,7 @@ let
 };
 kernel = buildLinux {
- inherit version modDirVersion src kernelPatches stdenv;
+ inherit version modDirVersion src kernelPatches stdenv extraMeta;
 configfile = configfile.nativeDrv or configfile;
@@ -131,10 +131,7 @@ let
 passthru = {
 features = kernelFeatures;
-
- meta = kernel.meta // extraMeta;
-
- passthru = kernel.passthru // (removeAttrs passthru [ "passthru" "meta" ]);
+ passthru = kernel.passthru // (removeAttrs passthru [ "passthru" ]);
 };
 nativeDrv = lib.addPassthru kernel.nativeDrv passthru;
diff --git a/pkgs/os-specific/linux/kernel/linux-4.13.nix b/pkgs/os-specific/linux/kernel/linux-4.13.nix
index 72ae02bbecde..767f7e35422a 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.13.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.13.nix
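Review bot: Passing `extraMeta` to `buildLinux` in the first generic.nix hunk (`inherit version modDirVersion src kernelPatches stdenv extraMeta;`) assumes every `buildLinux` implementation accepts that argument, and with `meta = kernel.meta // extraMeta` removed from `passthru` in the second hunk there is no longer any other path by which `extraMeta` reaches the derivation's `meta`. manual-config.nix gains the parameter in this same commit, but its argument pattern has no `...` (its last line is `allowImportFromDerivation ? false }:`), so any other `buildLinux` passed to generic.nix with a closed pattern would now fail evaluation with an unexpected-argument error; whether such callers exist cannot be confirmed from this diff, so please check before merging. A comment above the `inherit` line such as `# extraMeta goes through buildLinux so stdenv's meta checks (e.g. knownVulnerabilities) see it; it is deliberately not set via passthru` would record why the passthru route was dropped. The enclosing `let` binding set starts and ends outside both hunks.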
@@ -4,6 +4,12 @@ import ./generic.nix (args // rec {
 version = "4.13.16";
 extraMeta.branch = "4.13";
+ # TODO: perhaps try being more concrete (ideally CVE numbers).
+ extraMeta.knownVulnerabilities = [
+ "ALSA: usb-audio: Fix potential out-of-bound access at parsing SU"
+ "eCryptfs: use after free in ecryptfs_release_messaging()"
+ ];
+
 src = fetchurl {
 url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
 sha256 = "0cf7prqzl1ajbgl98w0symdyn0k5wl5xaf1l5ldgy6l083yg69dh";
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index b4ee23079d93..9124559ef7a0 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -39,6 +39,8 @@ in {
 config ? stdenv.lib.optionalAttrs allowImportFromDerivation (readConfig configfile),
 # Cross-compiling config
 crossConfig ? if allowImportFromDerivation then (readConfig crossConfigfile) else config,
+ # Use defaultMeta // extraMeta
+ extraMeta ? {},
 # Whether to utilize the controversial import-from-derivation feature to parse the config
 allowImportFromDerivation ? false
 }:
@@ -228,7 +230,7 @@ let
 maintainers.thoughtpolice
 ];
 platforms = platforms.linux;
- };
+ } // extraMeta;
 };
 in
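Review bot: The two `knownVulnerabilities` entries are upstream fix titles with no identifier a user can look up, yet this list is exactly the text stdenv shows when it refuses the package (the commit message confirms stdenv now processes it), so it is what someone deciding on `permittedInsecurePackages` will act on; each entry should carry a stable reference — the CVE id once assigned, or at least the upstream fix commit — rather than only the TODO above the list promising that later. If the real reason for marking 4.13 insecure is that the branch no longer receives upstream fixes (suggested by the commit title, not stated in the diff), add a third entry saying so, e.g. `"linux-4.13 is no longer maintained upstream; further unfixed issues are expected"`, since otherwise the message implies only these two issues are outstanding. The `rec { ... }` attribute set this hunk edits continues outside the hunk.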
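Review bot: `} // extraMeta;` in the last manual-config.nix hunk is a shallow merge, so any key present in `extraMeta` replaces the default wholesale — `extraMeta.platforms` or `extraMeta.maintainers` would override rather than extend the values set just above, and a `knownVulnerabilities` list would likewise be replaced, not appended, should manual-config.nix ever set one of its own. That is acceptable for the present callers (the only defaults visible here are `maintainers` and `platforms`), but it should be stated at the parameter: the comment added in the earlier hunk, `# Use defaultMeta // extraMeta`, names a `defaultMeta` attribute that does not exist in the file, so `# Attributes merged over (and overriding, key by key) the derivation's default meta, e.g. knownVulnerabilities` would be clearer. The `let` block enclosing the `meta` set starts and ends outside the hunk.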