[PATCH] nix 2.16.2 -> 2.16.3 for CVE-2024-27297

Birdee · March 17, 2024, 1:12pm

I have a particular question. When making a pr to nixpkgs, what is common practice? Do I fork master and then PR straight to it? Is there a branch to submit to first? In addition, I’m a noob who would love to know what a .patch file is. Is it just a documentation of the patch? Is it actually code? It looks like a git diff. I understand the patch was to nix, and not nixpkgs, so is it just a diff of that change?

Edit: ok so my first question has been answered very thoroughly thank you I somehow forgot to check contributing.md

So yeah, what is a .patch file?

context:

github.com

NixOS/nixpkgs/blob/d691274a972b3165335d261cc4671335f5c67de9/pkgs/tools/package-management/nix/patches/2_18/CVE-2024-27297.patch

From f8d20e91a45f71b60402f5916d2475751c089c84 Mon Sep 17 00:00:00 2001
From: Tom Bereknyei <tomberek@gmail.com>
Date: Fri, 1 Mar 2024 03:42:26 -0500
Subject: [PATCH 1/3] Add a NixOS test for the sandbox escape

Test that we can't leverage abstract unix domain sockets to leak file
descriptors out of the sandbox and modify the path after it has been
registered.

Co-authored-by: Theophane Hufschmitt <theophane.hufschmitt@tweag.io>
---
 flake.nix                          |  2 +
 tests/nixos/ca-fd-leak/default.nix | 90 ++++++++++++++++++++++++++++++
 tests/nixos/ca-fd-leak/sender.c    | 65 +++++++++++++++++++++
 tests/nixos/ca-fd-leak/smuggler.c  | 66 ++++++++++++++++++++++
 4 files changed, 223 insertions(+)
 create mode 100644 tests/nixos/ca-fd-leak/default.nix
 create mode 100644 tests/nixos/ca-fd-leak/sender.c
 create mode 100644 tests/nixos/ca-fd-leak/smuggler.c

This file has been truncated. show original

Mic92 · March 17, 2024, 1:16pm

You would fork from master, create a feature branch and than open a pull request from this feature branch targeting master. The whole workflow should be documented here: https://github.com/NixOS/nixpkgs/blob/ebaf43d1633e9783c4681e9632841153dc0335b0/CONTRIBUTING.md#how-to-create-pull-requests

SebTM · March 17, 2024, 1:17pm

Hey, welcome to the discourse

I can recommend you the following resources for a better understanding of how to contribute and the nixpkgs-flow:

Nixpkgs/Contributing - NixOS Wiki
https://github.com/NixOS/nixpkgs/blob/ebaf43d1633e9783c4681e9632841153dc0335b0/CONTRIBUTING.md#how-to-create-pull-requests
Nix channels - NixOS Wiki (channels is just different names for different branches of nixpkgs)

perchun · March 17, 2024, 1:25pm

Git has powerful functionality for sending your changes (PRs) as files. For example, you can do git diff > my_changes.patch, send it to someone, and someone could apply all your changes by git apply my_changes.patch

You can also send commits as files, see How can I generate a Git patch for a specific commit? - Stack Overflow.

This is because Linus Torvalds (the creator of Linux) created git specifically for Linux kernel needs. And they still use email to send changes. Don’t know anything more about it, but I am sure you can google it.

Birdee · March 17, 2024, 1:27pm

Whoa so thats not even a nix thing thats a git thing? git is so cool lol no wonder it looks like a diff

So nix takes the diff and patches itself with git? or well, not itself but its past version?

perchun · March 17, 2024, 1:31pm

Yes, you can actually patch any package in nixpkgs (even patching nixpkgs itself (e.g. internals or .lib), though it is kind of hard with flakes)

https://nixos.wiki/wiki/Overlays
https://ertt.ca/nix/patch-nixpkgs/

Birdee · March 17, 2024, 1:36pm

Ok so I knew about overlays, but this is new to me completely

https://ertt.ca/nix/patch-nixpkgs/

I have 1 more question. nix plugins like this

Where do I find documentation on the nix C++ headers things like this imports to define things like new primops which im assuming means builtins? Is there docs or is it just source code in the nix package manager’s repo? Theres only like 1 short paragraph on it in the manual that I couldnt make heads or tails of.

perchun · March 17, 2024, 1:38pm

Can’t help with this, didn’t fall into rabbit hole so deep

Birdee · March 17, 2024, 1:40pm

Ah. All good. Well if anyone knows, I am all ears, I wanna make a builtin and learn how all this REALLY works. But yeah thank you so much you just answered questions I didnt know I had

wamserma · March 17, 2024, 7:36pm

For those landing in this thread based on the title, the PRs are on their way into the channels:

unstable: https://nixpk.gs/pr-tracker.html?pr=296670
23.11: Nixpkgs PR #296728 ("[Backport release-23.11] nixVersions.nix_2_16: 2.16.2 -> 2.16.3") progress