Merge pull request #22890 from grahamc/mark-as-insecure

nixpkgs: allow packages to be marked insecure
This commit is contained in:
Graham Christensen 2017-02-23 07:12:18 -05:00 committed by GitHub
commit 037c489b10
2 changed files with 67 additions and 12 deletions

@ -28,5 +28,12 @@ in stdenv.mkDerivation rec {
homepage = http://github.com/JonathanBeck/libplist;
platforms = stdenv.lib.platforms.all;
maintainers = [ stdenv.lib.maintainers.urkud ];
knownVulnerabilities = [
"CVE-2017-5209: base64decode function in base64.c allows attackers to obtain sensitive information from process memory or cause a denial of service"
"CVE-2017-5545: attackers to obtain sensitive information from process memory or cause a denial of service"
"CVE-2017-5834: A heap-buffer overflow in parse_dict_node"
"CVE-2017-5835: A memory allocation error leading to DoS"
"CVE-2017-5836: A type inconsistency in bplist.c"
];
};
}

@ -75,6 +75,14 @@ let
isUnfree (lib.lists.toList attrs.meta.license) &&
!allowUnfreePredicate attrs;
allowInsecureDefaultPredicate = x: builtins.elem x.name (config.permittedInsecurePackages or []);
allowInsecurePredicate = x: (config.allowUnfreePredicate or allowInsecureDefaultPredicate) x;
hasAllowedInsecure = attrs:
(attrs.meta.knownVulnerabilities or []) == [] ||
allowInsecurePredicate attrs ||
builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1";
showLicense = license: license.shortName or "unknown";
defaultNativeBuildInputs = extraBuildInputs ++
@ -137,24 +145,62 @@ let
builtins.unsafeGetAttrPos "name" attrs;
pos'' = if pos' != null then "" + pos'.file + ":" + toString pos'.line + "" else "«unknown-file»";
throwEvalHelp = { reason, errormsg }:
# uppercase the first character of string s
let up = s: with lib;
(toUpper (substring 0 1 s)) + (substring 1 (stringLength s) s);
in
assert builtins.elem reason ["unfree" "broken" "blacklisted"];
throw ("Package ${attrs.name or "«name-missing»"} in ${pos''} ${errormsg}, refusing to evaluate."
+ (lib.strings.optionalString (reason != "blacklisted") ''
remediation = {
unfree = remediate_whitelist "Unfree";
broken = remediate_whitelist "Broken";
blacklisted = x: "";
insecure = remediate_insecure;
};
remediate_whitelist = allow_attr: attrs:
''
a) For `nixos-rebuild` you can set
{ nixpkgs.config.allow${up reason} = true; }
{ nixpkgs.config.allow${allow_attr} = true; }
in configuration.nix to override this.
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
{ allow${up reason} = true; }
{ allow${allow_attr} = true; }
to ~/.config/nixpkgs/config.nix.
''));
'';
remediate_insecure = attrs:
''
Known issues:
'' + (lib.fold (issue: default: "${default} - ${issue}\n") "" attrs.meta.knownVulnerabilities) + ''
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ${attrs.name or "«name-missing»"} to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"${attrs.name or "«name-missing»"}"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
${attrs.name or "«name-missing»"} to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"${attrs.name or "«name-missing»"}"
];
}
'';
throwEvalHelp = { reason , errormsg ? "" }:
throw (''
Package ${attrs.name or "«name-missing»"} in ${pos''} ${errormsg}, refusing to evaluate.
'' + ((builtins.getAttr reason remediation) attrs));
# Check if a derivation is valid, that is whether it passes checks for
# e.g brokenness or license.
@ -171,6 +217,8 @@ let
{ valid = false; reason = "broken"; errormsg = "is marked as broken"; }
else if !allowBroken && attrs.meta.platforms or null != null && !lib.lists.elem result.system attrs.meta.platforms then
{ valid = false; reason = "broken"; errormsg = "is not supported on ${result.system}"; }
else if !(hasAllowedInsecure attrs) then
{ valid = false; reason = "insecure"; errormsg = "is marked as insecure"; }
else { valid = true; };
outputs' =