openexr_2: fix CVE-2021-3933, enable tests #234754
Conversation
Force-pushed from e6d6adc to a4f206e
Are we still unable to kill
@riscle:
The current default is In a very quick test I see at least
I think most of the ~recent openexr CVEs have been fixed in openexr 2.5.x with PRs AcademySoftwareFoundation/openexr@4212416 and AcademySoftwareFoundation/openexr#1040. The only fixes I found missing from openexr 2.5.x are CVE-2021-3933 and CVE-2021-26945. This PR is an attempt to patch CVE-2021-3933 in nixpkgs. As you wrote, CVE-2021-3933 has not been patched upstream in the 2.5.x branch, so we might also not want to backport this fix in nixpkgs. The upstream fix for CVE-2021-26945 is in PR AcademySoftwareFoundation/openexr#930, which, I think, does not apply to
@ofborg build pkgsi686Linux.openexr
Fails too.
Signed-off-by: Henri Rosten <henri.rosten@unikie.com>
Force-pushed from a4f206e to 7b78245
Thanks, I somehow managed to not notice that earlier. I see that test fails also without the CVE-2021-3933 patch from this PR. In testing the sse enforcement from 3.x I see it would fix the
LGTM. Built opencv, openimageio, gegl on macos 10.15 & nixos x86_64. Built pkgsStatic & pkgsCross.aarch64-multiplatform variants, x86_64.
For 22.11 & 23.05 we probably want the patch without the test additions.
The tests seem to fail most of the time, with a timeout in OpenEXR.IlmImf. When the package does successfully build for me, it still takes a long time, so maybe the timeout for that test just needs to be increased?
Below is an example test run from OfBorg / openexr_2, openexr_2.passthru.tests on x86_64-linux:
Do you have example logs you could point me to from when the tests fail with a timeout?
Sure. OfBorg on #240296 has failed three times on x86_64-linux so far due to openexr. Here's an example:
I suspect the difference is that, in your example, OfBorg has been told to build openexr, so once it gets to that point, that's the only thing that machine is building. Whereas in my example, it's building other things at the same time, so there'll be more load overall. That matches my experience on my personal machine too, where every build of dependent packages I've done recently has failed due to openexr, but when I build it on its own, the problem goes away, and I can then finish the rest of my build with no problem.
Here's an attempt to fix the problem by splitting the OpenEXR.IlmImf test into smaller parts: #240660. Alternatively, we could simply disable the openexr_2 tests again, the same way they were disabled before this PR.
The default timeout is 1500. We've been seeing consistent timeouts on builders under high load. Let's see if this helps. Link: #234754 (comment) Fixes: #240660
Description of changes
Apply a patch for CVE-2021-3933 on openexr 2.x. Also, enable tests the same way they have been enabled in openexr 3.x.