libsoup_2_4: mark vulnerable #427813
webkitgtk_4_0 also depends on libsoup_2_4. Can we remove that dependency? Otherwise gnucash would no longer be usable, which would be a shame. Also I think we need to touch nixpkgs/pkgs/top-level/release-small.nix Line 171 in a421ac6
The whole thing of the
Fair enough about the release thing. The alternative to dropping is building
To fix List of packages affected I think:
{
x86_64-linux = [
"airwin2rack"
"alexandria"
"alfis"
"am2rlauncher"
"ansel"
"ario"
"balsa"
"bambu-studio"
"bambu-studio.debug"
"bitcomet"
"bookworm"
"cargo-tauri_1"
"catppuccinifier-gui"
"chickenPackages_5.chickenEggs.webview"
"chow-kick"
"chow-tape-model"
"cinnamon-common"
"cinnamon-gsettings-overrides"
"cinnamon-screensaver"
"cinny-desktop"
"citrix_workspace"
"citrix_workspace_23_11_0"
"citrix_workspace_24_02_0"
"citrix_workspace_24_05_0"
"citrix_workspace_24_08_0"
"citrix_workspace_24_11_0"
"citrix_workspace_25_03_0"
"cog"
"darktable"
"desktop-postflop"
"en-croissant"
"fondo"
"gamehub"
"geeqie"
"glom"
"glom.dev"
"glom.devdoc"
"glom.doc"
"glom.lib"
"gnome-inform7"
"gnome-notes"
"gnome-recipes"
"gnucash"
"gpx-viewer"
"gramps"
"gramps.dist"
"gssdp"
"gssdp.dev"
"gssdp.devdoc"
"gthumb"
"gui-for-clash"
"gui-for-singbox"
"gupnp"
"gupnp.dev"
"gupnp.devdoc"
"heroic"
"holochain-launcher"
"hqplayerd"
"insulator2"
"komorebi"
"libchamplain"
"libchamplain.dev"
"libchamplain.devdoc"
"libepc"
"libepc.dev"
"libepc.devdoc"
"libgdata"
"libgdata.dev"
"libgdata.installedTests"
"librest"
"librest.dev"
"librest.devdoc"
"libsoup_2_4"
"libsoup_2_4.debug"
"libsoup_2_4.dev"
"lifeograph"
"mate.caja-extensions"
"mate.caja-with-extensions"
"meteo"
"mouse-actions-gui"
"nasc"
"notes-up"
"oidc-agent"
"orca-slicer"
"orca-slicer.debug"
"osm-gps-map"
"osm-gps-map.dev"
"osm-gps-map.doc"
"photoprism"
"pot"
"python312Packages.gnucash"
"pytrainer"
"pytrainer.dist"
"restic-browser"
"rquickshare-legacy"
"rymcast"
"satisfactorymodmanager"
"shotwell"
"skytemple"
"skytemple.dist"
"snippetexpandergui"
"sonobus"
"sparkle"
"spice-up"
"squirreldisk"
"surf"
"surf-display"
"themechanger"
"timezonemap"
"tiny-rdm"
"tonelib-zoom"
"trillian-im"
"tunefish"
"uhttpmock"
"uhttpmock.dev"
"uhttpmock.devdoc"
"ulauncher"
"ulauncher.dist"
"wails"
"webkit2-sharp"
"webkitgtk_4_0"
"webkitgtk_4_0.debug"
"webkitgtk_4_0.dev"
"webkitgtk_4_0.devdoc"
"xplorer"
];
}
it seems our
Good catch about both of those two. Personally I am not sure how to best go through that list and make sure nothing actually important breaks beyond looking at the packages, checking for updates/patches, and migrating them away. Feel free to push to my branch or make an additional PR, both are fine with me.
Yes, I just confirmed: the diff for fixing this is trivial, I'll just push that here.
That was the last user of
It is probably a good idea to do it in another PR as we probably want to rename gupnp_1_6 to just gupnp and there may be some other clean-ups we could do.
Regarding gnucash I opened #428027 but still need to test it properly.
c2a140b to 953050e
This change was proposed upstream for the default build [1], but deferred to gnome 49. However, looking at the pile of CVEs in old libsoup, this is irresponsible. [1] https://gitlab.gnome.org/GNOME/gvfs/-/merge_requests/266
953050e to 881c2de
👍 for disabling gdrive support in gvfs
What is the blocker on this? More of the remaining relevant things have been migrated, and the security issues don't go away by just ignoring them.
I think what you're really asking is this:
I'll take a look.
Thanks, and fair enough. Though real blockers even to a security PR could exist, particularly if channel blockers have unmitigated dependencies on this. E.g. the mate and cinnamon tests would have qualified, and I am not super sure how to find those, short of trying to replicate and build all channel blockers locally. And I don't know how I would even do that. But, yes, phrasing could have been better...
Should this get a backport? #428043 should get a backport first then, I guess. Not sure what the usual procedure is here.
Also the gnucash PR and probably some more. If only we could build things on Hydra despite having known vulnerabilities, then this would be a no-brainer.
I got unexpectedly hit by this today on nixos unstable on rebuilding the config (no flakes, no home manager): I don't include any of the above mentioned packages directly, so I guess it's a dependency of something. Is there an easy way to find out which of my included packages depends on it?
Probably not a discussion to be had in this issue (at least for prolonged amounts of time), but passing
libsoup 2 is EOL, with many known unfixed CVEs.
The last release happened 2023-10-11,
with few security backports since and no stable release.
Vulnerabilities likely include (incomplete list):
These vulnerabilities were fixed in libsoup 3,
with the vulnerable code present in libsoup 2 versions.
Part of #360897
I confirmed the graphical ISO installer no longer depends on libsoup_2_4, so this should not cause issues.
gvfs used old libsoup for google support. Seeing as our test suite and various other popular things still use gvfs in places, I split google support into an additional option (default false) to remove the libsoup_2_4 dependency.
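As an added illustration (not the diff of this PR), this NixOS module shows both sides of what "mark vulnerable" means in nixpkgs: a non-empty meta.knownVulnerabilities makes evaluation refuse the package, and every dependent in the list above fails in the same way until the consumer allow-lists the exact package name. The overlay form and the version string are placeholders; the PR itself sets the attribute inside nixpkgs.

```nix
# Added example, not code from the PR. One NixOS module that makes the
# nixpkgs "insecure package" mechanism visible end to end.
{ lib, ... }:
{
  # Maintainer side, written as an overlay only so the example is
  # self-contained. Any non-empty meta.knownVulnerabilities list causes
  # nixpkgs' meta checks to refuse the package at evaluation time.
  nixpkgs.overlays = [
    (final: prev: {
      libsoup_2_4 = prev.libsoup_2_4.overrideAttrs (old: {
        meta = (old.meta or { }) // {
          knownVulnerabilities = (old.meta.knownVulnerabilities or [ ]) ++ [
            ''
              libsoup 2 is EOL, with many known unfixed CVEs.
              The last release happened 2023-10-11, with few security
              backports since and no stable release. The vulnerable code
              fixed in libsoup 3 is still present in libsoup 2.
            ''
          ];
        };
      });
    })
  ];

  # Consumer side: gnucash, webkitgtk_4_0 and the other dependents now stop
  # evaluating with an "is marked as insecure" error. The only opt-in is an
  # exact pname-version match here; keeping this list empty is the intended
  # state, and each name added is one more package still shipping the
  # unfixed code.
  nixpkgs.config.permittedInsecurePackages = [
    # "libsoup-2.x.y"   # placeholder: must equal the package's `name` exactly
  ];
}
```

To answer the question above about which configured package pulls libsoup_2_4 into a closure, `nix why-depends <package> <dependency>` prints the chain, and `nix-store --query --referrers` on the built store path lists direct dependents.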