New upstream patch function and patches for fixing a bug in the patch for
CVE-2017-5667 and the following security issues:
* CVE-2016-7907
* CVE-2016-9602
* CVE-2016-10155
* CVE-2017-2620
* CVE-2017-2630
* CVE-2017-5525
* CVE-2017-5526
* CVE-2017-5579
* CVE-2017-5856
* CVE-2017-5857
* CVE-2017-5987
* CVE-2017-6058
Fixes:
* CVE-2017-2615
* CVE-2017-5667
* CVE-2017-5898
* CVE-2017-5931
* CVE-2017-5973
We are vulnerable to even more CVEs but those are either not severe like
memory leaks in obscure situations or upstream hasn't acknowledged the
patch yet.
cc #23072
The "misc" NixOS test is using Nix to query the store and it tries to
change the ownership of it while doing so.
This fails if Nix is not in a seccomp-sandboxed userid namespace, so
let's make chown() a no-op when applied to store paths.
Fixes the misc test (and possibly future tests) on older Nix versions.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Enables support for accessing files over HTTP:
qemu-system-x86_64 -drive media=cdrom,file=http://host/path.iso,readonly
Increases the closures size from 445 to 447 MiB.
The reason to patch QEMU is that with latest Nix, tests like "printing"
or "misc" fail because they expect the store paths to be owned by uid 0
and gid 0.
Starting with NixOS/nix@5e51ffb1c2, Nix
builds inside of a new user namespace. Unfortunately this also means
that bind-mounted store paths that are part of the derivation's inputs
are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534.
This in turn causes things like sudo or cups to fail with errors about
insecure file permissions.
So in order to avoid that, let's make sure the VM always gets files
owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store
path.
In addition, this adds a virtualisation.qemu.program option so that we
can make sure that we only use the patched version if we're *really*
running NixOS VM tests (that is, whenever we have imported
test-instrumentation.nix).
Tested against the "misc" and "printing" tests.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This reverts commit 0e0e3c0c08.
I've been seeing quite some QEMU segfaults on Hydra,
hopefully reverting the bump will fix the issue.
(cherry picked from commit 863c121c0782b82900d736f9f71dbcfa80f62e1d)
Signed-off-by: Domen Kožar <domen@dev.si>
- Vte, add gtk3 support, enable introspection, update to 0.35.90
- Spice-gtk, add gtk3 support
- gtk-vnc, add gtk3 support
- Add libvirt-glib (thanks @bjornfor)
- Add usbredir
- qemu, enable usbredir
- spice-gtk, enable usbredir
- virt-manager, update to 1.0.1
[Bjørn:
* Set namePrefix = "" to preserve package name "virt-manager"
(instead of "python2.7-virt-manager")
* Add dconf to GIO_EXTRA_MODULES to get persistent settings in
virt-manager. Without it:
GLib-GIO-Message: Using the 'memory' GSettings backend. Your settings will not be saved or shared with other applications.
* Add ${gtk3}/share to XDG_DATA_DIRS to unbreak "Take Screenshot"
feature (fixes "Settings schema 'org.gtk.Settings.FileChooser' is not installed")
* gtk-vnc: don't pull "pkgs" attrset for optionalString, use stdenv.lib.optionalString instead.
]
We already enable VNC and SDL support by default and adding spice only
increases the closure size from 513 MB to 518 MB.
Closure size:
du -sch $(nix-store -qR ./result)
* libdbi / libdbi-drivers: updated to 0.8.3, and make it compile with
SQLite.
* qemu-image: fix the URL.
* gdmap: make it build again (requires an older GTK+).
* rlwrap: updated to 0.37.
* smbfs-fuse -> fusesmb to match the upstream name.
* x11vnc: updated to 0.9.10.
* clearlyU: fix the URL.
* Various packages: follow the coding conventions.
svn path=/nixpkgs/trunk/; revision=22814
`selectVersion ./foo "bar"' instead of `import ./foo/bar.nix'.
* Replaced `with args' with formal function arguments in several
packages.
* Renamed several files to `default.nix'. As a general rule, version
numbers should only be included in the filename when there is a
reason to keep multiple versions of a package in Nixpkgs.
Otherwise, it just makes it harder to update the package.
svn path=/nixpkgs/trunk/; revision=18403