We're propagating the plugin flags by importing from another Nix
expression file, which in turn exports the Nix path to the wrapper. This
causes that the store path isn't referenced in the wrapper and the path
isn't recognized by scanning the wrapper script (only those already
referenced at build time are).
So let's add the activated plugins to the buildInputs of the wrapper.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This brings a new stable version 40.0.2214.91 along with a beta update
to version 41.0.2272.16, the dev channel is still stuck at version
41.0.2272.12 and within the next days will jump to version 42.
For this reason, I've done some cheating here and brought the beta
channel in par with the dev channel, because dev is older than beta on
OmahaProxy.
Here's an overview of the channel upgrades:
stable: 39.0.2171.65 -> 40.0.2214.91 [1]
beta: 40.0.2214.10 -> 41.0.2272.16 [1] [2] [3]
dev: 41.0.2224.3 -> 41.0.2272.16 [1] [2] [3]
[1]: We needed to patch in locations of lib{pci,udev}.so, because
Chromium tries to load them at runtime. For version 41 startup will
fail if it is unable to load libudev, but it also has the advantage
that this fixes GPU detection using libpci in the stable version,
which in turn could fix a few bugs on NixOS.
[2]: The upstream Debian package for the binary plugins now uses XZ
compression for the enclosed data tarball.
[3]: Chromium 41 needs {shapshot,natives}_blob.bin in order to start up,
so let's cp it among with the .pak files to avoid adding a
conditional for version 40.
The release annoucement of the stable channel update can be found here:
http://googlechromereleases.blogspot.de/2015/01/stable-update.html
Note that this release contains 62 security fixes(!) and I'm hereby
apologizing for the delay of this update.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This adds enhanced-ctorrent (ctorrent) which is a CLI-based bittorrent
client written in C++. It is very fast for those times when one wants to
simply add a torrent quick'n'dirty-style.
Writing the gid_map is already non-fatal, but the actual sandbox process
still tries to setresgid() to nogroup (usually 65534). This however
fails, because if user namespace sandboxing is present, the namespace
doesn't have CAP_SETGID at this point.
Fortunately, the effective GID is already 65534, so we just need to
check whether the target gid matches and only(!) setresgid() if it
doesn't.
So if someone would run a SUID version of the sandbox, it would still
work nonetheless without a negative impact on security.
Fixes#5730, thanks to @wizeman for reporting and initial debugging.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The following vulnerabilities have been fixed.
- wnpa-sec-2015-01
The WCCP dissector could crash. (Bug 10720, Bug 10806) CVE-2015-0559,
CVE-2015-0560
- wnpa-sec-2015-02
The LPP dissector could crash. (Bug 10773) CVE-2015-0561
- wnpa-sec-2015-03
The DEC DNA Routing Protocol dissector could crash. (Bug 10724) CVE-2015-0562
- wnpa-sec-2015-04
The SMTP dissector could crash. (Bug 10823) CVE-2015-0563
- wnpa-sec-2015-05
Wireshark could crash while decypting TLS/SSL sessions. Discovered by Noam
Rathaus. CVE-2015-0564
See more at https://www.wireshark.org/docs/relnotes/wireshark-1.12.3.html