Since years I'm not maintaining anything of the list below other
than some updates when I needed them for some reason. Other people
is doing that maintenance on my behalf so I better take me out but
for very few packages. Finally!
This makes the command ‘nix-env -qa -f. --arg config '{skipAliases =
true;}'’ work in Nixpkgs.
Misc...
- qtikz: use libsForQt5.callPackage
This ensures we get the right poppler.
- rewrites:
docbook5_xsl -> docbook_xsl_ns
docbook_xml_xslt -> docbook_xsl
diffpdf: fixup
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/singularity/versions.
<details><summary>Version release notes (from GitHub)</summary>
Greetings Singularity containerizers!
This release contains fixes for a _high severity_ security issue affecting Singularity 2.3.0 through 2.5.1 on kernels that support overlay file systems (CVE-2018-12021). A malicious user with network access to the host system (e.g. ssh) could exploit this vulnerability to access sensitive information on disk and bypass directory image restrictions like those preventing the root file system from being mounted into the container.
Singularity 2.5.2 should be installed immediately, and all previous versions of Singularity should be removed. The vulnerability addressed in this release affects kernels that support overlayfs. If you are unable to upgrade immediately, you should set `enable overlay = no` in `singularity.conf`.
In addition, this release contains a large number of bug fixes. Details follow:
## [Security related fixes](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12021)
- Removed the option to use overlay images with `singularity mount`. This
flaw could allow a malicious user accessing the host system to access
sensitive information when coupled with persistent ext3 overlay.
- Fixed a race condition that might allow a malicious user to bypass directory
image restrictions, like mounting the host root filesystem as a container
image
## Bug fixes
- Fix an error in malloc allocation #1620
- Honor debug flag when pulling from docker hub #1556
- Fix a bug with passwd abort #1580
- Allow user to override singularity.conf "mount home = no" with --home option
#1496
- Improve debugging output #1535
- Fix some bugs in bind mounting #1525
- Define PR_(S|G)ET_NO_NEW_PRIVS in user space so that these features will
work with kernels that implement them (like Cray systems) #1506
- Create /dev/fd and standard streams symlinks in /dev when using minimal dev
mount or when specifying -c/-C/--contain option #1420
- Fixed * expansion during app runscript creation #1486
As always, please report any bugs to:
https://github.com/singularityware/singularity/issues/new</details>
These checks were done:
- built on NixOS
- /nix/store/3igwiqi311c18w13y5r7zrgpcnzylg9l-singularity-2.5.2/bin/singularity passed the binary check.
- Warning: no invocation of /nix/store/3igwiqi311c18w13y5r7zrgpcnzylg9l-singularity-2.5.2/bin/run-singularity had a zero exit code or showed the expected version
- 1 of 2 passed binary check by having a zero exit code.
- 0 of 2 passed binary check by having the new version present in output.
- found 2.5.2 with grep in /nix/store/3igwiqi311c18w13y5r7zrgpcnzylg9l-singularity-2.5.2
- directory tree listing: https://gist.github.com/ed6db09ad43a19c6abf2d35d15ef489c
- du listing: https://gist.github.com/9bd23f4d6ee86a9eb2ba7ec5c986741d
* treewide: http -> https sources
This updates the source urls of all top-level packages from http to
https where possible.
* buildtorrent: fix url and tab -> spaces
I no longer use rancher and can test this derivation.
Also rancher-compose should have the same version as the rancher cluster
used. So it is better to be build by the user using it rather having a
random version in nixpkgs.
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/virtualbox/versions.
These checks were done:
- built on NixOS
- ran ‘/nix/store/6769l9s88jlcv3qgxpjsfr1ybkq3yvvb-virtualbox-5.2.12/bin/VBoxManage -h’ got 0 exit code
- ran ‘/nix/store/6769l9s88jlcv3qgxpjsfr1ybkq3yvvb-virtualbox-5.2.12/bin/VBoxManage --help’ got 0 exit code
- ran ‘/nix/store/6769l9s88jlcv3qgxpjsfr1ybkq3yvvb-virtualbox-5.2.12/bin/VBoxManage help’ got 0 exit code
- ran ‘/nix/store/6769l9s88jlcv3qgxpjsfr1ybkq3yvvb-virtualbox-5.2.12/bin/VBoxBalloonCtrl -h’ got 0 exit code
- ran ‘/nix/store/6769l9s88jlcv3qgxpjsfr1ybkq3yvvb-virtualbox-5.2.12/bin/VBoxBalloonCtrl --help’ got 0 exit code
- found 5.2.12 with grep in /nix/store/6769l9s88jlcv3qgxpjsfr1ybkq3yvvb-virtualbox-5.2.12
- directory tree listing: https://gist.github.com/f9bf852a0a8e6e0b4c44a9b68764850b
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/containerd/versions.
These checks were done:
- built on NixOS
- ran ‘/nix/store/lmnlz9w8fhf71pxl7wlhv9vsv4k3bnxd-containerd-1.1.0/bin/containerd -h’ got 0 exit code
- ran ‘/nix/store/lmnlz9w8fhf71pxl7wlhv9vsv4k3bnxd-containerd-1.1.0/bin/containerd --help’ got 0 exit code
- ran ‘/nix/store/lmnlz9w8fhf71pxl7wlhv9vsv4k3bnxd-containerd-1.1.0/bin/containerd help’ got 0 exit code
- ran ‘/nix/store/lmnlz9w8fhf71pxl7wlhv9vsv4k3bnxd-containerd-1.1.0/bin/containerd-release -h’ got 0 exit code
- ran ‘/nix/store/lmnlz9w8fhf71pxl7wlhv9vsv4k3bnxd-containerd-1.1.0/bin/containerd-release --help’ got 0 exit code
- ran ‘/nix/store/lmnlz9w8fhf71pxl7wlhv9vsv4k3bnxd-containerd-1.1.0/bin/containerd-release help’ got 0 exit code
- ran ‘/nix/store/lmnlz9w8fhf71pxl7wlhv9vsv4k3bnxd-containerd-1.1.0/bin/ctr -h’ got 0 exit code
- ran ‘/nix/store/lmnlz9w8fhf71pxl7wlhv9vsv4k3bnxd-containerd-1.1.0/bin/ctr --help’ got 0 exit code
- ran ‘/nix/store/lmnlz9w8fhf71pxl7wlhv9vsv4k3bnxd-containerd-1.1.0/bin/ctr help’ got 0 exit code
- found 1.1.0 with grep in /nix/store/lmnlz9w8fhf71pxl7wlhv9vsv4k3bnxd-containerd-1.1.0
- directory tree listing: https://gist.github.com/7b4a990853acfbf946f8abe02582f41d
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/tini/versions.
These checks were done:
- built on NixOS
- ran ‘/nix/store/h0h2qyxwrvsjy47m1xyv7sxzd2j0ilsi-tini-0.18.0/bin/tini -h’ got 0 exit code
- ran ‘/nix/store/h0h2qyxwrvsjy47m1xyv7sxzd2j0ilsi-tini-0.18.0/bin/tini --version’ and found version 0.18.0
- found 0.18.0 with grep in /nix/store/h0h2qyxwrvsjy47m1xyv7sxzd2j0ilsi-tini-0.18.0
- directory tree listing: https://gist.github.com/c992fd0a24dfc0365d6b62ac567d395c
Following legacy packing conventions, `isArm` was defined just for
32-bit ARM instruction set. This is confusing to non packagers though,
because Aarch64 is an ARM instruction set.
The official ARM overview for ARMv8[1] is surprisingly not confusing,
given the overall state of affairs for ARM naming conventions, and
offers us a solution. It divides the nomenclature into three levels:
```
ISA: ARMv8 {-A, -R, -M}
/ \
Mode: Aarch32 Aarch64
| / \
Encoding: A64 A32 T32
```
At the top is the overall v8 instruction set archicture. Second are the
two modes, defined by bitwidth but differing in other semantics too, and
buttom are the encodings, (hopefully?) isomorphic if they encode the
same mode.
The 32 bit encodings are mostly backwards compatible with previous
non-Thumb and Thumb encodings, and if so we can pun the mode names to
instead mean "sets of compatable or isomorphic encodings", and then
voilà we have nice names for 32-bit and 64-bit arm instruction sets
which do not use the word ARM so as to not confused either laymen or
experienced ARM packages.
[1]: https://developer.arm.com/products/architecture/a-profile
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/singularity/versions.
These checks were done:
- built on NixOS
- ran ‘/nix/store/0rcn1kn4j7rmr0qn314g28vpa4xf230d-singularity-2.4.6/bin/singularity -h’ got 0 exit code
- ran ‘/nix/store/0rcn1kn4j7rmr0qn314g28vpa4xf230d-singularity-2.4.6/bin/singularity --help’ got 0 exit code
- ran ‘/nix/store/0rcn1kn4j7rmr0qn314g28vpa4xf230d-singularity-2.4.6/bin/singularity help’ got 0 exit code
- found 2.4.6 with grep in /nix/store/0rcn1kn4j7rmr0qn314g28vpa4xf230d-singularity-2.4.6
- directory tree listing: https://gist.github.com/e2f21872e885760acf461b07dd5b4f86
This obsoletes two of the included patches, one of them RISC-V specific,
since they've been picked up by upstream.
This build has been confirmed as being able to build and run an (extremely
recent) RISC-V Fedora 28 Rawhide image, available from:
https://fedorapeople.org/groups/risc-v/disk-images/
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/containerd/versions.
These checks were done:
- built on NixOS
- ran ‘/nix/store/qmgzfad2cazgv7j1k31pqs512b59b8hp-containerd-1.0.3/bin/containerd -h’ got 0 exit code
- ran ‘/nix/store/qmgzfad2cazgv7j1k31pqs512b59b8hp-containerd-1.0.3/bin/containerd --help’ got 0 exit code
- ran ‘/nix/store/qmgzfad2cazgv7j1k31pqs512b59b8hp-containerd-1.0.3/bin/containerd help’ got 0 exit code
- ran ‘/nix/store/qmgzfad2cazgv7j1k31pqs512b59b8hp-containerd-1.0.3/bin/containerd-release -h’ got 0 exit code
- ran ‘/nix/store/qmgzfad2cazgv7j1k31pqs512b59b8hp-containerd-1.0.3/bin/containerd-release --help’ got 0 exit code
- ran ‘/nix/store/qmgzfad2cazgv7j1k31pqs512b59b8hp-containerd-1.0.3/bin/containerd-release help’ got 0 exit code
- ran ‘/nix/store/qmgzfad2cazgv7j1k31pqs512b59b8hp-containerd-1.0.3/bin/containerd-stress -h’ got 0 exit code
- ran ‘/nix/store/qmgzfad2cazgv7j1k31pqs512b59b8hp-containerd-1.0.3/bin/containerd-stress --help’ got 0 exit code
- ran ‘/nix/store/qmgzfad2cazgv7j1k31pqs512b59b8hp-containerd-1.0.3/bin/containerd-stress help’ got 0 exit code
- ran ‘/nix/store/qmgzfad2cazgv7j1k31pqs512b59b8hp-containerd-1.0.3/bin/ctr -h’ got 0 exit code
- ran ‘/nix/store/qmgzfad2cazgv7j1k31pqs512b59b8hp-containerd-1.0.3/bin/ctr --help’ got 0 exit code
- ran ‘/nix/store/qmgzfad2cazgv7j1k31pqs512b59b8hp-containerd-1.0.3/bin/ctr help’ got 0 exit code
- found 1.0.3 with grep in /nix/store/qmgzfad2cazgv7j1k31pqs512b59b8hp-containerd-1.0.3
- directory tree listing: https://gist.github.com/b830fb8c24834f83e627fd6d567eae87
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/singularity/versions.
These checks were done:
- built on NixOS
- ran `/nix/store/893zy5r9ih8lp9p24s9l198jdjdwadj4-singularity-2.4.5/bin/singularity -h` got 0 exit code
- ran `/nix/store/893zy5r9ih8lp9p24s9l198jdjdwadj4-singularity-2.4.5/bin/singularity --help` got 0 exit code
- ran `/nix/store/893zy5r9ih8lp9p24s9l198jdjdwadj4-singularity-2.4.5/bin/singularity help` got 0 exit code
- ran `/nix/store/893zy5r9ih8lp9p24s9l198jdjdwadj4-singularity-2.4.5/bin/singularity -v` and found version 2.4.5
- found 2.4.5 with grep in /nix/store/893zy5r9ih8lp9p24s9l198jdjdwadj4-singularity-2.4.5
- directory tree listing: https://gist.github.com/f42298f39e3c1c4832de9817cc1fc5bf
And also build in parallel.
I don't understand why we manually tediously link every single directory
from the source, but I don't want to investigate too much.
Bump lkl version to latest that includes merge of Linux 4.15 and fix for
an issue where cptofs wasn't returning failure when image size was too
small and file copying failed with:
error writing file: No space left on device
(see lkl/linux#427)
Semi-automatic update. These checks were done:
- built on NixOS
- ran `/nix/store/p41wb0fqnvn4bx6jjs7hs98xlrzp8s79-tini-0.17.0/bin/tini -h` got 0 exit code
- ran `/nix/store/p41wb0fqnvn4bx6jjs7hs98xlrzp8s79-tini-0.17.0/bin/tini --version` and found version 0.17.0
- ran `/nix/store/p41wb0fqnvn4bx6jjs7hs98xlrzp8s79-tini-0.17.0/bin/tini -h` and found version 0.17.0
- found 0.17.0 with grep in /nix/store/p41wb0fqnvn4bx6jjs7hs98xlrzp8s79-tini-0.17.0
- found 0.17.0 in filename of file in /nix/store/p41wb0fqnvn4bx6jjs7hs98xlrzp8s79-tini-0.17.0
Semi-automatic update. These checks were performed:
- built on NixOS
- found 1.11.0 with grep in /nix/store/m55my69q0dc6rbvf7sfz3mln7vca1d53-seabios-1.11.0
- found 1.11.0 in filename of file in /nix/store/m55my69q0dc6rbvf7sfz3mln7vca1d53-seabios-1.11.0
cc "@tstrobel"
Semi-automatic update. These checks were performed:
- built on NixOS
- found 2.4 with grep in /nix/store/5p43l2r5y6m0sdpyxwcwiv381ycglami-remotebox-2.4
- found 2.4 in filename of file in /nix/store/5p43l2r5y6m0sdpyxwcwiv381ycglami-remotebox-2.4
The AArch64 build fails after trying to pull in tmmintrin.h:
```
../common/memcpySSE.h:24:23: fatal error: tmmintrin.h: No such file or directory
#include <tmmintrin.h>
^
compilation terminated.
make: *** [Makefile:29: .build/renderers/opengl.o] Error 1
```
Which are SSSE3 intrinsics unsupported on ARM. This package also likely would
not be useful on ARM, as it requires KVM and a compatible KVM guest running
the frame relay (usually Windows).
Upstream changes without issue IDs:
* GUI: fixed occasional screen corruption when host screen resolution
is changed
* User interface: increase proposed disk size when creating new VMs for
Windows 7 and newer
* User interface: various improvements for high resolution screens
* VMM: Fixed problems using 256MB VRAM in raw-mode VMs
* Audio: implemented support for audio playback and recording for macOS
guests
* Audio: further timing improvements for Windows 10 guests
* Linux hosts: fixed problem accessing mini-toolbar under XFCE
The full changelog including issue IDs can be found at:
https://www.virtualbox.org/wiki/Changelog#v6
What was not mentioned in the changelog is that this release fixes
compiling the VirtualBox modules against kernel 4.15, which was added in
commit 61043ad4d1.
Tested this by running all of the tests in nixos/tests/virtualbox.nix.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @flokli, @svanderburg
[...]
make modules -C /nix/store/h1vzl6bq4wif3m8dd1bw2p3fv4shjg3n-linux-4.14.9-dev/lib/modules/4.14.9/build EXTRA_CFLAGS=-Werror-implicit-function-declaration M=/tmp/nix-build-spl-kernel-2017-11-16-4.14.9.drv-0/source/build
/nix/store/h1vzl6bq4wif3m8dd1bw2p3fv4shjg3n-linux-4.14.9-dev/lib/modules/4.14.9/source/Makefile:939: *** "Cannot generate ORC metadata for CONFIG_UNWINDER_ORC=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel". Stop.
This patch introduces kernel.moduleBuildDependencies to avoid the logic "stdenv.lib.optional (stdenv.lib.versionAtLeast kernel.version "4.14") libelf" in multiple places.
[dezgeg did some minor tweaks on top]
* $out/bin/qemu-kvm should point to qemu-system-aarch64 on aarch64, libvirt expect it
* makeWrapper codes are separated as some architectures might require additional command flags (https://github.com/NixOS/nixpkgs/issues/31606#issuecomment-349675127)
* x86_64-on-i686 is not a native emulation and not supported by KVM, so it is removed from the list
Upstream changes without issue IDs:
* User interface: various improvements for high resolution screens
* User interface: added functionality to duplicate optical and floppy
images
* User interface: various improvements for the virtual media manager
* VMM: fixed emulation so that Plan 9 guests can start once more (5.1.0
regression)
* Storage: fixed regression breaking iSCSI
* Audio: added HDA support for more exotic guests (e.g. Haiku)
* Serial: fixed hanging I/O when using named pipes on Windows (5.2.0
regression)
* Serial: fixed broken communication with certain devices on Linux
hosts
* USB/OHCI: improved behavior so that the controller state after a VM
reset is closer to the initial state after VM start
* EFI: fixed HFS+ driver which in rare cases failed to access most
files on a volume
* Shared clipboard: fixed hang with OS X host and Linux guest
* Linux hosts: fixed kernel module compilation and start failures with
Linux kernel 4.14
* X11 hosts: better handle WM_CLASS setting
* Linux guests: fixed kernel module compilation and other problems with
Linux kernel 4.14
* Linux guests: fixed various 5.2.0 regressions
* Bridged networking: fixed duplicate EtherType in VLAN/priority tags
on Linux (5.2.0 regression)
The full changelog including issue IDs can be found at:
https://www.virtualbox.org/wiki/Changelog
Aside from just bumping the version number I also had to strip 3 levels
of the paths included in the guest-additions patches, because the
version was hardcoded in there and the patches still apply as-is.
I've re-added the stripped path using patchFlags and the -d option of
the patch utility.
Tested this by running all of the tests in the "virtualbox" NixOS VM
test module, here is the URL to the finished evaluation on my Hydra:
https://headcounter.org/hydra/eval/380191
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @NeQuissimus, @orivej, @etu, @vcunat
Issue: https://github.com/NixOS/nixpkgs/issues/31640
Issue: https://github.com/NixOS/nixpkgs/pull/31037
This updates to the new runc as was also done upstream:
f3ef17e47d
In particular, it fixes an issue where output of interactive docker containers
would not reset correctly to the beginning of a line.
* pkgs: refactor needless quoting of homepage meta attribute
A lot of packages are needlessly quoting the homepage meta attribute
(about 1400, 22%), this commit refactors all of those instances.
* pkgs: Fixing some links that were wrongfully unquoted in the previous
commit
* Fixed some instances
Compiling the kernel modules on Linux 4.12 fails, so I've included an
upstream patch from:
https://www.virtualbox.org/changeset/66927/vbox
The patch is applied against the guest additions as well, where we need
to transform the patch a bit so that we get CR LF line endings (DOS
format), which is what is the case for the guest additions ISO.
I've tested this with all the subtests of the "virtualbox" NixOS VM
tests and they all succeed on x86_64-linux.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit contains security patches for xen 4.8. The patches
for XSA-216 applied to the kernel are omitted, as they are part of
80e0cda7ff.
XSA-216 Issue Description:
> The block interface response structure has some discontiguous fields.
> Certain backends populate the structure fields of an otherwise
> uninitialized instance of this structure on their stacks, leaking
> data through the (internal or trailing) padding field.
More: https://xenbits.xen.org/xsa/advisory-216.html
XSA-217 Issue Description:
> Domains controlling other domains are permitted to map pages owned by
> the domain being controlled. If the controlling domain unmaps such a
> page without flushing the TLB, and if soon after the domain being
> controlled transfers this page to another PV domain (via
> GNTTABOP_transfer or, indirectly, XENMEM_exchange), and that third
> domain uses the page as a page table, the controlling domain will have
> write access to a live page table until the applicable TLB entry is
> flushed or evicted. Note that the domain being controlled is
> necessarily HVM, while the controlling domain is PV.
More: https://xenbits.xen.org/xsa/advisory-217.html
XSA-218 Issue Description:
> We have discovered two bugs in the code unmapping grant references.
>
> * When a grant had been mapped twice by a backend domain, and then
> unmapped by two concurrent unmap calls, the frontend may be informed
> that the page had no further mappings when the first call completed rather
> than when the second call completed.
>
> * A race triggerable by an unprivileged guest could cause a grant
> maptrack entry for grants to be "freed" twice. The ultimate effect of
> this would be for maptrack entries for a single domain to be re-used.
More: https://xenbits.xen.org/xsa/advisory-218.html
XSA-219 Issue Description:
> When using shadow paging, writes to guest pagetables must be trapped and
> emulated, so the shadows can be suitably adjusted as well.
>
> When emulating the write, Xen maps the guests pagetable(s) to make the final
> adjustment and leave the guest's view of its state consistent.
>
> However, when mapping the frame, Xen drops the page reference before
> performing the write. This is a race window where the underlying frame can
> change ownership.
>
> One possible attack scenario is for the frame to change ownership and to be
> inserted into a PV guest's pagetables. At that point, the emulated write will
> be an unaudited modification to the PV pagetables whose value is under guest
> control.
More: https://xenbits.xen.org/xsa/advisory-219.html
XSA-220 Issue Description:
> Memory Protection Extensions (MPX) and Protection Key (PKU) are features in
> newer processors, whose state is intended to be per-thread and context
> switched along with all other XSAVE state.
>
> Xen's vCPU context switch code would save and restore the state only
> if the guest had set the relevant XSTATE enable bits. However,
> surprisingly, the use of these features is not dependent (PKU) or may
> not be dependent (MPX) on having the relevant XSTATE bits enabled.
>
> VMs which use MPX or PKU, and context switch the state manually rather
> than via XSAVE, will have the state leak between vCPUs (possibly,
> between vCPUs in different guests). This in turn corrupts state in
> the destination vCPU, and hence may lead to weakened protections
>
> Experimentally, MPX appears not to make any interaction with BND*
> state if BNDCFGS.EN is set but XCR0.BND{CSR,REGS} are clear. However,
> the SDM is not clear in this case; therefore MPX is included in this
> advisory as a precaution.
More: https://xenbits.xen.org/xsa/advisory-220.html
XSA-221 Issue Description:
> When polling event channels, in general arbitrary port numbers can be
> specified. Specifically, there is no requirement that a polled event
> channel ports has ever been created. When the code was generalised
> from an earlier implementation, introducing some intermediate
> pointers, a check should have been made that these intermediate
> pointers are non-NULL. However, that check was omitted.
More: https://xenbits.xen.org/xsa/advisory-221.html
XSA-222 Issue Description:
> Certain actions require removing pages from a guest's P2M
> (Physical-to-Machine) mapping. When large pages are in use to map
> guest pages in the 2nd-stage page tables, such a removal operation may
> incur a memory allocation (to replace a large mapping with individual
> smaller ones). If this allocation fails, these errors are ignored by
> the callers, which would then continue and (for example) free the
> referenced page for reuse. This leaves the guest with a mapping to a
> page it shouldn't have access to.
>
> The allocation involved comes from a separate pool of memory created
> when the domain is created; under normal operating conditions it never
> fails, but a malicious guest may be able to engineer situations where
> this pool is exhausted.
More: https://xenbits.xen.org/xsa/advisory-222.html
XSA-224 Issue Description:
> We have discovered a number of bugs in the code mapping and unmapping
> grant references.
>
> * If a grant is mapped with both the GNTMAP_device_map and
> GNTMAP_host_map flags, but unmapped only with host_map, the device_map
> portion remains but the page reference counts are lowered as though it
> had been removed. This bug can be leveraged cause a page's reference
> counts and type counts to fall to zero while retaining writeable
> mappings to the page.
>
> * Under some specific conditions, if a grant is mapped with both the
> GNTMAP_device_map and GNTMAP_host_map flags, the operation may not
> grab sufficient type counts. When the grant is then unmapped, the
> type count will be erroneously reduced. This bug can be leveraged
> cause a page's reference counts and type counts to fall to zero while
> retaining writeable mappings to the page.
>
> * When a grant reference is given to an MMIO region (as opposed to a
> normal guest page), if the grant is mapped with only the
> GNTMAP_device_map flag set, a mapping is created at host_addr anyway.
> This does *not* cause reference counts to change, but there will be no
> record of this mapping, so it will not be considered when reporting
> whether the grant is still in use.
More: https://xenbits.xen.org/xsa/advisory-224.html
This commit adds the xen_4_8 package to be used instead of
xen (currently at 4.5.5):
* Add packages xen_4_8, xen_4_8-slim and xen_4_8-light
* Add packages qemu_xen_4_8 and qemu_xen_4_8-light to be used
with xen_4_8-slim and xen_4_8-light respectively.
* Add systemd to buildInputs of xen (it is required by oxenstored)
* Adapt xen service to work with the new version of xen
* Use xen-init-dom0 to initlilise dom0 in xen-store
* Currently, the virtualisation.xen.stored option is ignored
if xen 4.8 is used
XSA-216 Issue Description:
> The block interface response structure has some discontiguous fields.
> Certain backends populate the structure fields of an otherwise
> uninitialized instance of this structure on their stacks, leaking
> data through the (internal or trailing) padding field.
More: https://xenbits.xen.org/xsa/advisory-216.html
XSA-217 Issue Description:
> Domains controlling other domains are permitted to map pages owned by
> the domain being controlled. If the controlling domain unmaps such a
> page without flushing the TLB, and if soon after the domain being
> controlled transfers this page to another PV domain (via
> GNTTABOP_transfer or, indirectly, XENMEM_exchange), and that third
> domain uses the page as a page table, the controlling domain will have
> write access to a live page table until the applicable TLB entry is
> flushed or evicted. Note that the domain being controlled is
> necessarily HVM, while the controlling domain is PV.
More: https://xenbits.xen.org/xsa/advisory-217.html
XSA-218 Issue Description:
> We have discovered two bugs in the code unmapping grant references.
>
> * When a grant had been mapped twice by a backend domain, and then
> unmapped by two concurrent unmap calls, the frontend may be informed
> that the page had no further mappings when the first call completed rather
> than when the second call completed.
>
> * A race triggerable by an unprivileged guest could cause a grant
> maptrack entry for grants to be "freed" twice. The ultimate effect of
> this would be for maptrack entries for a single domain to be re-used.
More: https://xenbits.xen.org/xsa/advisory-218.html
XSA-219 Issue Description:
> When using shadow paging, writes to guest pagetables must be trapped and
> emulated, so the shadows can be suitably adjusted as well.
>
> When emulating the write, Xen maps the guests pagetable(s) to make the final
> adjustment and leave the guest's view of its state consistent.
>
> However, when mapping the frame, Xen drops the page reference before
> performing the write. This is a race window where the underlying frame can
> change ownership.
>
> One possible attack scenario is for the frame to change ownership and to be
> inserted into a PV guest's pagetables. At that point, the emulated write will
> be an unaudited modification to the PV pagetables whose value is under guest
> control.
More: https://xenbits.xen.org/xsa/advisory-219.html
XSA-220 Issue Description:
> Memory Protection Extensions (MPX) and Protection Key (PKU) are features in
> newer processors, whose state is intended to be per-thread and context
> switched along with all other XSAVE state.
>
> Xen's vCPU context switch code would save and restore the state only
> if the guest had set the relevant XSTATE enable bits. However,
> surprisingly, the use of these features is not dependent (PKU) or may
> not be dependent (MPX) on having the relevant XSTATE bits enabled.
>
> VMs which use MPX or PKU, and context switch the state manually rather
> than via XSAVE, will have the state leak between vCPUs (possibly,
> between vCPUs in different guests). This in turn corrupts state in
> the destination vCPU, and hence may lead to weakened protections
>
> Experimentally, MPX appears not to make any interaction with BND*
> state if BNDCFGS.EN is set but XCR0.BND{CSR,REGS} are clear. However,
> the SDM is not clear in this case; therefore MPX is included in this
> advisory as a precaution.
More: https://xenbits.xen.org/xsa/advisory-220.html
XSA-221 Issue Description:
> When polling event channels, in general arbitrary port numbers can be
> specified. Specifically, there is no requirement that a polled event
> channel ports has ever been created. When the code was generalised
> from an earlier implementation, introducing some intermediate
> pointers, a check should have been made that these intermediate
> pointers are non-NULL. However, that check was omitted.
More: https://xenbits.xen.org/xsa/advisory-221.html
XSA-222 Issue Description:
> Certain actions require removing pages from a guest's P2M
> (Physical-to-Machine) mapping. When large pages are in use to map
> guest pages in the 2nd-stage page tables, such a removal operation may
> incur a memory allocation (to replace a large mapping with individual
> smaller ones). If this allocation fails, these errors are ignored by
> the callers, which would then continue and (for example) free the
> referenced page for reuse. This leaves the guest with a mapping to a
> page it shouldn't have access to.
>
> The allocation involved comes from a separate pool of memory created
> when the domain is created; under normal operating conditions it never
> fails, but a malicious guest may be able to engineer situations where
> this pool is exhausted.
More: https://xenbits.xen.org/xsa/advisory-222.html
XSA-224 Issue Description:
> We have discovered a number of bugs in the code mapping and unmapping
> grant references.
>
> * If a grant is mapped with both the GNTMAP_device_map and
> GNTMAP_host_map flags, but unmapped only with host_map, the device_map
> portion remains but the page reference counts are lowered as though it
> had been removed. This bug can be leveraged cause a page's reference
> counts and type counts to fall to zero while retaining writeable
> mappings to the page.
>
> * Under some specific conditions, if a grant is mapped with both the
> GNTMAP_device_map and GNTMAP_host_map flags, the operation may not
> grab sufficient type counts. When the grant is then unmapped, the
> type count will be erroneously reduced. This bug can be leveraged
> cause a page's reference counts and type counts to fall to zero while
> retaining writeable mappings to the page.
>
> * When a grant reference is given to an MMIO region (as opposed to a
> normal guest page), if the grant is mapped with only the
> GNTMAP_device_map flag set, a mapping is created at host_addr anyway.
> This does *not* cause reference counts to change, but there will be no
> record of this mapping, so it will not be considered when reporting
> whether the grant is still in use.
More: https://xenbits.xen.org/xsa/advisory-224.html
The merge of the version bump in
6fb9f89238 didn't take care of our patch
for the hardening mode and thus enabling VirtualBox without also
force-disabling hardening mode will result in a build error.
While the patch is largely identical with the old version, I've removed
one particular change around the following code:
if (pFsObjState->Stat.st_mode & S_IWOTH)
return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
"World writable: '", pszPath, "'");
In the old version of the patch we have checked whether the path is
within the Nix store and suppressed the error return if that's the case.
The reason why I did that in the first place was because we had a bunch
of symlinks which were writable.
In VirtualBox 5.1.22 the code specifically checks whether the file is a
symlink, so we can safely drop our change.
Tested via all of the "virtualbox" NixOS VM subtests and they now all
succeed.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
XSA-206 Issue Description:
> xenstored supports transactions, such that if writes which would
> invalidate assumptions of a transaction occur, the entire transaction
> fails. Typical response on a failed transaction is to simply retry
> the transaction until it succeeds.
>
> Unprivileged domains may issue writes to xenstore which conflict with
> transactions either of the toolstack or of backends such as the driver
> domain. Depending on the exact timing, repeated writes may cause
> transactions made by these entities to fail indefinitely.
More: https://xenbits.xen.org/xsa/advisory-206.html
XSA-211 Issue Description:
> When a graphics update command gets passed to the VGA emulator, there
> are 3 possible modes that can be used to update the display:
>
> * blank - Clears the display
> * text - Treats the display as showing text
> * graph - Treats the display as showing graphics
>
> After the display geometry gets changed (i.e., after the CIRRUS VGA
> emulation has resized the display), the VGA emulator will resize the
> console during the next update command. However, when a blank mode is
> also selected during an update, this resize doesn't happen. The resize
> will be properly handled during the next time a non-blank mode is
> selected during an update.
>
> However, other console components - such as the VNC emulation - will
> operate as though this resize had happened. When the display is
> resized to be larger than before, this can result in a heap overflow
> as console components will expect the display buffer to be larger than
> it is currently allocated.
More: https://xenbits.xen.org/xsa/advisory-211.html
XSA-212 Issue Description:
> The XSA-29 fix introduced an insufficient check on XENMEM_exchange
> input, allowing the caller to drive hypervisor memory accesses outside
> of the guest provided input/output arrays.
More: https://xenbits.xen.org/xsa/advisory-212.html
XSA-213 Issue Description:
> 64-bit PV guests typically use separate (root) page tables for their
> kernel and user modes. Hypercalls are accessible to guest kernel
> context only, which certain hypercall handlers make assumptions on.
> The IRET hypercall (replacing the identically name CPU instruction)
> is used by guest kernels to transfer control from kernel mode to user
> mode. If such an IRET hypercall is placed in the middle of a multicall
> batch, subsequent operations invoked by the same multicall batch may
> wrongly assume the guest to still be in kernel mode. If one or more of
> these subsequent operations involve operations on page tables, they may
> be using the wrong root page table, confusing internal accounting. As
> a result the guest may gain writable access to some of its page tables.
More: https://xenbits.xen.org/xsa/advisory-213.html
XSA-214 Issue Description:
> The GNTTABOP_transfer operation allows one guest to transfer a page to
> another guest. The internal processing of this, however, does not
> include zapping the previous type of the page being transferred. This
> makes it possible for a PV guest to transfer a page previously used as
> part of a segment descriptor table to another guest while retaining the
> "contains segment descriptors" property.
>
> If the destination guest is a PV one of different bitness, it may gain
> access to segment descriptors it is not normally allowed to have, like
> 64-bit code segments in a 32-bit PV guest.
>
> If the destination guest is a HVM one, that guest may freely alter the
> page contents and then hand the page back to the same or another PV
> guest.
>
> In either case, if the destination PV guest then inserts that page into
> one of its own descriptor tables, the page still having the designated
> type results in validation of its contents being skipped.
More: https://xenbits.xen.org/xsa/advisory-214.html
XSA-215 Issue Description:
> Under certain special conditions Xen reports an exception resulting
> from returning to guest mode not via ordinary exception entry points,
> but via a so call failsafe callback. This callback, unlike exception
> handlers, takes 4 extra arguments on the stack (the saved data
> selectors DS, ES, FS, and GS). Prior to placing exception or failsafe
> callback frames on the guest kernel stack, Xen checks the linear
> address range to not overlap with hypervisor space. The range spanned
> by that check was mistakenly not covering these extra 4 slots.
More: https://xenbits.xen.org/xsa/advisory-215.html
Recent commit #c10af9e744c91dff1ccc07a52a0b57d1e4d339f3 changed the
behaviour of wrapPythonPrograms, which caused pygrub to no longer
being wrapped. This commit fixes this.
