maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

* In the checker, do traversals of the dependency graph explicitly. A

Browse source 
conditional expression in the blacklist can specify when to
  continue/stop a traversal.  For example, in

    <condition>
      <within>
        <traverse>
          <not><hasAttr name='outputHash' value='.+' /></not>
        </traverse>
        <hasAttr name='outputHash' value='ef1cb003448b4a53517b8f25adb12452' />
      </within>
    </condition>

  we traverse the dependency graph, not following the dependencies of
  `fetchurl' derivations (as indicated by the presence of an
  `outputHash' attribute - this is a bit ugly).  The resulting set of
  paths is scanned for a fetch of a file with the given hash, in this
  case, the hash of zlib-1.2.1.tar.gz (which has a security bug).  The
  intent is that a dependency on zlib is not a problem if it is in a
  `fetchurl' derivation, since that's build-time only.  (Other
  build-time uses of zlib *might* be a problem, e.g., static linking.)
This commit is contained in:
Eelco Dolstra 2005-03-07 16:26:05 +00:00
parent bfbc55cbc6
commit 97c93526da
2 changed files with 168 additions and 61 deletions
Download patch file Download diff file Expand all files Collapse all files

20
blacklisting/blacklist.xml
View file

@ -1,32 +1,28 @@
<blacklist>
<!--
<item id='openssl-0.9.7d-obsolete'>
<condition>
<containsSource
hash="sha256:1xf1749gdfw9f50mxa5rsnmwiwrb5mi0kg4siw8a73jykdp2i6ii"
origin="openssl-0.9.7d.tar.gz" />
<within>
<traverse><true /></traverse>
<hasAttr name='outputHash' value='1b49e90fc8a75c3a507c0a624529aca5' />
</within>
</condition>
<reason>
Race condition in CRL checking code. Upgrade to 0.9.7e.
</reason>
<severity class="all" level="low" />
</item>
-->
<item id='zlib-1.2.1-security' type='security'>
<condition>
<containsSource
hash="sha256:1xf1749gdfw9f50mxa5rsnmwiwrb5mi0kg4siw8a73jykdp2i6ii"
origin="openssl-0.9.7d.tar.gz" />
<!-- <within>
<within>
<traverse>
<not><hasName name='*.tar.*' /></not>
<not><hasAttr name='outputHash' value='.+' /></not>
</traverse>
<hasAttr name='md5' value='ef1cb003448b4a53517b8f25adb12452' />
</within> -->
<hasAttr name='outputHash' value='ef1cb003448b4a53517b8f25adb12452' />
</within>
</condition>
<reason>
Zlib 1.2.1 is vulnerable to a denial-of-service condition. See