Skip to content

[23.05] python3Packages.pymdown-extensions: add patch for CVE-2023-32309#248911

Merged
vcunat merged 2 commits intoNixOS:staging-23.05from
risicle:ris-pymdown-extensions-CVE-2023-32309-r23.05
Aug 26, 2023
Merged

[23.05] python3Packages.pymdown-extensions: add patch for CVE-2023-32309#248911
vcunat merged 2 commits intoNixOS:staging-23.05from
risicle:ris-pymdown-extensions-CVE-2023-32309-r23.05

Conversation

@risicle
Copy link
Copy Markdown
Contributor

@risicle risicle commented Aug 13, 2023
edited
Loading

Description of changes

https://nvd.nist.gov/vuln/detail/CVE-2023-32309

Upstream consider the fix for this a breaking change as it is no longer possible to traverse outside the base_path to find a snippet (without setting the new restrict_base_path config to False). But I think that's enough of an obscure use-case that on balance I'd rather quietly close that hole by default for stable users.

See #248700 for unstable.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@risicle risicle added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Aug 13, 2023
@github-actions github-actions bot added the 6.topic: python Python is a high-level, general-purpose programming language. label Aug 13, 2023
@ofborg ofborg bot requested a review from cpcloud August 13, 2023 13:26
@ofborg ofborg bot added 10.rebuild-darwin: 11-100 This PR causes between 11 and 100 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 1001-2500 This PR causes many rebuilds on Linux and should target the staging branches. labels Aug 13, 2023
@risicle
Copy link
Copy Markdown
Contributor Author

risicle commented Aug 13, 2023

@ofborg build python310Packages.pymdown-extensions.tests python310Packages.pymdown-extensions.tests hydrus

@risicle risicle force-pushed the ris-pymdown-extensions-CVE-2023-32309-r23.05 branch from 78c5d65 to 952b64c Compare August 13, 2023 16:42
@risicle risicle marked this pull request as ready for review August 13, 2023 17:13
@risicle risicle force-pushed the ris-pymdown-extensions-CVE-2023-32309-r23.05 branch from 952b64c to 91bd58b Compare August 13, 2023 17:44
@risicle risicle changed the base branch from release-23.05 to staging-23.05 August 13, 2023 17:45
@vcunat vcunat merged commit 0247331 into NixOS:staging-23.05 Aug 26, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cpcloud cpcloud Awaiting requested review from cpcloud

Assignees

No one assigned

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 6.topic: python Python is a high-level, general-purpose programming language. 10.rebuild-darwin: 11-100 This PR causes between 11 and 100 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 1001-2500 This PR causes many rebuilds on Linux and should target the staging branches.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@risicle @vcunat