This patch fixes a bug in guile-rsvg's build system, whereby the CFLAGS
and LDFLAGS for Guile would not be captured.
--- guile-rsvg-2.18.1/configure.ac 2015-08-31 22:30:30.578909480 +0200
+++ guile-rsvg-2.18.1/configure.ac 2015-08-31 22:32:15.071516084 +0200
@@ -39,6 +39,10 @@ AC_SUBST(WARN_CFLAGS)
GUILE_PKG([2.2 2.0 1.8])
+dnl The above macro fails to set the 'GUILE_CFLAGS' and 'GUILE_LIBS'
+dnl substitution variables, hence this line.
+PKG_CHECK_MODULES(GUILE, guile-$GUILE_EFFECTIVE_VERSION)
+
PKG_CHECK_MODULES(GUILE_CAIRO, guile-cairo >= 1.4.0)
AC_SUBST(GUILE_CAIRO_LIBS)
AC_SUBST(GUILE_CAIRO_CFLAGS)
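Review bot: the added PKG_CHECK_MODULES(GUILE, ...) line is not followed by AC_SUBST(GUILE_CFLAGS) and AC_SUBST(GUILE_LIBS), while the GUILE_CAIRO check directly below it spells out both substitutions. The new dnl comment says the purpose is to get exactly those two substitution variables set, so adding the explicit AC_SUBST calls would make that intent visible and keep the two checks consistent. The module name is also built from $GUILE_EFFECTIVE_VERSION, which presumably comes from the GUILE_PKG call just above; the comment should say that this line has to stay after GUILE_PKG, otherwise a reordering would turn it into a check for a module named "guile-". Minor: the patch description speaks of LDFLAGS while the comment and the macro deal with GUILE_LIBS.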
daemon: Address shortcoming in previous security fix for CVE-2024-27297.

This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143.
Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two
ways: (1) it didn’t have any effect for fixed-output derivations
performed in a chroot, which is the case for all of them except those
using “builtin:download” and “builtin:git-download”, and (2) it did not
preserve ownership when copying, leading to “suspicious ownership or
permission […] rejecting this build output” errors.
* nix/libstore/build.cc (DerivationGoal::buildDone): Account for
‘chrootRootDir’ when copying ‘drv.outputs’.
* nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’
calls to preserve file ownership; this is necessary for chrooted
fixed-output derivation builds.
* nix/libutil/util.hh: Update comment.
Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156
Ludovic Courtès
2024-03-11
daemon: Protect against FD escape when building fixed-output derivations (CVE...

This fixes a security issue (CVE-2024-27297) whereby a fixed-output
derivation build process could open a writable file descriptor to its
output, send it to some outside process for instance over an abstract
AF_UNIX socket, which would then allow said process to modify the file
in the store after it has been marked as “valid”.
Vulnerability discovered by puck <https://github.com/puckipedia>.
Nix security advisory:
https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
Nix fix:
https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9
* nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
a file descriptor. Rewrite the ‘Path’ variant accordingly.
(copyFile, copyFileRecursively): New functions.
* nix/libutil/util.hh (copyFileRecursively): New declaration.
* nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.
Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4
Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
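The two commit messages above describe copying each fixed-output result, preserving ownership, and then renaming it into place. The following is an added example, not code from the Guix daemon: a single-file sketch of that copy-then-rename idea showing that a descriptor opened before the swap can no longer reach the published file. The names `replace_with_copy` and `stale_fd_cannot_modify_output`, the `/tmp/fod-demo-XXXXXX` directory and the file contents are assumptions constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy src into a brand-new inode at tmp, keeping owner and mode, then rename
   it over src. Descriptors opened on src earlier stay bound to the old inode. */
int replace_with_copy(const char *src, const char *tmp)
{
    struct stat st = {0};
    char buf[4096]; ssize_t n = 0;
    int in = open(src, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (in < 0) return -1;
    int out = open(tmp, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    int ok = out >= 0 && fstat(in, &st) == 0;
    while (ok && (n = read(in, buf, sizeof buf)) > 0)
        ok = write(out, buf, (size_t)n) == n;          /* short write = failure */
    ok = ok && n == 0
        && fchown(out, st.st_uid, st.st_gid) == 0      /* preserve ownership */
        && fchmod(out, st.st_mode & 07777) == 0;       /* preserve permissions */
    close(in);
    if (out >= 0 && close(out) != 0) ok = 0;
    ok = ok && rename(tmp, src) == 0;                  /* atomic swap of the path */
    if (!ok && out >= 0) unlink(tmp);
    return ok ? 0 : -1;
}

/* Constructed scenario: 'leaked' stands in for a descriptor kept open on the
   output. Returns 1 if the published path is unchanged, 0 if not, -1 on error. */
int stale_fd_cannot_modify_output(void)
{
    char dir[] = "/tmp/fod-demo-XXXXXX", path[64], tmp[64], got[32] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/out", dir);
    snprintf(tmp, sizeof tmp, "%s/out.tmp", dir);
    int leaked = open(path, O_RDWR | O_CREAT | O_EXCL, 0644);
    if (leaked < 0 || write(leaked, "expected", 8) != 8) return -1;
    if (replace_with_copy(path, tmp) != 0) return -1;
    ssize_t w = pwrite(leaked, "TAMPERED", 8, 0);      /* hits the old inode only */
    int fd = open(path, O_RDONLY);
    ssize_t r = fd < 0 ? -1 : read(fd, got, sizeof got - 1);
    close(fd); close(leaked); unlink(path); rmdir(dir);
    return (w == 8 && r == 8) ? strcmp(got, "expected") == 0 : -1;
}

int main(void) { return stale_fd_cannot_modify_output() == 1 ? 0 : 1; }
```

The write through the old descriptor succeeds, but it lands in the unlinked inode, which is why the swap has to happen before the output is treated as valid.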
daemon: Move 'Agent' to libutil.

* nix/libstore/build.cc (DerivationGoal::tryBuildHook): Add "offload" to
'args' and pass settings.guixProgram as the first argument to
Agent::Agent.
(pathNullDevice, commonChildInit, Agent, Agent::Agent)
(Agent::~Agent): Move to...
* nix/libutil/util.cc: ... here.
* nix/libutil/util.hh (struct Agent, commonChildInit): New
declarations.