From 991265e724a6e026ceeb51502e08a4f44f67b486 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Tue, 19 Jun 2018 19:41:30 -0400
Subject: [PATCH] version deps need at least http-client-0.4.31 to build now, and connection-0.2.6
---
 .../day_503__security_hole_part_5.mdwn | 17 ++++++++
 ...=> CVE-2018-10857_and_CVE-2018-10859.mdwn} | 0
 git-annex.cabal | 4 +-
 .../basement_fix-build-on-android.patch | 41 +++++++++++++++++++
 4 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 doc/devblog/day_503__security_hole_part_5.mdwn
 rename doc/security/{CVE-2018-10857.mdwn => CVE-2018-10857_and_CVE-2018-10859.mdwn} (100%)
 create mode 100644 standalone/android/haskell-patches/basement_fix-build-on-android.patch
diff --git a/doc/devblog/day_503__security_hole_part_5.mdwn b/doc/devblog/day_503__security_hole_part_5.mdwn
new file mode 100644
index 0000000000..88f800e12f
--- /dev/null
+++ b/doc/devblog/day_503__security_hole_part_5.mdwn
@@ -0,0 +1,17 @@
+Started testing that the security fix will build everywhere on
+release day. This is being particularly painful for the android build,
+which has very old libraries and needed http-client updated, with many
+follow-on changes, and is not successfully building yet after 5 hours.
+I really need to finish deprecating the android build.
+
+Pretty exhausted from all this, and thinking what to do about
+external special remotes, I elaborated on an idea that Daniel Dent had
+raised in discussions about vulnerability, and realized that git-annex
+has a second, worse vulnerability. This new one could be used to trick a
+git-annex user into decrypting gpg encrypted data that they had
+never stored in git-annex. The attacker needs to have control of both an
+encrypted special remote and a git remote, so it's not an easy exploit to
+pull off, but it's still super bad.
+
+This week is going to be a lot longer than I thought, and it's already
+feeling kind of endless..
diff --git a/doc/security/CVE-2018-10857.mdwn b/doc/security/CVE-2018-10857_and_CVE-2018-10859.mdwn
similarity index 100%
rename from doc/security/CVE-2018-10857.mdwn
rename to doc/security/CVE-2018-10857_and_CVE-2018-10859.mdwn
diff --git a/git-annex.cabal b/git-annex.cabal
index bab975c26a..fc64a16651 100644
--- a/git-annex.cabal
+++ b/git-annex.cabal
@@ -340,8 +340,8 @@ Executable git-annex
 bloomfilter,
 edit-distance,
 resourcet,
- connection,
- http-client,
+ connection (>= 0.2.6),
+ http-client (>= 0.4.31),
 http-client-tls,
 http-types (>= 0.7),
 http-conduit (>= 2.0),
diff --git a/standalone/android/haskell-patches/basement_fix-build-on-android.patch b/standalone/android/haskell-patches/basement_fix-build-on-android.patch
new file mode 100644
index 0000000000..948473bc2e
--- /dev/null
+++ b/standalone/android/haskell-patches/basement_fix-build-on-android.patch
@@ -0,0 +1,41 @@
+From cc0c373b69f93057cbdcb634a461e10ec019d87a Mon Sep 17 00:00:00 2001
+From: androidbuilder
+Date: Wed, 20 Jun 2018 00:29:11 +0100
+Subject: [PATCH] fix build on android
+
+---
+ Basement/Terminal.hs | 2 --
+ basement.cabal | 1 -
+ 2 files changed, 3 deletions(-)
+
+diff --git a/Basement/Terminal.hs b/Basement/Terminal.hs
+index 8136e52..cca9606 100644
+--- a/Basement/Terminal.hs
++++ b/Basement/Terminal.hs
+@@ -1,11 +1,9 @@
+ {-# LANGUAGE CPP #-}
+ module Basement.Terminal
+ ( initialize
+- , getDimensions
+ ) where
+
+ import Basement.Compat.Base
+-import Basement.Terminal.Size (getDimensions)
+ #ifdef mingw32_HOST_OS
+ import System.IO (hSetEncoding, utf8, hPutStrLn, stderr, stdin, stdout)
+ import System.Win32.Console (setConsoleCP, setConsoleOutputCP, getConsoleCP, getConsoleOutputCP)
+diff --git a/basement.cabal b/basement.cabal
+index af50291..0824c94 100644
+--- a/basement.cabal
++++ b/basement.cabal
+@@ -135,7 +135,6 @@ library
+ Basement.String.Encoding.ASCII7
+ Basement.String.Encoding.ISO_8859_1
+
+- Basement.Terminal.Size
+
+
+ build-depends: base >= 4.7 && < 5
+--
+2.1.4
+
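Review bot: The new lower bounds on `connection` and `http-client` in git-annex.cabal carry no explanation in the file, so a later dependency cleanup could relax them without knowing why they exist. The commit message says only that they are needed to build, and the devblog entry added in this same commit suggests the http-client update came with the security fix. A comment line above the two entries, such as `-- floors needed to build since the security fix, see doc/security/CVE-2018-10857_and_CVE-2018-10859.mdwn`, would record that. `http-client-tls` on the following line stays unbounded, and whether it needs a matching floor cannot be told from this hunk. The Executable stanza starts and ends outside the hunk.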
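Review bot: The embedded basement patch in standalone/android/haskell-patches removes the `getDimensions` export and the `Basement.Terminal.Size` module, but its message, `fix build on android`, does not say what fails to build or which basement release it was cut against. Because this rewrites a third-party dependency inside the build, the header should record both, for example `Subject: [PATCH] fix build on android: drop Basement.Terminal.Size (<REASON>), applies to basement <VERSION>`. Any package in the android dependency set that imports `getDimensions` would stop compiling against the patched library, and the page does not show whether one does.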