Security fixes:
- Message printout was vulnerable to format string injection
- dropbearconvert import of OpenSSH keys could run arbitrary code
as the local dropbearconvert user when parsing malicious key
files
- dbclient could run arbitrary code as the local dbclient user if
particular -m or -c arguments are provided
- dbclient or dropbear server could expose process memory to the
running user if compiled with DEBUG_TRACE and running with -v
Fixes:
- Fix port forwarding failure when connecting to domains that have
both IPv4 and IPv6 addresses. The bug was introduced in 2015.68
- Fix 100% CPU use while waiting for rekey to complete
cgit doesn't generate stable archives, so the SHA changed when there
was a commit earlier this year. Using fetchgit in hopes of stabilizing
the checked out sha.
(This is a rewritten version of the reverted commit
a927709a35, that disables the creation of
/var/empty during build so that sandboxed builds also works. For more
context, see https://github.com/NixOS/nixpkgs/pull/16966)
If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:
fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.
The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:
fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.
The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
