1password-gui: 8.10.9 -> 8.10.16 #256365

Merged 1 commit on Sep 22, 2023

savannidgerinel
Contributor

Description of changes

1Password has had several releases since the last NixOS update.

1Password for Linux | 1Password Releases

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

1Password has undergone many releases since the last NixOS update.
Contributor

amaxine commented Sep 21, 2023

Thank you! Could you please alter the message to match the derivation name (_1password-gui)? I'll merge after that's fixed.

@amaxine amaxine merged commit 365194f into NixOS:master Sep 22, 2023
21 checks passed
toastal pushed a commit to toastal/nixpkgs that referenced this pull request Sep 25, 2023
1Password has undergone many releases since the last NixOS update.

jeffdik commented Sep 28, 2023

Hi, thanks for your work on this!

I think this fixes CVE-2023-4863 for 1password[1] and maybe should be listed on CVE-2023-4863 (libwebp heap buffer overflow) tracking · Issue #254798 · NixOS/nixpkgs.

Security advisory for 1Password 8 for Mac, Windows and Linux mentions that 1password 8.10.15 contains the fix for CVE-2023-4863.

If you use strings and grep, it looks like 1password 8.10.9 uses Electron 25.0.1:

> strings /nix/store/xfwqr8vykb3gixqqflq6x07kd3afbnll-1password-8.10.9/share/1password/1password | grep '^Chrome/[0-9.]* Electron/[0-9]'
Chrome/114.0.5735.45 Electron/25.0.1

1password 8.10.16 uses Electron 25.8.1:

> strings /nix/store/ifxm9pagcf70dk01zf6yzbb0jzfrffb5-1password-8.10.16/share/1password/1password | grep '^Chrome/[0-9.]* Electron/[0-9]'
Chrome/114.0.5735.289 Electron/25.8.1

Based on the above, I think 1password doesn't use the system libwebp and has a bundled version of Electron.

Release electron v25.8.1 · electron/electron says Electron 25.8.1 has the fix for CVE-2023-4863.

Does this look right to you, and should this release be listed on CVE-2023-4863 (libwebp heap buffer overflow) tracking · Issue #254798 · NixOS/nixpkgs and backported to NixOS 23.05?

[1]: Security advisory for 1Password 8 for Mac, Windows and Linux
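
The version check described in the comment above, written as a reusable script. This is an added example, not code from the thread or from nixpkgs: the function names and the sample files are constructed here, and only the 25.x fixed release (25.8.1) is taken from the page, so other Electron release lines are reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example, not from the PR: flag a binary whose bundled Electron
# predates 25.8.1, the release the comment cites for the CVE-2023-4863 fix.
FIXED_25="25.8.1"

# Print the Electron version from the embedded "Chrome/x Electron/y" banner.
# grep -a -o stands in for strings | grep so binutils is not required.
electron_version() {
    LC_ALL=C grep -a -o 'Chrome/[0-9.]* Electron/[0-9][0-9.]*' "$1" 2>/dev/null |
        head -n 1 | sed 's|.*Electron/||'
}

# Succeed if dotted version $1 >= $2 (numeric compare, field by field).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print "<status> <version>": patched, unpatched, unknown-line or no-electron.
check_binary() {
    v=$(electron_version "$1")
    if [ -z "$v" ]; then echo "no-electron -"; return 0; fi
    case $v in
        25.*) if version_ge "$v" "$FIXED_25"; then echo "patched $v"
              else echo "unpatched $v"; fi ;;
        # Fixed releases for other lines are not given on this page.
        *)    echo "unknown-line $v" ;;
    esac
}

# Constructed stand-ins for the two store paths: banner between control bytes.
make_sample() {
    printf '\177ELF\001\002%s\001\002pad' "$2" > "$1"
}

tmp=$(mktemp -d)
make_sample "$tmp/old" 'Chrome/114.0.5735.45 Electron/25.0.1'
make_sample "$tmp/new" 'Chrome/114.0.5735.289 Electron/25.8.1'
for f in "$tmp/old" "$tmp/new"; do
    echo "$(basename "$f"): $(check_binary "$f")"
done
rm -rf "$tmp"
```

Pointing `check_binary` at a real store path (for example the `share/1password/1password` files quoted above) works the same way, since it only reads the file.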
