From 7ec755257aa0dca9d4aae50d4eaf7e87ee9128ad Mon Sep 17 00:00:00 2001
From: Emily
Date: Sat, 3 Aug 2024 19:40:15 +0100
Subject: [PATCH] hydron: drop
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This package was marked as vulnerable in , almost a year ago and over a year after the project was archived upstream. The package and module are unusable without bypassing a security warning in 23.05, 23.11, and 24.05. Given that the package is intended as an organizer for potentially‐untrusted media files, the vulnerability is critical and leads to remote code execution, and there is basically no prospect of upstream releasing a fix, remove the package and module entirely for 24.11.
---
 nixos/modules/misc/ids.nix | 4 +-
 nixos/modules/module-list.nix | 1 -
 nixos/modules/rename.nix | 1 +
 nixos/modules/services/web-servers/hydron.nix | 164 ------------------
 pkgs/servers/hydron/default.nix | 37 ----
 pkgs/top-level/aliases.nix | 2 +
 pkgs/top-level/all-packages.nix | 2 -
 7 files changed, 5 insertions(+), 206 deletions(-)
 delete mode 100644 nixos/modules/services/web-servers/hydron.nix
 delete mode 100644 pkgs/servers/hydron/default.nix

diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 36a1a054fea90..1bdaf713ab5dc 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -327,7 +327,7 @@ in
 hdfs = 295;
 mapred = 296;
 hadoop = 297;
- hydron = 298;
+ #hydron = 298; # removed 2024-08-03
 cfssl = 299;
 cassandra = 300;
 qemu-libvirtd = 301;
@@ -637,7 +637,7 @@ in
 hdfs = 295;
 mapred = 296;
 hadoop = 297;
- hydron = 298;
+ #hydron = 298; # removed 2024-08-03
 cfssl = 299;
 cassandra = 300;
 qemu-libvirtd = 301;
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 436aa850cd52a..6df7d784a974e 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1495,7 +1495,6 @@
 ./services/web-servers/fcgiwrap.nix
 ./services/web-servers/garage.nix
 ./services/web-servers/hitch/default.nix
- ./services/web-servers/hydron.nix
 ./services/web-servers/jboss/default.nix
 ./services/web-servers/keter
 ./services/web-servers/lighttpd/cgit.nix
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index 2e37a984a34ee..df6090e41d7d4 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -67,6 +67,7 @@ in
 (mkRemovedOptionModule [ "services" "fprot" ] "The corresponding package was removed from nixpkgs.")
 (mkRemovedOptionModule [ "services" "frab" ] "The frab module has been removed")
 (mkRemovedOptionModule [ "services" "homeassistant-satellite"] "The `services.homeassistant-satellite` module has been replaced by `services.wyoming-satellite`.")
+ (mkRemovedOptionModule [ "services" "hydron" ] "The `services.hydron` module has been removed as the project has been archived upstream since 2022 and is affected by a severe remote code execution vulnerability.")
 (mkRemovedOptionModule [ "services" "ihatemoney" ] "The ihatemoney module has been removed for lack of downstream maintainer")
 (mkRemovedOptionModule [ "services" "kippo" ] "The corresponding package was removed from nixpkgs.")
 (mkRemovedOptionModule [ "services" "mailpile" ] "The corresponding package was removed from nixpkgs.")
diff --git a/nixos/modules/services/web-servers/hydron.nix b/nixos/modules/services/web-servers/hydron.nix
deleted file mode 100644
index 68c0859fc3322..0000000000000
--- a/nixos/modules/services/web-servers/hydron.nix
+++ /dev/null
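Review bot: The removal notice added for `services.hydron` describes the problem only as "a severe remote code execution vulnerability", which gives an operator auditing an existing deployment nothing to look up; the package expression deleted in this same patch recorded it as CVE-2023-4863 via the chai2010/webp dependency, so I would name it in the message, e.g. `"... and is affected by a severe remote code execution vulnerability (CVE-2023-4863, via its chai2010/webp dependency)."`. The same wording gap applies to the `hydron = throw` alias added in pkgs/top-level/aliases.nix, which should carry the same identifier so both messages stay consistent. The mkRemovedOptionModule list this entry joins continues outside the hunk.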
@@ -1,164 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- cfg = config.services.hydron;
-in with lib; {
- options.services.hydron = {
- enable = mkEnableOption "hydron";
-
- dataDir = mkOption {
- type = types.path;
- default = "/var/lib/hydron";
- example = "/home/okina/hydron";
- description = "Location where hydron runs and stores data.";
- };
-
- interval = mkOption {
- type = types.str;
- default = "weekly";
- example = "06:00";
- description = ''
- How often we run hydron import and possibly fetch tags. Runs by default every week.
-
- The format is described in
- {manpage}`systemd.time(7)`.
- '';
- };
-
- password = mkOption {
- type = types.str;
- default = "hydron";
- example = "dumbpass";
- description = "Password for the hydron database.";
- };
-
- passwordFile = mkOption {
- type = types.path;
- default = "/run/keys/hydron-password-file";
- example = "/home/okina/hydron/keys/pass";
- description = "Password file for the hydron database.";
- };
-
- postgresArgs = mkOption {
- type = types.str;
- description = "Postgresql connection arguments.";
- example = ''
- {
- "driver": "postgres",
- "connection": "user=hydron password=dumbpass dbname=hydron sslmode=disable"
- }
- '';
- };
-
- postgresArgsFile = mkOption {
- type = types.path;
- default = "/run/keys/hydron-postgres-args";
- example = "/home/okina/hydron/keys/postgres";
- description = "Postgresql connection arguments file.";
- };
-
- listenAddress = mkOption {
- type = types.nullOr types.str;
- default = null;
- example = "127.0.0.1:8010";
- description = "Listen on a specific IP address and port.";
- };
-
- importPaths = mkOption {
- type = types.listOf types.path;
- default = [];
- example = [ "/home/okina/Pictures" ];
- description = "Paths that hydron will recursively import.";
- };
-
- fetchTags = mkOption {
- type = types.bool;
- default = true;
- description = "Fetch tags for imported images and webm from gelbooru.";
- };
- };
-
- config = mkIf cfg.enable {
- services.hydron.passwordFile = 
mkDefault (pkgs.writeText "hydron-password-file" cfg.password);
- services.hydron.postgresArgsFile = mkDefault (pkgs.writeText "hydron-postgres-args" cfg.postgresArgs);
- services.hydron.postgresArgs = mkDefault ''
- {
- "driver": "postgres",
- "connection": "user=hydron password=${cfg.password} host=/run/postgresql dbname=hydron sslmode=disable"
- }
- '';
-
- services.postgresql = {
- enable = true;
- ensureDatabases = [ "hydron" ];
- ensureUsers = [
- { name = "hydron";
- ensureDBOwnership = true;
- }
- ];
- };
-
- systemd.tmpfiles.rules = [
- "d '${cfg.dataDir}' 0750 hydron hydron - -"
- "d '${cfg.dataDir}/.hydron' - hydron hydron - -"
- "d '${cfg.dataDir}/images' - hydron hydron - -"
- "Z '${cfg.dataDir}' - hydron hydron - -"
-
- "L+ '${cfg.dataDir}/.hydron/db_conf.json' - - - - ${cfg.postgresArgsFile}"
- ];
-
- systemd.services.hydron = {
- description = "hydron";
- after = [ "network.target" "postgresql.service" ];
- wantedBy = [ "multi-user.target" ];
-
- serviceConfig = {
- User = "hydron";
- Group = "hydron";
- ExecStart = "${pkgs.hydron}/bin/hydron serve"
- + optionalString (cfg.listenAddress != null) " -a ${cfg.listenAddress}";
- };
- };
-
- systemd.services.hydron-fetch = {
- description = "Import paths into hydron and possibly fetch tags";
-
- serviceConfig = {
- Type = "oneshot";
- User = "hydron";
- Group = "hydron";
- ExecStart = "${pkgs.hydron}/bin/hydron import "
- + optionalString cfg.fetchTags "-f "
- + (escapeShellArg cfg.dataDir) + "/images " + (escapeShellArgs cfg.importPaths);
- };
- };
-
- systemd.timers.hydron-fetch = {
- description = "Automatically import paths into hydron and possibly fetch tags";
- after = [ "network.target" "hydron.service" ];
- wantedBy = [ "timers.target" ];
-
- timerConfig = {
- Persistent = true;
- OnCalendar = cfg.interval;
- };
- };
-
- users = {
- groups.hydron.gid = config.ids.gids.hydron;
-
- users.hydron = {
- description = "hydron server service user";
- home = cfg.dataDir;
- group = "hydron";
- uid = 
config.ids.uids.hydron;
- };
- };
- };
-
- imports = [
- (mkRenamedOptionModule [ "services" "hydron" "baseDir" ] [ "services" "hydron" "dataDir" ])
- ];
-
- meta.maintainers = with maintainers; [ Madouura ];
-}
diff --git a/pkgs/servers/hydron/default.nix b/pkgs/servers/hydron/default.nix
deleted file mode 100644
index 912d0971f01a1..0000000000000
--- a/pkgs/servers/hydron/default.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ lib
-, buildGoModule
-, fetchFromGitHub
-, gitUpdater
-, pkg-config
-, ffmpeg_4
-}:
-
-buildGoModule rec {
- pname = "hydron";
- version = "3.3.6";
-
- src = fetchFromGitHub {
- owner = "bakape";
- repo = "hydron";
- rev = "v${version}";
- hash = "sha256-Q1pZf5FPQw+pHItcZyOGx0N+iHmz9rW0+ANFsketh6E=";
- };
-
- vendorHash = "sha256-hKF2RCGnk/5hNS65vGoDdF1OUPSLe4PDegYlKTeqJDM=";
- proxyVendor = true;
-
- nativeBuildInputs = [ pkg-config ];
- buildInputs = [ ffmpeg_4 ];
-
- passthru.updateScript = gitUpdater {
- rev-prefix = "v";
- };
-
- meta = with lib; {
- homepage = "https://github.com/bakape/hydron";
- description = "High performance media tagger and organizer";
- license = with licenses; [ lgpl3Plus ];
- knownVulnerabilities = [ "CVE-2023-4863" ]; # Via https://github.com/chai2010/webp dep
- maintainers = with maintainers; [ Madouura ];
- };
-}
diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix
index a0b4ad43fbe1b..17dc611b6a7c5 100644
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@@ -642,6 +642,8 @@ mapAliases ({
 hll2390dw-cups = throw "The hll2390dw-cups package was dropped since it was unmaintained."; # Added 2024-06-21
 ht-rust = xh; # Added 2021-02-13
 hydra-unstable = hydra_unstable; # added 2022-05-10
+ hydron = throw "hydron has been removed as the project has been archived upstream since 2022 and is affected by a severe remote code execution vulnerability";
+
 hyper-haskell = throw "'hyper-haskell' has been removed. reason: has been broken for a long time and depends on an insecure electron version"; # Added 2024-03-14
 hyper-haskell-server-with-packages = throw "'hyper-haskell-server-with-packages' has been removed. reason: has been broken for a long time"; # Added 2024-03-14
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index a529941abd264..3dc3b69367a67 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -25329,8 +25329,6 @@ with pkgs;
 https-dns-proxy = callPackage ../servers/dns/https-dns-proxy { };
- hydron = callPackage ../servers/hydron { };
-
 ic-keysmith = callPackage ../tools/security/ic-keysmith { };
 icecream = callPackage ../servers/icecream { };
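Review bot: The new `hydron = throw "..."` alias is missing the trailing `# Added YYYY-MM-DD` comment that every neighbouring entry in this hunk carries (`# Added 2024-06-21`, `# added 2022-05-10`, `# Added 2024-03-14`), and that date is presumably what later pruning of stale aliases goes by. The ids.nix hunk in the same patch already records the removal date, so the line should read `hydron = throw "hydron has been removed as ... vulnerability"; # Added 2024-08-03`. The second added line is an empty line between the hydron and hyper-haskell entries, which none of the surrounding entries have; dropping it keeps the alphabetical list compact.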