authorMartin Weinelt <hexa@darmstadt.ccc.de>2020-05-06 23:18:09 +0200
committerMartin Weinelt <hexa@darmstadt.ccc.de>2020-05-06 23:18:09 +0200
commite24f5eab66a004fcbd770888aba9cd94fcda17c5 (patch)
treec0953c3af0ec27b95cab73edb5a98110ff11a117
parentf46cbbc540e74a8b3c8ef3099df4c2a0b434e55b (diff)
treewide: add CVE identifiers to patches
This allows tools like broken.sh to correctly identify the patched
status.
-rw-r--r--pkgs/applications/office/antiword/10_fix_buffer_overflow_wordole_c_CVE-2014-8123.patch (renamed from pkgs/applications/office/antiword/10_fix_buffer_overflow_wordole_c.patch)0
-rw-r--r--pkgs/applications/office/antiword/default.nix2
-rw-r--r--pkgs/misc/drivers/foomatic-filters/default.nix2
-rw-r--r--pkgs/os-specific/linux/libcgroup/default.nix1
-rw-r--r--pkgs/tools/archivers/p7zip/default.nix2
-rw-r--r--pkgs/tools/filesystems/fuseiso/default.nix30
-rw-r--r--pkgs/tools/misc/mcrypt/default.nix7
-rw-r--r--pkgs/tools/misc/mcrypt/format-string_CVE-2012-4426.patch (renamed from pkgs/tools/misc/mcrypt/format-string.patch)0
-rw-r--r--pkgs/tools/misc/mcrypt/overflow_CVE-2012-4409.patch (renamed from pkgs/tools/misc/mcrypt/overflow.patch)0
-rw-r--r--pkgs/tools/misc/mcrypt/sprintf_CVE-2012-4527.patch (renamed from pkgs/tools/misc/mcrypt/sprintf.patch)0
-rw-r--r--pkgs/tools/security/super/default.nix8
-rw-r--r--pkgs/tools/text/a2ps/default.nix1
12 files changed, 32 insertions, 21 deletions
diff --git a/pkgs/applications/office/antiword/10_fix_buffer_overflow_wordole_c.patch b/pkgs/applications/office/antiword/10_fix_buffer_overflow_wordole_c_CVE-2014-8123.patch
index ebf2f0900d9..ebf2f0900d9 100644
--- a/pkgs/applications/office/antiword/10_fix_buffer_overflow_wordole_c.patch
+++ b/pkgs/applications/office/antiword/10_fix_buffer_overflow_wordole_c_CVE-2014-8123.patch
diff --git a/pkgs/applications/office/antiword/default.nix b/pkgs/applications/office/antiword/default.nix
index 0154e21b374..c8cb294b0dc 100644
--- a/pkgs/applications/office/antiword/default.nix
+++ b/pkgs/applications/office/antiword/default.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation {
     substituteInPlace Makefile --replace "gcc" "cc"
   '';
 
-  patches = [ ./10_fix_buffer_overflow_wordole_c.patch ];
+  patches = [ ./10_fix_buffer_overflow_wordole_c_CVE-2014-8123.patch ];
 
   installTargets = [ "global_install" ];
 
diff --git a/pkgs/misc/drivers/foomatic-filters/default.nix b/pkgs/misc/drivers/foomatic-filters/default.nix
index 9bee05bfb25..3ca64e0e8f8 100644
--- a/pkgs/misc/drivers/foomatic-filters/default.nix
+++ b/pkgs/misc/drivers/foomatic-filters/default.nix
@@ -12,8 +12,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ perl cups dbus enscript ];
 
   patches = [
-    # for CVE-2015-8327 & CVE-2015-8560
     (fetchpatch {
+      name = "CVE-2015-8327+CVE-2015-8560.patch";
       url = "https://salsa.debian.org/debian/foomatic-filters/raw/a3abbef2d2f8c7e62d2fe64f64afe294563fdf8f/debian/patches/0500-r7406_also_consider_the_back_tick_as_an_illegal_shell_escape_character.patch";
       sha256 = "055nwi3sjf578nk40bqsch3wx8m2h65hdih0wmxflb6l0hwkq4p4";
     })
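Review bot: The new `name` on this fetchpatch entry tells scanners that both CVE-2015-8327 and CVE-2015-8560 are fixed, but the upstream file in the `url` is named only for back-tick handling. The removed comment made the same claim for human readers; as a machine-read name, a wrong id would suppress the report for that CVE. It is worth confirming that the patch covers both ids before tooling relies on the name. If it does, a short comment such as `# one upstream patch covers both ids` next to the name would record that. The patches list continues outside the hunk.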
diff --git a/pkgs/os-specific/linux/libcgroup/default.nix b/pkgs/os-specific/linux/libcgroup/default.nix
index 026b43fc615..4d93c3bb4fe 100644
--- a/pkgs/os-specific/linux/libcgroup/default.nix
+++ b/pkgs/os-specific/linux/libcgroup/default.nix
@@ -13,6 +13,7 @@ stdenv.mkDerivation rec {
 
   patches = [
     (fetchpatch {
+      name = "CVE-2018-14348.patch";
       url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/libcgroup/files/libcgroup-0.41-remove-umask.patch?id=33e9f4c81de754bbf76b893ea1133ed023f2a0e5";
       sha256 = "1x0x29ld0cgmfwq4qy13s6d5c8sym1frfh1j2q47d8gfw6qaxka5";
     })
diff --git a/pkgs/tools/archivers/p7zip/default.nix b/pkgs/tools/archivers/p7zip/default.nix
index b7a97b3766b..d6ad699eaa8 100644
--- a/pkgs/tools/archivers/p7zip/default.nix
+++ b/pkgs/tools/archivers/p7zip/default.nix
@@ -13,10 +13,12 @@ stdenv.mkDerivation rec {
     ./12-CVE-2016-9296.patch
     ./13-CVE-2017-17969.patch
     (fetchpatch {
+      name = "3-CVE-2018-5996.patch";
       url = "https://raw.githubusercontent.com/termux/termux-packages/master/packages/p7zip/3-CVE-2018-5996.patch";
       sha256 = "1zivvkazmza0653i498ccp3zbpbpc7dvxl3zxwllbx41b6n589yp";
     })
     (fetchpatch {
+      name = "4-CVE-2018-10115.patch";
       url = "https://raw.githubusercontent.com/termux/termux-packages/master/packages/p7zip/4-CVE-2018-10115.patch";
       sha256 = "1cr7q8gnrk9yp6dcvxaqi1yhdbgp964nkv65ls41mw1kdfm44zn6";
     })
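Review bot: Both fetchpatch URLs in this hunk point at the `master` branch of termux-packages, and the added `name` lines change the fixed-output store path, so the patches are likely to be fetched again rather than reused from an existing path. The `sha256` makes a changed or replaced file fail the build instead of slipping through. But if upstream edits, renames or drops the file, the two CVE fixes can no longer be fetched. Pinning each URL to a commit, e.g. `.../termux-packages/<commit-sha>/packages/p7zip/3-CVE-2018-5996.patch`, keeps the source immutable. The patches list starts and ends outside the hunk.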
diff --git a/pkgs/tools/filesystems/fuseiso/default.nix b/pkgs/tools/filesystems/fuseiso/default.nix
index ded1fac65f8..0a4472d7123 100644
--- a/pkgs/tools/filesystems/fuseiso/default.nix
+++ b/pkgs/tools/filesystems/fuseiso/default.nix
@@ -9,27 +9,27 @@ stdenv.mkDerivation rec {
     sha256 = "127xql52dcdhmh7s5m9xc6q39jdlj3zhbjar1j821kb6gl3jw94b";
   };
 
-  patches = map (p:
-    fetchpatch {
-      inherit (p) name sha256;
-      url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/${p.name}";
-    }) [
-    {
+  patches = [
+    (fetchpatch {
       name = "00-support_large_iso.patch";
+      url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/00-support_large_iso.patch";
       sha256 = "1lmclb1qwzz5f4wlq693g83bblwnjjl73qhgfxbsaac5hnn2shjw";
-    }
-    {
+    })
+    (fetchpatch {
       name = "01-fix_typo.patch";
+      url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/01-fix_typo.patch";
       sha256 = "14rpxp0yylzsgqv0r19l4wx1h5hvqp617gpv1yg0w48amr9drasa";
-    }
-    { # CVE-2015-8837
-      name = "02-prevent-buffer-overflow.patch";
+    })
+    (fetchpatch {
+      name = "02-prevent-buffer-overflow_CVE-2015-8837.patch";
+      url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/02-prevent-buffer-overflow.patch";
       sha256 = "1ls2pp3mh91pdb51qz1fsd8pwhbky6988bpd156bn7wgfxqzh8ig";
-    }
-    { # CVE-2015-8836
-      name = "03-prevent-integer-overflow.patch";
+    })
+    (fetchpatch {
+      name = "03-prevent-integer-overflow_CVE-2015-8836.patch";
+      url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/03-prevent-integer-overflow.patch";
       sha256 = "100cw07fk4sa3hl7a1gk2hgz4qsxdw99y20r7wpidwwwzy463zcv";
-    }
+    })
   ];
 
   nativeBuildInputs = [ autoreconfHook pkgconfig ];
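Review bot: Expanding the `map` into four explicit fetchpatch calls repeats the Debian URL prefix, including `${version}-3.2`, four times, so a later revision bump has to be made consistently in each entry. Carrying the CVE id only requires the store name to differ from the upstream file name, which the old shape can do with one extra attribute: `inherit (p) name sha256;` plus `url = ".../debian/patches/${p.file}";`. Each entry would then give `name = "02-prevent-buffer-overflow_CVE-2015-8837.patch"; file = "02-prevent-buffer-overflow.patch";`. The sha256 values stay as they are.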
diff --git a/pkgs/tools/misc/mcrypt/default.nix b/pkgs/tools/misc/mcrypt/default.nix
index 9969148e223..afbe811e7f2 100644
--- a/pkgs/tools/misc/mcrypt/default.nix
+++ b/pkgs/tools/misc/mcrypt/default.nix
@@ -9,7 +9,12 @@ stdenv.mkDerivation rec {
     sha256 = "5145aa844e54cca89ddab6fb7dd9e5952811d8d787c4f4bf27eb261e6c182098";
   };
 
-  patches = [ ./format-string.patch ./overflow.patch ./segv.patch ./sprintf.patch ];
+  patches = [
+    ./format-string_CVE-2012-4426.patch
+    ./overflow_CVE-2012-4409.patch
+    ./segv.patch
+    ./sprintf_CVE-2012-4527.patch
+  ];
 
   buildInputs = [ libmcrypt libmhash ];
 
diff --git a/pkgs/tools/misc/mcrypt/format-string.patch b/pkgs/tools/misc/mcrypt/format-string_CVE-2012-4426.patch
index 322ab473811..322ab473811 100644
--- a/pkgs/tools/misc/mcrypt/format-string.patch
+++ b/pkgs/tools/misc/mcrypt/format-string_CVE-2012-4426.patch
diff --git a/pkgs/tools/misc/mcrypt/overflow.patch b/pkgs/tools/misc/mcrypt/overflow_CVE-2012-4409.patch
index bf747a58266..bf747a58266 100644
--- a/pkgs/tools/misc/mcrypt/overflow.patch
+++ b/pkgs/tools/misc/mcrypt/overflow_CVE-2012-4409.patch
diff --git a/pkgs/tools/misc/mcrypt/sprintf.patch b/pkgs/tools/misc/mcrypt/sprintf_CVE-2012-4527.patch
index 1c9ade80777..1c9ade80777 100644
--- a/pkgs/tools/misc/mcrypt/sprintf.patch
+++ b/pkgs/tools/misc/mcrypt/sprintf_CVE-2012-4527.patch
diff --git a/pkgs/tools/security/super/default.nix b/pkgs/tools/security/super/default.nix
index 73321fd618e..07051731069 100644
--- a/pkgs/tools/security/super/default.nix
+++ b/pkgs/tools/security/super/default.nix
@@ -17,9 +17,11 @@ stdenv.mkDerivation rec {
   '';
 
   patches = [
-   (fetchpatch { url = "https://salsa.debian.org/debian/super/raw/debian/3.30.0-7/debian/patches/14-Fix-unchecked-setuid-call.patch";
-                 sha256 = "08m9hw4kyfjv0kqns1cqha4v5hkgp4s4z0q1rgif1fnk14xh7wqh";
-               })
+    (fetchpatch {
+      name = "CVE-2014-0470.patch";
+      url = "https://salsa.debian.org/debian/super/raw/debian/3.30.0-7/debian/patches/14-Fix-unchecked-setuid-call.patch";
+      sha256 = "08m9hw4kyfjv0kqns1cqha4v5hkgp4s4z0q1rgif1fnk14xh7wqh";
+    })
   ];
 
   NIX_CFLAGS_COMPILE = "-D_GNU_SOURCE";
diff --git a/pkgs/tools/text/a2ps/default.nix b/pkgs/tools/text/a2ps/default.nix
index 39f1b7e5bc2..c29060cb82f 100644
--- a/pkgs/tools/text/a2ps/default.nix
+++ b/pkgs/tools/text/a2ps/default.nix
@@ -17,6 +17,7 @@ stdenv.mkDerivation rec {
       sha256 = "0grqqsc3m45niac56m19m5gx7gc0m8zvia5iman1l4rlq31shf8s";
     })
     (fetchpatch {
+      name = "CVE-2015-8107.patch";
       url = "https://sources.debian.net/data/main/a/a2ps/1:4.14-1.3/debian/patches/fix-format-security.diff";
       sha256 = "0pq7zl41gf2kc6ahwyjnzn93vbxb4jc2c5g8j20isp4vw6dqrnwv";
     })