diff options
author | worldofpeace <worldofpeace@protonmail.ch> | 2019-06-18 19:47:39 -0400 |
---|---|---|
committer | worldofpeace <worldofpeace@protonmail.ch> | 2019-06-18 19:48:47 -0400 |
commit | fae9e165bb2cce50da9d10e16edd91c5ce41bf09 (patch) | |
tree | d7d407fab18bc4024964dfae9d7c06a26c1d0f7e /pkgs/development/libraries/gvfs | |
parent | 02ea0d3959ba5a8f2108d3bc8f5a57635d758713 (diff) | |
download | nixpkgs-fae9e165bb2cce50da9d10e16edd91c5ce41bf09.tar nixpkgs-fae9e165bb2cce50da9d10e16edd91c5ce41bf09.tar.gz nixpkgs-fae9e165bb2cce50da9d10e16edd91c5ce41bf09.tar.bz2 nixpkgs-fae9e165bb2cce50da9d10e16edd91c5ce41bf09.tar.lz nixpkgs-fae9e165bb2cce50da9d10e16edd91c5ce41bf09.tar.xz nixpkgs-fae9e165bb2cce50da9d10e16edd91c5ce41bf09.tar.zst nixpkgs-fae9e165bb2cce50da9d10e16edd91c5ce41bf09.zip |
gvfs: fix CVE-2019-12795
This is a version of #63481 for master. Vulnerability Description: daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. Note that the server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does. #63301
Diffstat (limited to 'pkgs/development/libraries/gvfs')
-rw-r--r-- | pkgs/development/libraries/gvfs/default.nix | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/pkgs/development/libraries/gvfs/default.nix b/pkgs/development/libraries/gvfs/default.nix index a238efb4bdb..1d6bad1914b 100644 --- a/pkgs/development/libraries/gvfs/default.nix +++ b/pkgs/development/libraries/gvfs/default.nix @@ -38,6 +38,11 @@ in stdenv.mkDerivation rec { url = "https://gitlab.gnome.org/GNOME/gvfs/commit/ec939a01c278d1aaa47153f51b5c5f0887738dd9.patch"; sha256 = "0hfybfaz2gfx3yyw5ymx6q0pqwkx2r1i7gzprfp80bplwslq0d4h"; }) + # CVE-2019-12795 + (fetchpatch { + url = "https://gitlab.gnome.org/GNOME/gvfs/commit/d8c9138bf240975848b1c54db648ec4cd516a48f.patch"; + sha256 = "1lx6yxykx24mnq5izijqk744zj6rgww6ba76z0qjal4y0z3gsdqp"; + }) ]; postPatch = '' |