authorLancelot SIX <lsix@lancelotsix.com>2019-11-06 17:30:02 +0100
committerFrederik Rietdijk <freddyrietdijk@fridh.nl>2019-11-12 14:46:08 +0100
commitfe758f5fa368ebcdc03419c54412dd9abfd76b35 (patch)
treee4ade3fcf562880d3dc747804b084bd792177702 /pkgs/tools/archivers/cpio
parent30e428c96caa2e41472100a959ea68206e542998 (diff)
cpio: 2.12 -> 2.13
See https://lists.gnu.org/archive/html/info-gnu/2019-11/msg00002.html
for release information.

Fixes CVE-2019-14866
Diffstat (limited to 'pkgs/tools/archivers/cpio')
-rw-r--r--pkgs/tools/archivers/cpio/CVE-2016-2037-out-of-bounds-write.patch29
-rw-r--r--pkgs/tools/archivers/cpio/default.nix20
2 files changed, 3 insertions, 46 deletions
diff --git a/pkgs/tools/archivers/cpio/CVE-2016-2037-out-of-bounds-write.patch b/pkgs/tools/archivers/cpio/CVE-2016-2037-out-of-bounds-write.patch
deleted file mode 100644
index 90ddeff9790..00000000000
--- a/pkgs/tools/archivers/cpio/CVE-2016-2037-out-of-bounds-write.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff --git a/src/copyin.c b/src/copyin.c
-index cde911e..032d35f 100644
---- a/src/copyin.c
-+++ b/src/copyin.c
-@@ -1385,6 +1385,8 @@ process_copy_in ()
-          break;
-        }
-
-+      if (file_hdr.c_namesize <= 1)
-+        file_hdr.c_name = xrealloc(file_hdr.c_name, 2);
-       cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag,
-                              false);
-
-diff --git a/src/util.c b/src/util.c
-index 6ff6032..2763ac1 100644
---- a/src/util.c
-+++ b/src/util.c
-@@ -1411,7 +1411,10 @@ set_file_times (int fd,
- }
-
- /* Do we have to ignore absolute paths, and if so, does the filename
--   have an absolute path?  */
-+   have an absolute path?
-+   Before calling this function make sure that the allocated NAME buffer has
-+   capacity at least 2 bytes to allow us to store the "." string inside.  */
-+
- void
- cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
-                        bool strip_leading_dots)
diff --git a/pkgs/tools/archivers/cpio/default.nix b/pkgs/tools/archivers/cpio/default.nix
index 44943109ee1..3f6b3ba4598 100644
--- a/pkgs/tools/archivers/cpio/default.nix
+++ b/pkgs/tools/archivers/cpio/default.nix
@@ -1,30 +1,16 @@
-{ stdenv, fetchurl, fetchpatch }:
+{ stdenv, fetchurl }:
 
 let
-  version = "2.12";
+  version = "2.13";
   name = "cpio-${version}";
 in stdenv.mkDerivation {
   inherit name;
 
   src = fetchurl {
     url = "mirror://gnu/cpio/${name}.tar.bz2";
-    sha256 = "0vi9q475h1rki53100zml75vxsykzyhrn70hidy41s5c2rc8r6bh";
+    sha256 = "0vbgnhkawdllgnkdn6zn1f56fczwk0518krakz2qbwhxmv2vvdga";
   };
 
-  patches = [
-    (fetchpatch {
-      name = "CVE-2015-1197-cpio-2.12.patch";
-      url = "https://gist.github.com/nckx/70b0bfa80ddfb86c2967/"
-        + "raw/e9b40d4d4b701f584f826775b75beb10751dc884/"
-        + "CVE-2015-1197-cpio-2.12.patch";
-      sha256 = "0ph43m4lavwkc4gnl5h9p3da4kb1pnhwk5l2qsky70dqri8pcr8v";
-    })
-
-    # Report: http://www.openwall.com/lists/oss-security/2016/01/19/4
-    # Patch from https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html
-    ./CVE-2016-2037-out-of-bounds-write.patch
-  ];
-
   preConfigure = if stdenv.isCygwin then ''
     sed -i gnu/fpending.h -e 's,include <stdio_ext.h>,,'
   '' else null;
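Review bot: The removed `patches` list carried fixes for CVE-2015-1197 and CVE-2016-2037, but the commit message names only CVE-2019-14866, so nothing here records that 2.13 already contains those two fixes. Presumably both went upstream in this release; that should be confirmed against the linked announcement or the 2.13 NEWS file before the patches are dropped. I would leave a short comment above `preConfigure`, for example `# cpio 2.13 ships the CVE-2015-1197 and CVE-2016-2037 fixes previously applied as patches`, and list both CVEs in the commit message so that anyone auditing the package can see the fixes were kept. The `stdenv.mkDerivation` attribute set continues past the end of this hunk.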