summary refs log tree commit diff
path: root/pkgs/tools/archivers/cpio/default.nix
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/tools/archivers/cpio/default.nix')
-rw-r--r--pkgs/tools/archivers/cpio/default.nix21
1 files changed, 19 insertions, 2 deletions
diff --git a/pkgs/tools/archivers/cpio/default.nix b/pkgs/tools/archivers/cpio/default.nix
index 2f3a1b97487..6a61ded4b19 100644
--- a/pkgs/tools/archivers/cpio/default.nix
+++ b/pkgs/tools/archivers/cpio/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl}:
+{ stdenv, fetchurl, fetchpatch }:
 
 stdenv.mkDerivation {
   name = "cpio-2.11";
@@ -8,7 +8,24 @@ stdenv.mkDerivation {
     sha256 = "bb820bfd96e74fc6ce43104f06fe733178517e7f5d1cdee553773e8eff7d5bbd";
   };
 
-  patches = [ ./no-gets.patch ] ++ stdenv.lib.optional stdenv.isDarwin ./darwin-fix.patch;
+  patches = [
+    ./no-gets.patch
+    (fetchpatch {
+      name = "CVE-2014-9112.diff";
+      url = "http://pkgs.fedoraproject.org/cgit/cpio.git/plain/cpio-2.11"
+        + "-CVE-2014-9112.patch?h=f21&id=b475b4d6f31c95e073edc95c742a33a39ef4ec95";
+      sha256 = "0c9yrysvpwbmiq7ph84dk6mv46hddiyvkgya1zsmj76n9ypb1b4i";
+    })
+  ] ++ stdenv.lib.optional stdenv.isDarwin ./darwin-fix.patch;
+
+  postPatch = let pp =
+    fetchpatch {
+      name = "CVE-2015-1197.diff";
+      url = "https://marc.info/?l=oss-security&m=142289947619786&w=2";
+      sha256 = "0fr95bj416zfljv40fl1sh50059d18wdmfgaq8ad2fqi5cnbk859";
+    };
+    # one "<" and one "&" sign get mangled in the patch
+    in "cat ${pp} | sed 's/&lt;/</;s/&amp;/\\&/' | patch -p1";
 
   meta = {
     homepage = http://www.gnu.org/software/cpio/;
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-30 05:03:25 +0000