treewide: add CVE identifiers to patches

This allows tools like broken.sh to correctly identify the patched
status.
gstqt5
Martin Weinelt 2020-05-06 23:18:09 +02:00
parent f46cbbc540
commit e24f5eab66
No known key found for this signature in database
GPG Key ID: BD4AA0528F63F17E
12 changed files with 32 additions and 21 deletions


@ -16,7 +16,7 @@ stdenv.mkDerivation {
substituteInPlace Makefile --replace "gcc" "cc"
'';
patches = [ ./10_fix_buffer_overflow_wordole_c.patch ];
patches = [ ./10_fix_buffer_overflow_wordole_c_CVE-2014-8123.patch ];
installTargets = [ "global_install" ];


@ -12,8 +12,8 @@ stdenv.mkDerivation rec {
buildInputs = [ perl cups dbus enscript ];
patches = [
# for CVE-2015-8327 & CVE-2015-8560
(fetchpatch {
name = "CVE-2015-8327+CVE-2015-8560.patch";
url = "https://salsa.debian.org/debian/foomatic-filters/raw/a3abbef2d2f8c7e62d2fe64f64afe294563fdf8f/debian/patches/0500-r7406_also_consider_the_back_tick_as_an_illegal_shell_escape_character.patch";
sha256 = "055nwi3sjf578nk40bqsch3wx8m2h65hdih0wmxflb6l0hwkq4p4";
})
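Review bot: The new `name = "CVE-2015-8327+CVE-2015-8560.patch";` packs two identifiers into one name with a `+`, a form no other section visible on this page uses. Nothing here shows whether broken.sh, the tool named in the commit message, extracts both identifiers from a single name. The existing comment above the call could state the convention instead of repeating the identifiers, for example `# name lists every CVE this patch fixes, joined with '+', so scanners can match each one`. The enclosing `patches` list continues past the end of the hunk.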


@ -13,6 +13,7 @@ stdenv.mkDerivation rec {
patches = [
(fetchpatch {
name = "CVE-2018-14348.patch";
url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/libcgroup/files/libcgroup-0.41-remove-umask.patch?id=33e9f4c81de754bbf76b893ea1133ed023f2a0e5";
sha256 = "1x0x29ld0cgmfwq4qy13s6d5c8sym1frfh1j2q47d8gfw6qaxka5";
})


@ -13,10 +13,12 @@ stdenv.mkDerivation rec {
./12-CVE-2016-9296.patch
./13-CVE-2017-17969.patch
(fetchpatch {
name = "3-CVE-2018-5996.patch";
url = "https://raw.githubusercontent.com/termux/termux-packages/master/packages/p7zip/3-CVE-2018-5996.patch";
sha256 = "1zivvkazmza0653i498ccp3zbpbpc7dvxl3zxwllbx41b6n589yp";
})
(fetchpatch {
name = "4-CVE-2018-10115.patch";
url = "https://raw.githubusercontent.com/termux/termux-packages/master/packages/p7zip/4-CVE-2018-10115.patch";
sha256 = "1cr7q8gnrk9yp6dcvxaqi1yhdbgp964nkv65ls41mw1kdfm44zn6";
})
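Review bot: Both `fetchpatch` URLs still point at the `master` branch of termux-packages, and the added `name` changes the store path of each fixed-output derivation, so anyone without a cached copy fetches the file again from a moving ref. The `sha256` makes a changed or removed upstream file fail the build rather than apply silently, but the security fix then stops being reproducible. Pinning the ref avoids that, e.g. `url = "https://raw.githubusercontent.com/termux/termux-packages/<pinned-commit>/packages/p7zip/3-CVE-2018-5996.patch";`, where `<pinned-commit>` is a placeholder for the revision the hash was taken from, and likewise for `4-CVE-2018-10115.patch`. The other `fetchpatch` calls that gain a `name` on this page are re-fetched the same way, but their URLs are already qualified by a commit, tag or version. The `patches` list opens before the hunk.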


@ -9,27 +9,27 @@ stdenv.mkDerivation rec {
sha256 = "127xql52dcdhmh7s5m9xc6q39jdlj3zhbjar1j821kb6gl3jw94b";
};
patches = map (p:
fetchpatch {
inherit (p) name sha256;
url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/${p.name}";
}) [
{
patches = [
(fetchpatch {
name = "00-support_large_iso.patch";
url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/00-support_large_iso.patch";
sha256 = "1lmclb1qwzz5f4wlq693g83bblwnjjl73qhgfxbsaac5hnn2shjw";
}
{
})
(fetchpatch {
name = "01-fix_typo.patch";
url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/01-fix_typo.patch";
sha256 = "14rpxp0yylzsgqv0r19l4wx1h5hvqp617gpv1yg0w48amr9drasa";
}
{ # CVE-2015-8837
name = "02-prevent-buffer-overflow.patch";
})
(fetchpatch {
name = "02-prevent-buffer-overflow_CVE-2015-8837.patch";
url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/02-prevent-buffer-overflow.patch";
sha256 = "1ls2pp3mh91pdb51qz1fsd8pwhbky6988bpd156bn7wgfxqzh8ig";
}
{ # CVE-2015-8836
name = "03-prevent-integer-overflow.patch";
})
(fetchpatch {
name = "03-prevent-integer-overflow_CVE-2015-8836.patch";
url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/03-prevent-integer-overflow.patch";
sha256 = "100cw07fk4sa3hl7a1gk2hgz4qsxdw99y20r7wpidwwwzy463zcv";
}
})
];
nativeBuildInputs = [ autoreconfHook pkgconfig ];
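Review bot: Replacing the `map` with four explicit `fetchpatch` calls repeats the Debian URL prefix, including the `${version}-3.2` revision, in every entry. A later revision bump then has to be made in four places, and a missed entry would keep fetching its patch from the older revision without any build failure. A small helper keeps the new per-patch names and a single prefix: bind `debianPatch = file: "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/${file}";` in a `let` in front of the list and write `url = debianPatch "02-prevent-buffer-overflow.patch";` in each entry. The dropped `# CVE-2015-8837` and `# CVE-2015-8836` comments are covered by the new names, so no information is lost there.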


@ -9,7 +9,12 @@ stdenv.mkDerivation rec {
sha256 = "5145aa844e54cca89ddab6fb7dd9e5952811d8d787c4f4bf27eb261e6c182098";
};
patches = [ ./format-string.patch ./overflow.patch ./segv.patch ./sprintf.patch ];
patches = [
./format-string_CVE-2012-4426.patch
./overflow_CVE-2012-4409.patch
./segv.patch
./sprintf_CVE-2012-4527.patch
];
buildInputs = [ libmcrypt libmhash ];


@ -17,9 +17,11 @@ stdenv.mkDerivation rec {
'';
patches = [
(fetchpatch { url = "https://salsa.debian.org/debian/super/raw/debian/3.30.0-7/debian/patches/14-Fix-unchecked-setuid-call.patch";
sha256 = "08m9hw4kyfjv0kqns1cqha4v5hkgp4s4z0q1rgif1fnk14xh7wqh";
})
(fetchpatch {
name = "CVE-2014-0470.patch";
url = "https://salsa.debian.org/debian/super/raw/debian/3.30.0-7/debian/patches/14-Fix-unchecked-setuid-call.patch";
sha256 = "08m9hw4kyfjv0kqns1cqha4v5hkgp4s4z0q1rgif1fnk14xh7wqh";
})
];
NIX_CFLAGS_COMPILE = "-D_GNU_SOURCE";


@ -17,6 +17,7 @@ stdenv.mkDerivation rec {
sha256 = "0grqqsc3m45niac56m19m5gx7gc0m8zvia5iman1l4rlq31shf8s";
})
(fetchpatch {
name = "CVE-2015-8107.patch";
url = "https://sources.debian.net/data/main/a/a2ps/1:4.14-1.3/debian/patches/fix-format-security.diff";
sha256 = "0pq7zl41gf2kc6ahwyjnzn93vbxb4jc2c5g8j20isp4vw6dqrnwv";
})