Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chocolate-doom: fixed CVE-2020-14983 #92235

Closed
wants to merge 1 commit into from
Closed

chocolate-doom: fixed CVE-2020-14983 #92235

wants to merge 1 commit into from

Conversation

neonfuz
Copy link
Contributor

@neonfuz neonfuz commented Jul 3, 2020

Motivation for this change

Fix CVE-2020-14983

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@neonfuz neonfuz mentioned this pull request Jul 3, 2020
Closed
1 task
@ofborg ofborg bot requested a review from MP2E July 3, 2020 23:03
danieldk
danieldk suggested changes Jul 4, 2020
View reviewed changes
pkgs/games/chocolate-doom/default.nix Outdated
@@ -11,12 +11,15 @@ stdenv.mkDerivation rec {
sha256 = "0ajzb767wyj8vzhjpsmgslw42b0155ji4alk26shxl7k5ijbzn0j";
};

patches = [ ./CVE-2020-14983.patch ];
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After #92130 only the ticdup patch should be necessary (is that also a CVE?). Please use fetchpatch to get it from the upstream repository:

https://github.com/chocolate-doom/chocolate-doom/commit/54fb12eeaa7d527defbe65e7e00e37d5feb7c597.diff

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure honestly. When upstream linked to the fix for CVE-2020-14983 they included it, so I included it.

@ckauhaus ckauhaus linked an issue Jul 4, 2020 that may be closed by this pull request
Vulnerability roundup 87: chocolate-doom-3.0.0: 1 advisory [9.8] #92035
Closed
1 task
@neonfuz
Copy link
Contributor Author

neonfuz commented Jul 5, 2020

Actually it looks like 3.0.1 has both patches applied, so there's nothing to be done here. Considering this is a security issue, is 20.03 going to get 3.0.1 backported?

https://github.com/chocolate-doom/chocolate-doom/blob/chocolate-doom-3.0.1/src/d_loop.c#L427

@neonfuz neonfuz closed this Jul 5, 2020
@danieldk
Copy link
Contributor

danieldk commented Jul 5, 2020

Actually it looks like 3.0.1 has both patches applied, so there's nothing to be done here. Considering this is a security issue, is 20.03 going to get 3.0.1 backported?

Indeed, made a PR for that when the update was merged:

#92248

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danieldk danieldk danieldk requested changes

@MP2E MP2E Awaiting requested review from MP2E

Assignees
No one assigned
Labels
10.rebuild-darwin: 0 10.rebuild-linux: 1-10 10.rebuild-linux: 1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Vulnerability roundup 87: chocolate-doom-3.0.0: 1 advisory [9.8]
2 participants
@neonfuz @danieldk