This repository was archived by the owner on Apr 12, 2021. It is now read-only.
base repository: NixOS/nixpkgs-channels
base: aa3c79f85f7c
head repository: NixOS/nixpkgs-channels
compare: 3f92c2124a55
  • 7 commits
  • 5 files changed
  • 3 contributors

Commits on Nov 4, 2019

  1. ghostscript: add patches for CVE-2019-3839

    (cherry picked from commit f55969b)
    risicle committed Nov 4, 2019

    Verified

    This commit was signed with the committer’s verified signature. The key has expired.
    marsam Mario Rodas
    6db96e9 View commit details
  2. ghostscript: add patches for CVE-2019-10216, CVE-2019-14811, CVE-2019…

    …-14812, CVE-2019-14813 and some of CVE-2019-14817
    
    as with master, not all of the CVE-2019-14817 patch applies cleanly, but
    the parts that do should provide some protection
    
    (cherry picked from commit bd3f644)
    risicle committed Nov 4, 2019

    Unverified

    No user is associated with the committer email.
    7e2ddc6 View commit details

Commits on Nov 11, 2019

  1. Unverified

    No user is associated with the committer email.
    1f2a133 View commit details

Commits on Nov 16, 2019

  1. Copy the full SHA
    79d9429 View commit details
  2. Copy the full SHA
    eef525b View commit details
  3. Merge #72958: libexif: fix CVE-2018-20030

    (cherry picked from commit 908f624)
    Fixes #57153.
    vcunat committed Nov 16, 2019
    08cc1b8 View commit details
  4. electrum-dash: mark as vulnerable

    CVE-2018-1000022 in electrum
    
    (cherry picked from commit a50507a)
    c0bw3b committed Nov 16, 2019
    3f92c21 View commit details
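--- a/pkgs/applications/misc/electrum/dash.nix
+++ b/pkgs/applications/misc/electrum/dash.nix
@@ -42,5 +42,6 @@ python2Packages.buildPythonApplication rec {
 homepage = https://github.com/dashpay/electrum-dash;
 license = licenses.gpl3;
 maintainers = with maintainers; [ np ];
+knownVulnerabilities = [ "CVE-2018-1000022" ];
 };
 }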
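Review bot: The new `knownVulnerabilities` entry records only the CVE id, so nothing in the file tells a maintainer when the mark can be lifted. The commit message says the CVE is in electrum, which suggests the fork inherits it; a comment beside the attribute would capture that, for example `# inherited from upstream electrum; drop once electrum-dash is based on a fixed release (<fixed-version>)`. The enclosing attribute set (presumably `meta`) and the `buildPythonApplication` call start outside the hunk, so the version being marked is not visible here.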
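--- a/pkgs/development/libraries/gdal/default.nix
+++ b/pkgs/development/libraries/gdal/default.nix
@@ -16,6 +16,15 @@ stdenv.mkDerivation rec {
 sha256 = "09qgy36z0jc9w05373m4n0vm4j54almdzql6z9p9zr9pdp61syf3";
 };
 
+patches = [
+(fetchpatch {
+name = "CVE-2019-17545.patch";
+url = "https://github.com/OSGeo/gdal/commit/8cd2d2eb6327cf782a74dae263ffa6f89f46c93d.patch";
+stripLen = 1;
+sha256 = "06h88a659jcqf6ps1m91qy78s6s9krbkwnz28f5qh7032vlp6qpw";
+})
+];
+
 buildInputs = [ unzip libjpeg libtiff libpng proj openssl sqlite
 libspatialite poppler hdf4 qhull giflib expat libxml2 ]
 ++ (with pythonPackages; [ python numpy wrapPython ])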
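Review bot: `stripLen = 1` on the CVE-2019-17545 patch has no comment saying why it is needed. Presumably the paths in the upstream commit carry one more leading directory than the unpacked source tree does, so the first component has to be dropped for the patch to apply. A one-line comment such as `# upstream commit paths have an extra leading directory compared to the release tarball` would save the next person who bumps the version from rediscovering it. The derivation body starts before the hunk and continues after it.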
25 changes: 18 additions & 7 deletions pkgs/development/libraries/libexif/default.nix
@@ -9,21 +9,32 @@ stdenv.mkDerivation rec {
};

patches = [
(fetchpatch {
name = "CVE-2017-7544.patch";
url = https://sourceforge.net/p/libexif/bugs/_discuss/thread/fc394c4b/489a/attachment/xx.pat;
sha256 = "1qgk8hgnxr8d63jsc4vljxz9yg33mbml280dq4a6050rmk9wq4la";
})
(fetchpatch {
name = "CVE-2017-7544.patch";
url = "https://github.com/libexif/libexif/commit/c39acd1692023b26290778a02a9232c873f9d71a.patch";
sha256 = "0xgx6ly2i4q05shb61mfx6njwf1yp347jkznm0ka4m85i41xm6sd";
})
(fetchpatch {
name = "CVE-2018-20030-1.patch";
url = "https://github.com/libexif/libexif/commit/5d28011c40ec86cf52cffad541093d37c263898a.patch";
sha256 = "1wv8s962wmbn2m2xypgirf12g6msrbplpsmd5bh86irfwhkcppj3";
})
(fetchpatch {
name = "CVE-2018-20030-2.patch";
url = "https://github.com/libexif/libexif/commit/6aa11df549114ebda520dde4cdaea2f9357b2c89.patch";
sha256 = "01aqvz63glwq6wg0wr7ykqqghb4abgq77ghvhizbzadg1k4h7drx";
excludes = [ "NEWS" ];
})
];
patchFlags = "-p0";

buildInputs = [ gettext ];

meta = {
homepage = http://libexif.sourceforge.net/;
homepage = https://libexif.github.io/;
description = "A library to read and manipulate EXIF data in digital photographs";
license = stdenv.lib.licenses.lgpl21;
platforms = stdenv.lib.platforms.unix;
maintainers = [ stdenv.lib.maintainers.erictapen ];
};

}
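--- /dev/null
+++ b/pkgs/misc/ghostscript/9.26-CVE-2019-10216.patch
@@ -0,0 +1,36 @@
+Based on upstream commit 5b85ddd19a8420a1bd2d5529325be35d78e94234
+--- a/Resource/Init/gs_type1.ps
++++ b/Resource/Init/gs_type1.ps
+@@ -118,25 +118,25 @@
+( to be the same as glyph: ) print 1 index //== exec } if
+3 index exch 3 index //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
+% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+- }
++ }executeonly
+{pop} ifelse
+- } forall
++ } executeonly forall
+pop pop
+- }
++ } executeonly
+{
+pop pop pop
+} ifelse
+- }
++ } executeonly
+{
+% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+pop pop
+} ifelse
+- } forall
++ } executeonly forall
+3 1 roll pop pop
+- } if
++ } executeonly if
+pop
+dup /.AGLprocessed~GS //true //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
+- } if
++ } executeonly if
+
+%% We need to excute the C .buildfont1 in a stopped context so that, if there
+%% are errors we can put the stack back sanely and exit. Otherwise callers won't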
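--- a/pkgs/misc/ghostscript/default.nix
+++ b/pkgs/misc/ghostscript/default.nix
@@ -51,6 +51,30 @@ stdenv.mkDerivation rec {
 url = "http://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=d3537a54740d78c5895ec83694a07b3e4f616f61";
 sha256 = "1hr8bpi87bbg1kvv28kflmfh1dhzxw66p9q0ddvbrj72qd86p3kx";
 })
+(fetchpatch {
+name = "CVE-2019-3839-part-1";
+url = "http://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9";
+sha256 = "0gn1n9fq5msrxxzspidcnmykp1iv3yvx5485fddmgrslr52ngcf9";
+})
+(fetchpatch {
+name = "CVE-2019-3839-part-2";
+url = "http://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=db24f253409d5d085c2760c814c3e1d3fa2dac59";
+sha256 = "1h6kpwc6ryr6jlxjr6bfnvmmf8x0kqmyjlx3hggqjs23n0wsr9p9";
+})
+./9.26-CVE-2019-10216.patch
+(fetchpatch {
+name = "CVE-2019-14811.CVE-2019-14812.CVE-2019-14813.patch";
+url = "https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33";
+sha256 = "19928sr7xpx7iibk9gn127g0r1yv2lcfpwgk2ipzz4wgrs3f5j70";
+})
+(fetchpatch {
+name = "CVE-2019-14817-partial.patch";
+url = "https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19";
+# patch doesn't apply cleanly to all files, but at least partially applying it fixes
+# *some* of the problematic sites.
+excludes = ["Resource/Init/pdf_font.ps" "Resource/Init/pdf_draw.ps"];
+sha256 = "04sy05svm3d2hyyzq41x5aqg3cgg2shaq08ivdqsys95nlihccpn";
+})
 ];
 
 outputs = [ "out" "man" "doc" ];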
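Review bot: The `CVE-2019-14817-partial.patch` entry excludes `Resource/Init/pdf_font.ps` and `Resource/Init/pdf_draw.ps`, so whatever the upstream fix changes in those two files stays unpatched, and apart from the patch name and the two-line comment nothing marks the package as still exposed. It would help to say so where a later maintainer will act on it, e.g. `# TODO: CVE-2019-14817 still open in pdf_font.ps and pdf_draw.ps; backport by hand or update ghostscript`. Separately, the two CVE-2019-3839 entries use `http://git.ghostscript.com` while the entries added below them use `https://`; the `sha256` pins the fetched content either way, but `https://` throughout would be consistent. The `patches` list and the derivation start outside the hunk.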