This repository was archived by the owner on Apr 12, 2021. It is now read-only.
base repository: NixOS/nixpkgs-channels
base: a08e88c7e51b
head repository: NixOS/nixpkgs-channels
compare: 79d9429c4c7a
  • 4 commits
  • 5 files changed
  • 3 contributors

Commits on Nov 4, 2019

  1. ghostscript: add patches for CVE-2019-3839

    (cherry picked from commit f55969b)
    risicle committed Nov 4, 2019
    6db96e9 View commit details
  2. ghostscript: add patches for CVE-2019-10216, CVE-2019-14811, CVE-2019…

    …-14812, CVE-2019-14813 and some of CVE-2019-14817
    
    as with master, not all of the CVE-2019-14817 patch applies cleanly, but
    the parts that do should provide some protection
    
    (cherry picked from commit bd3f644)
    risicle committed Nov 4, 2019
    7e2ddc6 View commit details

Commits on Nov 16, 2019

  1. flashplayer: 32.0.0.270 -> 32.0.0.293

    (cherry picked from commit 8c99772)
    bendlas committed Nov 16, 2019
    aa3c79f View commit details
  2. Copy the full SHA
    79d9429 View commit details
4 changes: 2 additions & 2 deletions pkgs/applications/networking/browsers/chromium/plugins.nix
@@ -100,11 +100,11 @@ let

flash = stdenv.mkDerivation rec {
pname = "flashplayer-ppapi";
version = "32.0.0.270";
version = "32.0.0.293";

src = fetchzip {
url = "https://fpdownload.adobe.com/pub/flashplayer/pdc/${version}/flash_player_ppapi_linux.x86_64.tar.gz";
sha256 = "1z8nfw7b3dsy79gb50bmmdjz66j5gx6m0hkw1abp35xdgh2sz2ak";
sha256 = "0rgriqdbyrzpm1bcph35bhzd5dz21yim56z93hkmbpdqg7767dwm";
stripRoot = false;
};

@@ -74,7 +74,7 @@ let
in
stdenv.mkDerivation rec {
pname = "flashplayer";
version = "32.0.0.270";
version = "32.0.0.293";

src = fetchurl {
url =
@@ -85,14 +85,14 @@ stdenv.mkDerivation rec {
sha256 =
if debug then
if arch == "x86_64" then
"1c3dn4gkl40i5sjkvpbkn9fl82vjhy1v7dhrayk3ncfsxcyvbcm0"
"0lz1na68gdi9n23hfj5c731dbskm9684cwar7ji8yjfhfryfg5yn"
else
"1g7i9mihn5g9i71xyf805k19yk41vsr85gzk87gm426m0hcgg89i"
"10gm2ynndlyk66fndfbh7ah5ssqpyw8415i10n3lpw940x201dk0"
else
if arch == "x86_64" then
"16lxgkbr2hg49vhc7414zkh1kblhysf779854faay308ml3i5kdw"
"0hmlv0v9lbgxrmz0n7czfnrbrwjwxhy99gsr5g1m0aqgw0y61clc"
else
"0jrdzm8pw7aq32w7m4rvkhj7mmqyddh5yxpj7q3d9hxrwshkikvj";
"0qdw4f48xhnkzdly3jz63v14nmzd0gg49az5wxb08ghs8laaqlik";
};

nativeBuildInputs = [ unzip ];
@@ -50,7 +50,7 @@

stdenv.mkDerivation rec {
pname = "flashplayer-standalone";
version = "32.0.0.270";
version = "32.0.0.293";

src = fetchurl {
url =
@@ -60,9 +60,9 @@ stdenv.mkDerivation rec {
"https://fpdownload.macromedia.com/pub/flashplayer/updaters/32/flash_player_sa_linux.x86_64.tar.gz";
sha256 =
if debug then
"0k5azrl92hkbn7adjz7s2lv8h59n7gsjrcprqdc485i4f7sjmkwj"
"13mrknvl3yd8vrcs7mp6szz6f9ssfs72apzvc60f9qfwkhiwlg87"
else
"1la5s4wxchfpl8in576xj675yrg84pify22pwf063h0jg3rdgi68";
"0isvmzyi4isxvxxc5ksplcqc5cafpvbrln3dddpms8zps2dxpyzi";
};

nativeBuildInputs = [ unzip ];
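--- a/pkgs/misc/ghostscript/9.26-CVE-2019-10216.patch
+++ b/pkgs/misc/ghostscript/9.26-CVE-2019-10216.patch
@@ -0,0 +1,36 @@
+Based on upstream commit 5b85ddd19a8420a1bd2d5529325be35d78e94234
+--- a/Resource/Init/gs_type1.ps
++++ b/Resource/Init/gs_type1.ps
+@@ -118,25 +118,25 @@
+( to be the same as glyph: ) print 1 index //== exec } if
+3 index exch 3 index //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
+% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+- }
++ }executeonly
+{pop} ifelse
+- } forall
++ } executeonly forall
+pop pop
+- }
++ } executeonly
+{
+pop pop pop
+} ifelse
+- }
++ } executeonly
+{
+% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+pop pop
+} ifelse
+- } forall
++ } executeonly forall
+3 1 roll pop pop
+- } if
++ } executeonly if
+pop
+dup /.AGLprocessed~GS //true //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
+- } if
++ } executeonly if
+
+%% We need to excute the C .buildfont1 in a stopped context so that, if there
+%% are errors we can put the stack back sanely and exit. Otherwise callers won't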
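Review bot: The header line `Based on upstream commit 5b85ddd19a8420a1bd2d5529325be35d78e94234` does not say how this local copy differs from the upstream change, which is what a reviewer needs in order to audit a hand-adapted security backport. I would extend the header to name the CVE from the file name (CVE-2019-10216) and to state whether only hunk context was adjusted or whether any upstream hunks were dropped. Minor: as rendered here the first changed line reads `}executeonly` while the other six read `} executeonly`; the scanner should treat both the same, but consistent spacing makes the backport easier to compare against upstream.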
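--- a/pkgs/misc/ghostscript/default.nix
+++ b/pkgs/misc/ghostscript/default.nix
@@ -51,6 +51,30 @@ stdenv.mkDerivation rec {
 url = "http://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=d3537a54740d78c5895ec83694a07b3e4f616f61";
 sha256 = "1hr8bpi87bbg1kvv28kflmfh1dhzxw66p9q0ddvbrj72qd86p3kx";
 })
+(fetchpatch {
+name = "CVE-2019-3839-part-1";
+url = "http://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9";
+sha256 = "0gn1n9fq5msrxxzspidcnmykp1iv3yvx5485fddmgrslr52ngcf9";
+})
+(fetchpatch {
+name = "CVE-2019-3839-part-2";
+url = "http://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=db24f253409d5d085c2760c814c3e1d3fa2dac59";
+sha256 = "1h6kpwc6ryr6jlxjr6bfnvmmf8x0kqmyjlx3hggqjs23n0wsr9p9";
+})
+./9.26-CVE-2019-10216.patch
+(fetchpatch {
+name = "CVE-2019-14811.CVE-2019-14812.CVE-2019-14813.patch";
+url = "https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33";
+sha256 = "19928sr7xpx7iibk9gn127g0r1yv2lcfpwgk2ipzz4wgrs3f5j70";
+})
+(fetchpatch {
+name = "CVE-2019-14817-partial.patch";
+url = "https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19";
+# patch doesn't apply cleanly to all files, but at least partially applying it fixes
+# *some* of the problematic sites.
+excludes = ["Resource/Init/pdf_font.ps" "Resource/Init/pdf_draw.ps"];
+sha256 = "04sy05svm3d2hyyzq41x5aqg3cgg2shaq08ivdqsys95nlihccpn";
+})
 ];
 
 outputs = [ "out" "man" "doc" ];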
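Review bot: The `CVE-2019-14817-partial.patch` entry excludes `Resource/Init/pdf_font.ps` and `Resource/Init/pdf_draw.ps`, so those two files keep their unpatched code and the package is only partly covered for that CVE; the existing comment says "*some*" but does not name what stays open. I would make the comment explicit, e.g. `# pdf_font.ps and pdf_draw.ps are excluded because their hunks do not apply to this version; CVE-2019-14817 remains open for those files until they are backported by hand.` Separately, the two `CVE-2019-3839` entries fetch over `http://git.ghostscript.com/` while the entries added below them use `https://`. The `sha256` pins the content either way, so in-path tampering would surface as a hash mismatch, but using `https://` throughout would be consistent. The patches list opens above this hunk.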