fontforge: CVE-2020-5395, CVE-2020-5496 #88557
Conversation
I can't nixpkgs-review this giant rebuild on my laptop, sorry. But you could take the opportunity and replace fetchurl with fetchFromGithub and http with https in meta.homepage. :)
5b4dfbe to 8cfbdaa
These CVEs have two different issues being tagged as 'Exploit'.

CVE-2020-5395 [0]: fontforge/fontforge#4084
CVE-2020-5496 [1]: fontforge/fontforge#4085

Both issues refer to [2] as a fix, so I guess this patch fixes it.

[0] https://nvd.nist.gov/vuln/detail/CVE-2020-5395
[1] https://nvd.nist.gov/vuln/detail/CVE-2020-5496
[2] fontforge/fontforge@048a91e
The old homepage fontforge.github.io redirects to fontforge.org
bcd5a0b to a16ff5e
Fixed the https URL. We use fetchurl, as we are building from the release tarball, not from source. I'm not satisfied with the situation but it's non-trivial to fix, as the release tarball contains more than just the sources. I'm working on a PR that fixes the issue and upgrades to

Ah, that makes sense. I was wondering why you didn't just update 😃

ofborg failed to fetch the patch

That's weird, the URL is still valid. Let's retry it.

I've merged #89583.
Motivation for this change
Close #88291.
Things done
See the commit message for reasoning.
This needs to be backported to nixos-20.03.