Skip to content
This repository was archived by the owner on Apr 12, 2021. It is now read-only.
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: NixOS/nixpkgs-channels
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: d6c1b566b770
Choose a base ref
...
head repository: NixOS/nixpkgs-channels
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: f860b7b6083b
Choose a head ref
  • 5 commits
  • 5 files changed
  • 3 contributors

Commits on May 9, 2020

  1. wire-desktop: linux 3.16.2923 -> 3.17.2924 

    (cherry picked from commit 84b5107)
    @toonn @FRidh
    toonn authored and FRidh committed May 9, 2020
    Copy the full SHA
    b04336d View commit details

  2. wire-desktop: mac 3.16.3630 -> 3.17.3666 

    (cherry picked from commit b408b8c)
    @toonn @FRidh
    toonn authored and FRidh committed May 9, 2020

    Verified

    This commit was signed with the committer’s verified signature.
    globin Robin Gloster
    GPG key ID: 5E4C836C632C2882
    Verified
    Learn about vigilant mode
    Copy the full SHA
    655649e View commit details

  3. graphicsmagick: apply patch for CVE-2020-10938 

    Adapted from http://hg.graphicsmagick.org/hg/GraphicsMagick/raw-rev/95abc2b694ce
    @mweinelt @FRidh
    mweinelt authored and FRidh committed May 9, 2020

    Verified

    This commit was signed with the committer’s verified signature.
    globin Robin Gloster
    GPG key ID: 5E4C836C632C2882
    Verified
    Learn about vigilant mode
    Copy the full SHA
    afb0b51 View commit details

  4. cups: 2.3.1 -> 2.3.3 

    https://github.com/apple/cups/releases/tag/v2.3.3

Fixes:

https://nvd.nist.gov/vuln/detail/CVE-2019-8842
https://nvd.nist.gov/vuln/detail/CVE-2020-3898
(cherry picked from commit fe90f585cacd4bda07e5c32706134a19b2c24027)
    @mmilata @FRidh
    mmilata authored and FRidh committed May 9, 2020
    Copy the full SHA
    f354d93 View commit details

  5. libssh: 0.8.8 -> 0.8.9 

    Fixes CVE-2020-1730.
Release notes: https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/

(cherry picked from commit 812ede7d26765f6663e9aa34311068a0392d95b7)
    @mmilata @FRidh
    mmilata authored and FRidh committed May 9, 2020
    Copy the full SHA
    f860b7b View commit details
296 changes: 296 additions & 0 deletions pkgs/applications/graphics/graphicsmagick/CVE-2020-10938.patch
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,296 @@

# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1573921897 21600
# Node ID 95abc2b694ceb0866f8aae94849bdf4033272035
# Parent 751e9e822b09b60713a51b218bd7722c381d3634
HuffmanDecodeImage(): Fix signed overflow on range check which leads to heap overflow in 32-bit applications. Ascii85Tuple(): Fix thread safety issue.

diff -r 751e9e822b09 -r 95abc2b694ce magick/compress.c
--- a/magick/compress.c Sun Nov 10 13:33:34 2019 -0600
+++ b/magick/compress.c Sat Nov 16 10:31:37 2019 -0600
@@ -1,5 +1,5 @@
/*
-% Copyright (C) 2003 - 2015 GraphicsMagick Group
+% Copyright (C) 2003-2019 GraphicsMagick Group
% Copyright (C) 2002 ImageMagick Studio
% Copyright 1991-1999 E. I. du Pont de Nemours and Company
%
@@ -53,21 +53,26 @@
*/
typedef struct HuffmanTable
{
+ unsigned int
+ id;
+
int
- id,
- code,
+ code;
+
+ unsigned int
length,
count;
+
} HuffmanTable;

/*
Huffman coding declarations.
*/
-#define TWId 23
-#define MWId 24
-#define TBId 25
-#define MBId 26
-#define EXId 27
+#define TWId 23U
+#define MWId 24U
+#define TBId 25U
+#define MBId 26U
+#define EXId 27U

static const HuffmanTable
MBTable[]=
@@ -202,37 +207,38 @@
*/
#define MaxLineExtent 36

-static char *Ascii85Tuple(unsigned char *data)
+static char *Ascii85Tuple(char tuple[6], const unsigned char * restrict data)
{
- static char
- tuple[6];
+ magick_uint32_t
+ code;

- register long
- i,
- x;
-
- unsigned long
- code,
- quantum;
-
- code=((((unsigned long) data[0] << 8) | (unsigned long) data[1]) << 16) |
- ((unsigned long) data[2] << 8) | (unsigned long) data[3];
- if (code == 0L)
+ code=((((magick_uint32_t) data[0] << 8) | (magick_uint32_t) data[1]) << 16) |
+ ((magick_uint32_t) data[2] << 8) | (magick_uint32_t) data[3];
+ if (code == 0)
{
tuple[0]='z';
tuple[1]='\0';
- return(tuple);
}
- quantum=85UL*85UL*85UL*85UL;
- for (i=0; i < 4; i++)
- {
- x=(long) (code/quantum);
- code-=quantum*x;
- tuple[i]=(char) (x+(int) '!');
- quantum/=85L;
- }
- tuple[4]=(char) ((code % 85L)+(int) '!');
- tuple[5]='\0';
+ else
+ {
+ register magick_int32_t
+ i,
+ x;
+
+ magick_uint32_t
+ quantum;
+
+ quantum=85U*85U*85U*85U;
+ for (i=0; i < 4; i++)
+ {
+ x=(magick_int32_t) (code/quantum);
+ code-=quantum*x;
+ tuple[i]=(char) (x+(int) '!');
+ quantum/=85;
+ }
+ tuple[4]=(char) ((code % 85)+(int) '!');
+ tuple[5]='\0';
+ }
return(tuple);
}

@@ -255,6 +261,9 @@

MagickExport void Ascii85Flush(Image *image)
{
+ char
+ tuple_buff[6];
+
register char
*tuple;

@@ -266,7 +275,7 @@
image->ascii85->buffer[image->ascii85->offset]=0;
image->ascii85->buffer[image->ascii85->offset+1]=0;
image->ascii85->buffer[image->ascii85->offset+2]=0;
- tuple=Ascii85Tuple(image->ascii85->buffer);
+ tuple=Ascii85Tuple(tuple_buff, image->ascii85->buffer);
(void) WriteBlob(image,image->ascii85->offset+1,
*tuple == 'z' ? "!!!!" : tuple);
}
@@ -286,6 +295,9 @@
register unsigned char
*p;

+ char
+ tuple_buff[6];
+
assert(image != (Image *) NULL);
assert(image->signature == MagickSignature);
assert(image->ascii85 != (Ascii85Info *) NULL);
@@ -296,7 +308,7 @@
p=image->ascii85->buffer;
for (n=image->ascii85->offset; n >= 4; n-=4)
{
- for (q=Ascii85Tuple(p); *q; q++)
+ for (q=Ascii85Tuple(tuple_buff,p); *q; q++)
{
image->ascii85->line_break--;
if ((image->ascii85->line_break < 0) && (*q != '%'))
@@ -355,11 +367,11 @@
%
%
*/
-#define HashSize 1021
-#define MBHashA 293
-#define MBHashB 2695
-#define MWHashA 3510
-#define MWHashB 1178
+#define HashSize 1021U
+#define MBHashA 293U
+#define MBHashB 2695U
+#define MWHashA 3510U
+#define MWHashB 1178U

#define InitializeHashTable(hash,table,a,b) \
{ \
@@ -401,26 +413,30 @@
byte,
code,
color,
- length,
null_lines,
runlength;

unsigned int
bit,
index,
+ length,
mask;

long
- count,
+ count;
+
+ unsigned long
y;

register IndexPacket
*indexes;

- register long
- i,
+ register unsigned long
x;

+ unsigned int
+ i;
+
register PixelPacket
*q;

@@ -481,13 +497,13 @@
image->x_resolution=204.0;
image->y_resolution=196.0;
image->units=PixelsPerInchResolution;
- for (y=0; ((y < (long) image->rows) && (null_lines < 3)); )
+ for (y=0; ((y < image->rows) && (null_lines < 3)); )
{
/*
Initialize scanline to white.
*/
p=scanline;
- for (x=0; x < (long) image->columns; x++)
+ for (x=0; x < image->columns; x++)
*p++=0;
/*
Decode Huffman encoded scanline.
@@ -502,7 +518,7 @@
{
if (byte == EOF)
break;
- if (x >= (long) image->columns)
+ if (x >= image->columns)
{
while (runlength < 11)
InputBit(bit);
@@ -563,7 +579,7 @@
case TBId:
{
count+=entry->count;
- if ((x+count) > (long) image->columns)
+ if ((x+(unsigned long) count) > image->columns)
count=(long) image->columns-x;
if (count > 0)
{
@@ -603,7 +619,7 @@
break;
}
indexes=AccessMutableIndexes(image);
- for (x=0; x < (long) image->columns; x++)
+ for (x=0; x < image->columns; x++)
{
index=(unsigned int) (*p++);
indexes[x]=index;
@@ -695,7 +711,9 @@
runlength;

long
- n,
+ n;
+
+ unsigned long
y;

Image
@@ -704,8 +722,10 @@
register const IndexPacket
*indexes;

- register long
- i,
+ unsigned long
+ i;
+
+ register unsigned long
x;

register const PixelPacket
@@ -772,10 +792,10 @@
polarity=(PixelIntensityToQuantum(&huffman_image->colormap[0]) <
PixelIntensityToQuantum(&huffman_image->colormap[1]) ? 0x00 : 0x01);
q=scanline;
- for (i=(long) width; i > 0; i--)
+ for (i=0; i < width; i++) /* was: for (i=(long) width; i > 0; i--) */
*q++=(unsigned char) polarity;
q=scanline;
- for (y=0; y < (long) huffman_image->rows; y++)
+ for (y=0; y < huffman_image->rows; y++)
{
p=AcquireImagePixels(huffman_image,0,y,huffman_image->columns,1,
&huffman_image->exception);
@@ -785,7 +805,7 @@
break;
}
indexes=AccessImmutableIndexes(huffman_image);
- for (x=0; x < (long) huffman_image->columns; x++)
+ for (x=0; x < huffman_image->columns; x++)
{
*q=(unsigned char) (indexes[x] == polarity ? !polarity : polarity);
q++;

1 change: 1 addition & 0 deletions pkgs/applications/graphics/graphicsmagick/default.nix
View file
Original file line number Diff line number Diff line change
@@ -14,6 +14,7 @@ stdenv.mkDerivation rec {
patches = [
./disable-popen.patch
./1.3.32-darwin-png-strlcat-fix.patch
./CVE-2020-10938.patch
];

configureFlags = [
8 changes: 4 additions & 4 deletions pkgs/applications/networking/instant-messengers/wire-desktop/default.nix
View file
Original file line number Diff line number Diff line change
@@ -20,13 +20,13 @@ let
pname = "wire-desktop";

version = {
x86_64-darwin = "3.16.3630";
x86_64-linux = "3.16.2923";
x86_64-darwin = "3.17.3666";
x86_64-linux = "3.17.2924";
}.${system} or throwSystem;

sha256 = {
x86_64-darwin = "1lnjn45bhd36n9xgx6xx9cggwivvkr2s6r4zai2dwg0aac1bywr5";
x86_64-linux = "0c8jmlsg2gnxsvly04xj1al80nj52rg4czfdha58sg14x14lyspz";
x86_64-darwin = "0r3ckfrdx0ah6wn364ii1q1laya2nmmfz9jsikc6ss28lijb6ipn";
x86_64-linux = "16f8zawdx7dyrb8hp3fd2j821jj7jlan60knmdlrrk84phlc9ldd";
}.${system} or throwSystem;

meta = with stdenv.lib; {
4 changes: 2 additions & 2 deletions pkgs/development/libraries/libssh/default.nix
View file
Original file line number Diff line number Diff line change
@@ -2,11 +2,11 @@

stdenv.mkDerivation rec {
pname = "libssh";
version = "0.8.8";
version = "0.8.9";

src = fetchurl {
url = "https://www.libssh.org/files/0.8/${pname}-${version}.tar.xz";
sha256 = "1qk5bm9r6199jbfk54f8w24vkl52051g8s3kmq4z2kdc6vbpy4jb";
sha256 = "09b8w9m5qiap8wbvz4613nglsynpk8hn0q9b929ny2y4l2fy2nc5";
};

postPatch = ''
4 changes: 2 additions & 2 deletions pkgs/misc/cups/default.nix
View file
Original file line number Diff line number Diff line change
@@ -30,15 +30,15 @@ stdenv.mkDerivation rec {
pname = "cups";

# After 2.2.6, CUPS requires headers only available in macOS 10.12+
version = if stdenv.isDarwin then "2.2.6" else "2.3.1";
version = if stdenv.isDarwin then "2.2.6" else "2.3.3";

passthru = { inherit version; };

src = fetchurl {
url = "https://github.com/apple/cups/releases/download/v${version}/cups-${version}-source.tar.gz";
sha256 = if version == "2.2.6"
then "16qn41b84xz6khrr2pa2wdwlqxr29rrrkjfi618gbgdkq9w5ff20"
else "1kkpmj17205j8w9hdff2bfpk6lwdmr3gx0j4r35nhgvya24rvjhv";
else "1vpk0b2vq830f8fvf9z8qjsm5k141i7pi8djbinpnr78pi4dj7r6";
};

outputs = [ "out" "lib" "dev" "man" ];