base repository: NixOS/nixpkgs
base: 01539e6f9a7d
head repository: NixOS/nixpkgs
compare: 38d043b11647
  • 2 commits
  • 12 files changed
  • 2 contributors

Commits on May 6, 2020

  1. treewide: add CVE identifiers to patches

    This allows tools like broken.sh to correctly identify the patched
    status.
    mweinelt committed May 6, 2020

    Verified

    This commit was signed with the committer’s verified signature. The key has expired.
    mweinelt Martin Weinelt
    e24f5ea View commit details
  2. Merge pull request #87139 from mweinelt/pr/security-patch-names

    treewide: add CVE identifiers to patches
    andir authored May 6, 2020

    Verified

    This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
    38d043b View commit details
2 changes: 1 addition & 1 deletion pkgs/applications/office/antiword/default.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation {
substituteInPlace Makefile --replace "gcc" "cc"
'';

patches = [ ./10_fix_buffer_overflow_wordole_c.patch ];
patches = [ ./10_fix_buffer_overflow_wordole_c_CVE-2014-8123.patch ];

installTargets = [ "global_install" ];

2 changes: 1 addition & 1 deletion pkgs/misc/drivers/foomatic-filters/default.nix
@@ -12,8 +12,8 @@ stdenv.mkDerivation rec {
buildInputs = [ perl cups dbus enscript ];

patches = [
# for CVE-2015-8327 & CVE-2015-8560
(fetchpatch {
name = "CVE-2015-8327+CVE-2015-8560.patch";
url = "https://salsa.debian.org/debian/foomatic-filters/raw/a3abbef2d2f8c7e62d2fe64f64afe294563fdf8f/debian/patches/0500-r7406_also_consider_the_back_tick_as_an_illegal_shell_escape_character.patch";
sha256 = "055nwi3sjf578nk40bqsch3wx8m2h65hdih0wmxflb6l0hwkq4p4";
})
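Review bot: The new `name = "CVE-2015-8327+CVE-2015-8560.patch"` asserts two CVEs as fixed, but the file name in the `url` of the fetched Debian patch mentions only the back tick as an illegal shell escape character. The commit message says tools read the patched status from this name, so it is worth confirming that this single patch really covers CVE-2015-8560 as well; otherwise a scanner would report that CVE as patched when it is not. If the check confirms it, a short comment such as `# one upstream change covers both CVEs` above the `fetchpatch` would record that. The `patches` list continues outside the hunk.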
1 change: 1 addition & 0 deletions pkgs/os-specific/linux/libcgroup/default.nix
@@ -13,6 +13,7 @@ stdenv.mkDerivation rec {

patches = [
(fetchpatch {
name = "CVE-2018-14348.patch";
url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/libcgroup/files/libcgroup-0.41-remove-umask.patch?id=33e9f4c81de754bbf76b893ea1133ed023f2a0e5";
sha256 = "1x0x29ld0cgmfwq4qy13s6d5c8sym1frfh1j2q47d8gfw6qaxka5";
})
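Review bot: The name `CVE-2018-14348.patch` drops the description that the fetched file carries (`libcgroup-0.41-remove-umask.patch`), while the fuseiso section of the same commit keeps both parts (`02-prevent-buffer-overflow_CVE-2015-8837.patch`). Keeping one convention, for example `name = "remove-umask_CVE-2018-14348.patch";`, leaves the CVE identifier matchable and still tells a reader of a build log what the patch does. The same applies to the `name` lines shown for foomatic-filters, super and a2ps. The `patches` list continues outside the hunk.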
2 changes: 2 additions & 0 deletions pkgs/tools/archivers/p7zip/default.nix
@@ -13,10 +13,12 @@ stdenv.mkDerivation rec {
./12-CVE-2016-9296.patch
./13-CVE-2017-17969.patch
(fetchpatch {
name = "3-CVE-2018-5996.patch";
url = "https://raw.githubusercontent.com/termux/termux-packages/master/packages/p7zip/3-CVE-2018-5996.patch";
sha256 = "1zivvkazmza0653i498ccp3zbpbpc7dvxl3zxwllbx41b6n589yp";
})
(fetchpatch {
name = "4-CVE-2018-10115.patch";
url = "https://raw.githubusercontent.com/termux/termux-packages/master/packages/p7zip/4-CVE-2018-10115.patch";
sha256 = "1cr7q8gnrk9yp6dcvxaqi1yhdbgp964nkv65ls41mw1kdfm44zn6";
})
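Review bot: Both `fetchpatch` entries that carry a `name` here fetch from the `master` branch of termux-packages, which is a mutable ref. The `sha256` still pins the content, so nothing unreviewed can slip in, but adding `name` presumably changes the fixed-output store path and forces a re-fetch, which fails with a hash mismatch once the file on `master` has been edited or removed. Pinning the URL to a commit, `url = "https://raw.githubusercontent.com/termux/termux-packages/<commit>/packages/p7zip/3-CVE-2018-5996.patch";` (with `<commit>` a placeholder for the revision the hash was taken from), keeps these security patches reproducible; the same applies to `4-CVE-2018-10115.patch`. The list starts and ends outside the hunk.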
30 changes: 15 additions & 15 deletions pkgs/tools/filesystems/fuseiso/default.nix
@@ -9,27 +9,27 @@ stdenv.mkDerivation rec {
sha256 = "127xql52dcdhmh7s5m9xc6q39jdlj3zhbjar1j821kb6gl3jw94b";
};

patches = map (p:
fetchpatch {
inherit (p) name sha256;
url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/${p.name}";
}) [
{
patches = [
(fetchpatch {
name = "00-support_large_iso.patch";
url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/00-support_large_iso.patch";
sha256 = "1lmclb1qwzz5f4wlq693g83bblwnjjl73qhgfxbsaac5hnn2shjw";
}
{
})
(fetchpatch {
name = "01-fix_typo.patch";
url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/01-fix_typo.patch";
sha256 = "14rpxp0yylzsgqv0r19l4wx1h5hvqp617gpv1yg0w48amr9drasa";
}
{ # CVE-2015-8837
name = "02-prevent-buffer-overflow.patch";
})
(fetchpatch {
name = "02-prevent-buffer-overflow_CVE-2015-8837.patch";
url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/02-prevent-buffer-overflow.patch";
sha256 = "1ls2pp3mh91pdb51qz1fsd8pwhbky6988bpd156bn7wgfxqzh8ig";
}
{ # CVE-2015-8836
name = "03-prevent-integer-overflow.patch";
})
(fetchpatch {
name = "03-prevent-integer-overflow_CVE-2015-8836.patch";
url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/03-prevent-integer-overflow.patch";
sha256 = "100cw07fk4sa3hl7a1gk2hgz4qsxdw99y20r7wpidwwwzy463zcv";
}
})
];

nativeBuildInputs = [ autoreconfHook pkgconfig ];
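Review bot: Assuming the explicit list is the new side, unrolling the `map` repeats the same `sources.debian.net` prefix in four `url` lines only because `name` and the remote file name now differ for two entries. The helper could stay if the URL took an optional attribute, `url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/${p.file or p.name}";`, with `file = "02-prevent-buffer-overflow.patch";` set on the CVE entries. That keeps the Debian revision `-3.2` in one place, so a later bump cannot leave one patch fetched from a different revision than the others.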
7 changes: 6 additions & 1 deletion pkgs/tools/misc/mcrypt/default.nix
@@ -9,7 +9,12 @@ stdenv.mkDerivation rec {
sha256 = "5145aa844e54cca89ddab6fb7dd9e5952811d8d787c4f4bf27eb261e6c182098";
};

patches = [ ./format-string.patch ./overflow.patch ./segv.patch ./sprintf.patch ];
patches = [
./format-string_CVE-2012-4426.patch
./overflow_CVE-2012-4409.patch
./segv.patch
./sprintf_CVE-2012-4527.patch
];

buildInputs = [ libmcrypt libmhash ];
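Review bot: `./segv.patch` is the only entry in the multi-line `patches` list without a CVE identifier, so a tool that reads patch names cannot tell whether it is a security fix without an assigned CVE or an ordinary bug fix. If no CVE exists for it, a comment on that line, e.g. `./segv.patch # no CVE identifier known`, would stop a later reader from assuming it was overlooked.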

File renamed without changes.
File renamed without changes.
File renamed without changes.
8 changes: 5 additions & 3 deletions pkgs/tools/security/super/default.nix
@@ -17,9 +17,11 @@ stdenv.mkDerivation rec {
'';

patches = [
(fetchpatch { url = "https://salsa.debian.org/debian/super/raw/debian/3.30.0-7/debian/patches/14-Fix-unchecked-setuid-call.patch";
sha256 = "08m9hw4kyfjv0kqns1cqha4v5hkgp4s4z0q1rgif1fnk14xh7wqh";
})
(fetchpatch {
name = "CVE-2014-0470.patch";
url = "https://salsa.debian.org/debian/super/raw/debian/3.30.0-7/debian/patches/14-Fix-unchecked-setuid-call.patch";
sha256 = "08m9hw4kyfjv0kqns1cqha4v5hkgp4s4z0q1rgif1fnk14xh7wqh";
})
];

NIX_CFLAGS_COMPILE = "-D_GNU_SOURCE";
1 change: 1 addition & 0 deletions pkgs/tools/text/a2ps/default.nix
@@ -17,6 +17,7 @@ stdenv.mkDerivation rec {
sha256 = "0grqqsc3m45niac56m19m5gx7gc0m8zvia5iman1l4rlq31shf8s";
})
(fetchpatch {
name = "CVE-2015-8107.patch";
url = "https://sources.debian.net/data/main/a/a2ps/1:4.14-1.3/debian/patches/fix-format-security.diff";
sha256 = "0pq7zl41gf2kc6ahwyjnzn93vbxb4jc2c5g8j20isp4vw6dqrnwv";
})