base repository: NixOS/nixpkgs-channels
base: 0e9548e14973
head repository: NixOS/nixpkgs-channels
compare: 49ac77d07eb9
  • 5 commits
  • 6 files changed
  • 3 contributors

Commits on Jul 28, 2019

  1. gnupatch: apply patches for CVE-2019-1363 and CVE-2019-13638

    (cherry picked from commit 49c4c4a)
    PR #65498
    andir authored and vcunat committed Jul 28, 2019
    b39c8b2 View commit details

Commits on Jul 29, 2019

    d86daf5 View commit details

Commits on Jul 30, 2019

  1. ffmpeg{_4,-full}: 4.1.3 -> 4.1.4 (security)

    Fixes #64656 CVE-2019-13312 CVE-2019-13390.
    
    (cherry picked from commit 3e17fe4)
    vcunat committed Jul 30, 2019
    40aedac View commit details
    a057890 View commit details
  3. ffmpeg: 3.4.5 -> 3.4.6 (#58549)

    https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/0ac9001ab9f2bdd7c4306afd1a91d6c78b294d9f:/Changelog
    (cherry picked from commit dfdacfd)
    I don't know if any CVEs are filed against this, but it still seems
    likely to fix more things than break.
    dtzWill authored and vcunat committed Jul 30, 2019
    49ac77d View commit details
11 changes: 8 additions & 3 deletions pkgs/development/libraries/ffmpeg-full/default.nix
@@ -1,4 +1,4 @@
{ stdenv, fetchurl, pkgconfig, perl, texinfo, yasm
{ stdenv, fetchurl, fetchpatch, pkgconfig, perl, texinfo, yasm
/*
* Licensing options (yes some are listed twice, filters and such are not listed)
*/
@@ -230,12 +230,17 @@ assert opensslExtlib -> gnutls == null && openssl != null && nonfreeLicensing;

stdenv.mkDerivation rec {
name = "ffmpeg-full-${version}";
version = "4.1.3";
version = "4.1.4";

src = fetchurl {
url = "https://www.ffmpeg.org/releases/ffmpeg-${version}.tar.xz";
sha256 = "0gdnprc7gk4b7ckq8wbxbrj7i00r76r9a5g9mj7iln40512j0c0c";
sha256 = "1qd7a10gs12ifcp31gramcgqjl77swskjfp7cijibgyg5yl4kw7i";
};
patches = [(fetchpatch { # remove on update
name = "fix-hardcoded-tables.diff";
url = "http://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff_plain/c8232e50074f";
sha256 = "0jlksks4fjajby8fjk7rfp414gxfdgd6q9khq26i52xvf4kg2dw6";
})];

prePatch = ''
patchShebangs .
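Review bot: The new `patches` entry fetches `commitdiff_plain/c8232e50074f` over plain `http://` although the same host is reachable over TLS (the 3.4.6 commit message in this compare links `https://git.ffmpeg.org/...`). The pinned sha256 still guarantees that a tampered download is rejected, but an on-path party can trivially break the build by serving anything else, and the fetch itself leaks which fix is being pulled; I'd change it to `url = "https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff_plain/c8232e50074f";`. The identical fetchpatch block is also added to ffmpeg/4.nix, so whoever honours the `# remove on update` marker should drop both at once. The `mkDerivation` body continues past the end of this hunk.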
4 changes: 2 additions & 2 deletions pkgs/development/libraries/ffmpeg/3.4.nix
@@ -6,7 +6,7 @@

callPackage ./generic.nix (args // rec {
version = "${branch}";
branch = "3.4.5";
sha256 = "0cbzysj9pskxh1kfdwmq2848fn6gi4pvh5y3insv10pdhpcjp8a3";
branch = "3.4.6";
sha256 = "1s20wzgxxrm56gckyb8cf1lh36hdnkdxvmmnnvdxvia4zb3grf1b";
darwinFrameworks = [ Cocoa CoreMedia ];
})
9 changes: 7 additions & 2 deletions pkgs/development/libraries/ffmpeg/4.nix
@@ -6,7 +6,12 @@

callPackage ./generic.nix (args // rec {
version = "${branch}";
branch = "4.1.3";
sha256 = "0aka5pibjhpks1wrsvqpy98v8cbvyvnngwqhh4ajkg6pbdl7k9i9";
branch = "4.1.4";
sha256 = "01w44ygm5bvc243hlhfnvb2lxfb0blz2cxnphxqgw30vj3c1prx7";
patches = [(fetchpatch { # remove on update
name = "fix-hardcoded-tables.diff";
url = "http://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff_plain/c8232e50074f";
sha256 = "0jlksks4fjajby8fjk7rfp414gxfdgd6q9khq26i52xvf4kg2dw6";
})];
darwinFrameworks = [ Cocoa CoreMedia ];
})
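Review bot: The `fetchpatch` URL in the new `patches` list is `http://` rather than `https://`; with the sha256 pinned this cannot inject code, but it does let anyone on the path fail the build at will and exposes the fetch, so `url = "https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff_plain/c8232e50074f";` is the safer form. This block is a verbatim copy of the one added to ffmpeg-full/default.nix in the same compare; if generic.nix is the shared base for both (I cannot see it here), moving the patch there would keep the two from drifting on the next bump. The surrounding `callPackage` argument set is fully visible, so nothing else in this file is affected.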
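--- /dev/null
+++ b/pkgs/tools/text/gnupatch/CVE-2019-13636.patch
@@ -0,0 +1,108 @@
+From dce4683cbbe107a95f1f0d45fabc304acfb5d71a Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Mon, 15 Jul 2019 16:21:48 +0200
+Subject: Don't follow symlinks unless --follow-symlinks is given
+
+* src/inp.c (plan_a, plan_b), src/util.c (copy_to_fd, copy_file,
+append_to_file): Unless the --follow-symlinks option is given, open files with
+the O_NOFOLLOW flag to avoid following symlinks. So far, we were only doing
+that consistently for input files.
+* src/util.c (create_backup): When creating empty backup files, (re)create them
+with O_CREAT | O_EXCL to avoid following symlinks in that case as well.
+---
+src/inp.c | 12 ++++++++++--
+src/util.c | 14 +++++++++++---
+2 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/src/inp.c b/src/inp.c
+index 32d0919..22d7473 100644
+--- a/src/inp.c
++++ b/src/inp.c
+@@ -238,8 +238,13 @@ plan_a (char const *filename)
+{
+if (S_ISREG (instat.st_mode))
+{
+- int ifd = safe_open (filename, O_RDONLY|binary_transput, 0);
++ int flags = O_RDONLY | binary_transput;
+size_t buffered = 0, n;
++ int ifd;
++
++ if (! follow_symlinks)
++ flags |= O_NOFOLLOW;
++ ifd = safe_open (filename, flags, 0);
+if (ifd < 0)
+pfatal ("can't open file %s", quotearg (filename));
+
+@@ -340,6 +345,7 @@ plan_a (char const *filename)
+static void
+plan_b (char const *filename)
+{
++ int flags = O_RDONLY | binary_transput;
+int ifd;
+FILE *ifp;
+int c;
+@@ -353,7 +359,9 @@ plan_b (char const *filename)
+
+if (instat.st_size == 0)
+filename = NULL_DEVICE;
+- if ((ifd = safe_open (filename, O_RDONLY | binary_transput, 0)) < 0
++ if (! follow_symlinks)
++ flags |= O_NOFOLLOW;
++ if ((ifd = safe_open (filename, flags, 0)) < 0
+|| ! (ifp = fdopen (ifd, binary_transput ? "rb" : "r")))
+pfatal ("Can't open file %s", quotearg (filename));
+if (TMPINNAME_needs_removal)
+diff --git a/src/util.c b/src/util.c
+index 1cc08ba..fb38307 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -388,7 +388,7 @@ create_backup (char const *to, const struct stat *to_st, bool leave_original)
+
+try_makedirs_errno = ENOENT;
+safe_unlink (bakname);
+- while ((fd = safe_open (bakname, O_CREAT | O_WRONLY | O_TRUNC, 0666)) < 0)
++ while ((fd = safe_open (bakname, O_CREAT | O_EXCL | O_WRONLY | O_TRUNC, 0666)) < 0)
+{
+if (errno != try_makedirs_errno)
+pfatal ("Can't create file %s", quotearg (bakname));
+@@ -579,10 +579,13 @@ create_file (char const *file, int open_flags, mode_t mode,
+static void
+copy_to_fd (const char *from, int tofd)
+{
++ int from_flags = O_RDONLY | O_BINARY;
+int fromfd;
+ssize_t i;
+
+- if ((fromfd = safe_open (from, O_RDONLY | O_BINARY, 0)) < 0)
++ if (! follow_symlinks)
++ from_flags |= O_NOFOLLOW;
++ if ((fromfd = safe_open (from, from_flags, 0)) < 0)
+pfatal ("Can't reopen file %s", quotearg (from));
+while ((i = read (fromfd, buf, bufsize)) != 0)
+{
+@@ -625,6 +628,8 @@ copy_file (char const *from, char const *to, struct stat *tost,
+else
+{
+assert (S_ISREG (mode));
++ if (! follow_symlinks)
++ to_flags |= O_NOFOLLOW;
+tofd = create_file (to, O_WRONLY | O_BINARY | to_flags, mode,
+to_dir_known_to_exist);
+copy_to_fd (from, tofd);
+@@ -640,9 +645,12 @@ copy_file (char const *from, char const *to, struct stat *tost,
+void
+append_to_file (char const *from, char const *to)
+{
++ int to_flags = O_WRONLY | O_APPEND | O_BINARY;
+int tofd;
+
+- if ((tofd = safe_open (to, O_WRONLY | O_BINARY | O_APPEND, 0)) < 0)
++ if (! follow_symlinks)
++ to_flags |= O_NOFOLLOW;
++ if ((tofd = safe_open (to, to_flags, 0)) < 0)
+pfatal ("Can't reopen file %s", quotearg (to));
+copy_to_fd (from, tofd);
+if (close (tofd) != 0)
+--
+cgit v1.0-41-gc330
+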
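--- /dev/null
+++ b/pkgs/tools/text/gnupatch/CVE-2019-13638.patch
@@ -0,0 +1,38 @@
+From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 19:36:15 +0200
+Subject: Invoke ed directly instead of using the shell
+
+* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
+command to avoid quoting vulnerabilities.
+---
+src/pch.c | 6 ++----
+1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/pch.c b/src/pch.c
+index 4fd5a05..16e001a 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,
+*outname_needs_removal = true;
+copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+}
+- sprintf (buf, "%s %s%s", editor_program,
+- verbosity == VERBOSE ? "" : "- ",
+- outname);
+fflush (stdout);
+
+pid = fork();
+@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,
+else if (pid == 0)
+{
+dup2 (tmpfd, 0);
+- execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++ assert (outname[0] != '!' && outname[0] != '-');
++ execlp (editor_program, editor_program, "-", outname, (char *) NULL);
+_exit (2);
+}
+else
+--
+cgit v1.0-41-gc330
+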
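--- a/pkgs/tools/text/gnupatch/default.nix
+++ b/pkgs/tools/text/gnupatch/default.nix
@@ -23,6 +23,12 @@ stdenv.mkDerivation rec {
 })
 # https://git.savannah.gnu.org/cgit/patch.git/commit/?id=9c986353e420ead6e706262bf204d6e03322c300
 ./CVE-2018-6952.patch
+
+# https://git.savannah.gnu.org/cgit/patch.git/patch/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a
+./CVE-2019-13636.patch
+
+# https://git.savannah.gnu.org/cgit/patch.git/patch/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0
+./CVE-2019-13638.patch
 ];
 
 nativeBuildInputs = [ autoreconfHook ];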
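Review bot: The two new comment lines only give the cgit `/patch/?id=` URLs, while the commit title in this compare names the first fix as "CVE-2019-1363" (the vendored file is `CVE-2019-13636.patch`); naming the CVE next to each URL would make the list self-describing and catch that kind of slip, e.g. `# CVE-2019-13636 (symlink following): https://git.savannah.gnu.org/cgit/patch.git/patch/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a`. The older entry above uses the `/commit/?id=` HTML view whereas the new ones use `/patch/`, which is the raw form a maintainer can `diff` against the vendored copies, so aligning the older comment to `/patch/` would be consistent. The patch files are committed verbatim rather than fetched, which is fine for provenance as long as the upstream commit ids in the comments stay accurate. The `patches` list is fully closed in this hunk; the rest of the derivation is outside it.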