
Comparing changes

base repository: NixOS/nixpkgs
base: ffd9bf7e2929
...
head repository: NixOS/nixpkgs
compare: 4fd6cb7abdac
  • 1 commit
  • 2 files changed
  • 1 contributor

Commits on Jun 22, 2019

  1. bzip2: patch CVE-2019-12900

    The vulnerability seems quite serious.
    It isn't practical to use fetchpatch here due to bootstrapping,
    so I just committed the small patch file.
    vcunat committed Jun 22, 2019
    4fd6cb7
Showing with 14 additions and 0 deletions.
  1. +13 −0 pkgs/tools/compression/bzip2/cve-2019-12900.patch
  2. +1 −0 pkgs/tools/compression/bzip2/default.nix
13 changes: 13 additions & 0 deletions pkgs/tools/compression/bzip2/cve-2019-12900.patch
@@ -0,0 +1,13 @@
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d
diff --git a/decompress.c b/decompress.c
--- a/decompress.c
+++ b/decompress.c
@@ -287,7 +287,7 @@
GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
- if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
+ if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
for (i = 0; i < nSelectors; i++) {
j = 0;
while (True) {
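Review bot: The new upper bound in `if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS)` still accepts nSelectors equal to BZ_MAX_SELECTORS, so it is only sufficient if every array written by the following `for (i = 0; i < nSelectors; i++)` loop has at least BZ_MAX_SELECTORS entries. Those declarations are not in this hunk, so please confirm them against the bzip2 source before relying on the check. Separately, the patch file's header is a bare URL with a shortened commit id. A one-line description naming CVE-2019-12900 and the full upstream commit hash would make the vendored file self-explanatory and easier to audit later.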
1 change: 1 addition & 0 deletions pkgs/tools/compression/bzip2/default.nix
@@ -22,6 +22,7 @@ stdenv.mkDerivation rec {

patches = [
./CVE-2016-3189.patch
./cve-2019-12900.patch
];

postPatch = ''
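Review bot: The added entry `./cve-2019-12900.patch` is lowercase while the existing `./CVE-2016-3189.patch` next to it is uppercase. Matching the existing casing would keep the patches list consistent and easier to grep. The reason for vendoring the file instead of using fetchpatch (bootstrapping) is only in the commit message, so a short comment above the entry in `patches` would stop a later cleanup from converting it.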