ntfs3g: patch for CVE-2017-0358

From the Debian advisory: Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe with elevated privileges. A local user can take advantage of this flaw for local root privilege escalation. (cherry picked from commit 19f23d0)
NixOS · Feb 9, 2017 · 723a563 · 723a563
1 parent 4562b1b
commit 723a563
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/pkgs/tools/filesystems/ntfs-3g/default.nix b/pkgs/tools/filesystems/ntfs-3g/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, utillinux, libuuid
+{stdenv, fetchurl, fetchpatch, utillinux, libuuid
 , crypto ? false, libgcrypt, gnutls, pkgconfig}:
 
 stdenv.mkDerivation rec {
@@ -14,6 +14,13 @@ stdenv.mkDerivation rec {
     sha256 = "180y5y09h30ryf2vim8j30a2npwz1iv9ly5yjmh3wjdkwh2jrdyp";
   };
 
+  patches = [
+    (fetchpatch {
+      url = "https://sources.debian.net/data/main/n/ntfs-3g/1:2016.2.22AR.1-4/debian/patches/0003-CVE-2017-0358.patch";
+      sha256 = "0hd05q9q06r18k8pmppvch1sslzqln5fvqj51d5r72g4mnpavpj3";
+    })
+  ];
+
   patchPhase = ''
     substituteInPlace src/Makefile.in --replace /sbin '@sbindir@'
     substituteInPlace ntfsprogs/Makefile.in --replace /sbin '@sbindir@'
@@ -45,4 +52,3 @@ stdenv.mkDerivation rec {
     license = licenses.gpl2Plus; # and (lib)fuse-lite under LGPL2+
   };
 }
-