Merge pull request #49150 from andir/secfoo

Various security issues
This commit is contained in:
Andreas Rammhold 2018-10-26 17:18:06 +02:00 committed by GitHub
commit 30a0b4c6eb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 42 additions and 53 deletions

View File

@ -4,7 +4,7 @@
}:
let
version = "0.17.0";
version = "0.18.0";
in mkDerivation rec {
name = "sddm-${version}";
@ -13,12 +13,11 @@ in mkDerivation rec {
owner = "sddm";
repo = "sddm";
rev = "v${version}";
sha256 = "1m35ly6miwy8ivsln3j1bfv0nxbc4gyqnj7f847zzp53jsqrm3mq";
sha256 = "16xnm02iqgy4hydzd6my0widq981glbazbhxnihhclgsaczh8mfq";
};
patches = [
./sddm-ignore-config-mtime.patch
./qt511.patch
];
postPatch =

View File

@ -1,28 +0,0 @@
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 005c9ad..71b46d7 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -93,7 +93,7 @@ find_package(XCB REQUIRED)
find_package(XKB REQUIRED)
# Qt 5
-find_package(Qt5 5.6.0 CONFIG REQUIRED Core DBus Gui Qml Quick LinguistTools)
+find_package(Qt5 5.6.0 CONFIG REQUIRED Core DBus Gui Qml Quick LinguistTools Test)
# find qt5 imports dir
get_target_property(QMAKE_EXECUTABLE Qt5::qmake LOCATION)
diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
index c9d935a..bb85ddd 100644
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -2,9 +2,8 @@ set(QT_USE_QTTEST TRUE)
include_directories(../src/common)
-
set(ConfigurationTest_SRCS ConfigurationTest.cpp ../src/common/ConfigReader.cpp)
add_executable(ConfigurationTest ${ConfigurationTest_SRCS})
add_test(NAME Configuration COMMAND ConfigurationTest)
-qt5_use_modules(ConfigurationTest Test)
+target_link_libraries(ConfigurationTest Qt5::Core Qt5::Test)

View File

@ -15,5 +15,11 @@ stdenv.mkDerivation {
homepage = https://xmlgraphics.apache.org/batik;
license = licenses.asl20;
platforms = platforms.unix;
knownVulnerabilities = [
# vulnerabilities as of 16th October 2018 from https://xmlgraphics.apache.org/security.html:
"CVE-2018-8013"
"CVE-2017-5662"
"CVE-2015-0250"
];
};
}

View File

@ -103,5 +103,8 @@ stdenv.mkDerivation rec {
license = licenses.gpl3;
platforms = platforms.linux;
maintainers = with maintainers; [ robbinch ];
knownVulnerabilities = [
"CVE-2015-1032"
];
};
}

View File

@ -1,5 +1,5 @@
{ stdenv, fetchurl, meson, ninja, pkgconfig, glib, gobjectIntrospection, cairo
, libarchive, freetype, libjpeg, libtiff, gnome3
, libarchive, freetype, libjpeg, libtiff, gnome3, fetchpatch
}:
let
@ -13,6 +13,19 @@ in stdenv.mkDerivation rec {
sha256 = "412b1343bd31fee41f7204c47514d34c563ae34dafa4cc710897366bd6cd0fae";
};
patches = [
(fetchpatch {
name = "CVE-2018-10733-1.patch";
url = https://gitlab.gnome.org/GNOME/libgxps/commit/b458226e162fe1ffe7acb4230c114a52ada5131b.patch;
sha256 = "0pqg9iwkg69qknj7vkgn26c32fndy55byxivd4km0vjfhfyx69hd";
})
(fetchpatch {
name = "CVE-2018-10733-2.patch";
url = https://gitlab.gnome.org/GNOME/libgxps/commit/133fe2a96e020d4ca65c6f64fb28a404050ebbfd.patch;
sha256 = "19n01x8zs05wf801mkz4mypvapph7h941md3hr3rj0ry6r88pkir";
})
];
nativeBuildInputs = [ meson ninja pkgconfig gobjectIntrospection ];
buildInputs = [ glib cairo freetype libjpeg libtiff ];
propagatedBuildInputs = [ libarchive ];

View File

@ -15,6 +15,13 @@ stdenv.mkDerivation rec {
url = "https://github.com/taglib/taglib/commit/eb9ded1206f18.patch";
sha256 = "1bvpxsvmlpi3by7myzss9kkpdkv405612n8ff68mw1ambj8h1m90";
})
(fetchpatch {
# https://github.com/taglib/taglib/pull/869
name = "CVE-2018-11439.patch";
url = "https://github.com/taglib/taglib/commit/272648ccfcccae30e002ccf34a22e075dd477278.patch";
sha256 = "0p397qq4anvcm0p8xs68mxa8hg6dl07chg260lc6k2929m34xv72";
})
];
nativeBuildInputs = [ cmake ];

View File

@ -1,4 +1,4 @@
{ stdenv, fetchurl, pam, yacc, flex }:
{ stdenv, fetchurl, fetchpatch, pam, yacc, flex }:
stdenv.mkDerivation rec {
name = "libcgroup-${version}";
@ -11,6 +11,13 @@ stdenv.mkDerivation rec {
buildInputs = [ pam yacc flex ];
patches = [
(fetchpatch {
url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/libcgroup/files/libcgroup-0.41-remove-umask.patch?id=33e9f4c81de754bbf76b893ea1133ed023f2a0e5";
sha256 = "1x0x29ld0cgmfwq4qy13s6d5c8sym1frfh1j2q47d8gfw6qaxka5";
})
];
postPatch = ''
substituteInPlace src/tools/Makefile.in \
--replace 'chmod u+s' 'chmod +x'

View File

@ -5,34 +5,16 @@
}:
stdenv.mkDerivation rec {
version = "3.7.1";
version = "3.8.1";
name = "yara-${version}";
src = fetchFromGitHub {
owner = "VirusTotal";
repo = "yara";
rev = "v${version}";
sha256 = "05smkn4ii8irx6ccnzrhwa39pkmrjyxjmfrwh6mhdd8iz51v5cgz";
sha256 = "1ys2y5f2cif3g42daq646jcrn2na19zkx7fds2gnavj5c1rk7463";
};
# FIXME: this is probably not the right way to make it work
# make[2]: *** No rule to make target 'libyara/.libs/libyara.a', needed by 'yara'. Stop.
prePatch = ''
cat >staticlibrary.patch <<EOF
--- a/Makefile.am 2015-11-01 11:39:12.000000000 +0100
+++ b/Makefile.am 2015-11-01 11:45:32.000000000 +0100
@@ -12 +12 @@
-yara_LDADD = libyara/.libs/libyara.a
+yara_LDADD = libyara/.libs/libyara${stdenv.hostPlatform.extensions.sharedLibrary}
@@ -15 +15 @@
-yarac_LDADD = libyara/.libs/libyara.a
+yarac_LDADD = libyara/.libs/libyara${stdenv.hostPlatform.extensions.sharedLibrary}
EOF
'';
patches = [
"staticlibrary.patch"
];
buildInputs = [ autoconf automake libtool pcre]
++ stdenv.lib.optionals withCrypto [ openssl ]
++ stdenv.lib.optionals enableMagic [ file ]