libtar: fix CVE-2013-4420 by Debian patches

CC maintainer @bjornfor.
2025-01-29 16:24:10 +00:00 · 2014-08-21 20:28:25 +02:00 · 2014-08-21 20:28:25 +02:00 · 380ba438ee
commit 380ba438ee
parent d2539c6ff5
1 changed files with 15 additions and 2 deletions
--- a/pkgs/development/libraries/libtar/default.nix
+++ b/pkgs/development/libraries/libtar/default.nix
@ -1,9 +1,9 @@
-{ stdenv, fetchgit, autoreconfHook }:
+{ stdenv, fetchgit, fetchpatch, autoreconfHook }:

 stdenv.mkDerivation rec {
  version = "1.2.20";
  name = "libtar-${version}";
-  
+
  # Maintenance repo for libtar (Arch Linux uses this)
  src = fetchgit {
    url = "git://repo.or.cz/libtar.git";
@ -11,6 +11,19 @@ stdenv.mkDerivation rec {
    sha256 = "1pjsqnqjaqgkzf1j8m6y5h76bwprffsjjj6gk8rh2fjsha14rqn9";
  };

+  patches = let
+    fp =  name: sha256:
+      fetchpatch {
+        url = "http://sources.debian.net/data/main/libt/libtar/1.2.20-4/debian/patches/${name}.patch";
+        inherit sha256;
+      };
+    in [
+      (fp "no_static_buffers"         "0yv90bhvqjj0v650gzn8fbzhdhzx5z0r1lh5h9nv39wnww435bd0")
+      (fp "no_maxpathlen"             "11riv231wpbdb1cm4nbdwdsik97wny5sxcwdgknqbp61ibk572b7")
+      (fp "CVE-2013-4420"             "0d010190bqgr2ggy02qwxvjaymy9a22jmyfwdfh4086v876cbxpq")
+      (fp "th_get_size-unsigned-int"  "1ravbs5yrfac98mnkrzciw9hd2fxq4dc07xl3wx8y2pv1bzkwm41")
+    ];
+
  buildInputs = [ autoreconfHook ];

  meta = with stdenv.lib; {