bzip2: patch CVE-2019-12900

The vulnerability seems quite serious.
It isn't practical to use fetchpatch here due to bootstrapping,
so I just committed the small patch file.
This commit is contained in:
Vladimír Čunát 2019-06-22 11:53:12 +02:00
parent ffd9bf7e29
commit 4fd6cb7abd
No known key found for this signature in database
GPG Key ID: E747DF1F9575A3AA
2 changed files with 14 additions and 0 deletions

View File

@ -0,0 +1,13 @@
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d
diff --git a/decompress.c b/decompress.c
--- a/decompress.c
+++ b/decompress.c
@@ -287,7 +287,7 @@
GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
- if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
+ if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
for (i = 0; i < nSelectors; i++) {
j = 0;
while (True) {

View File

@ -22,6 +22,7 @@ stdenv.mkDerivation rec {
patches = [
./CVE-2016-3189.patch
./cve-2019-12900.patch
];
postPatch = ''