From e15d6e1b3c267156453924942d426ba420f54f20 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Wed, 8 Nov 2017 20:54:55 +0100
Subject: [PATCH 01/10] yara: 3.6.0 -> 3.6.3 (fixes CVE-2017-11328)
---
 pkgs/tools/security/yara/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/tools/security/yara/default.nix b/pkgs/tools/security/yara/default.nix
index 34eb5583c455..7423c2d435bf 100644
--- a/pkgs/tools/security/yara/default.nix
+++ b/pkgs/tools/security/yara/default.nix
@@ -5,14 +5,14 @@
 }:
 stdenv.mkDerivation rec {
- version = "3.6.0";
+ version = "3.6.3";
 name = "yara-${version}";
 src = fetchFromGitHub {
 owner = "VirusTotal";
 repo = "yara";
 rev = "v${version}";
- sha256 = "05nadqpvihdyxym11mn6n02rzv2ng8ga7j9l0g5gnjx366gcai42";
+ sha256 = "13znbdwin9lvql43wpms5hh13h8rk5x5wajgmphz18rxwp8h7j78";
 };
 # FIXME: this is probably not the right way to make it work
From 4b759a0011dd91d921ccf5c379b7291535cfc280 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Wed, 8 Nov 2017 21:19:12 +0100
Subject: [PATCH 02/10] rzip: fix CVE-2017-8364
---
 pkgs/tools/compression/rzip/default.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/pkgs/tools/compression/rzip/default.nix b/pkgs/tools/compression/rzip/default.nix
index 2737966b83e5..ad1b80410419 100644
--- a/pkgs/tools/compression/rzip/default.nix
+++ b/pkgs/tools/compression/rzip/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, bzip2}:
+{stdenv, fetchurl, fetchpatch, bzip2}:
 stdenv.mkDerivation {
 name = "rzip-2.1";
@@ -8,6 +8,14 @@ stdenv.mkDerivation {
 };
 buildInputs = [ bzip2 ];
+ patches = [
+ (fetchpatch {
+ name = "CVE-2017-8364-fill-buffer.patch";
+ url = https://sources.debian.net/data/main/r/rzip/2.1-4.1/debian/patches/80-CVE-2017-8364-fill-buffer.patch;
+ sha256 = "0jcjlx9ksdvxvjyxmyzscx9ar9992iy5icw0sc3n0p09qi4d6x1r";
+ })
+ ];
+
 meta = {
 homepage = http://rzip.samba.org/;
 description = "Compression program";
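Review bot: The new `patches` entry in the rzip hunk (`@@ -8,6 +8,14 @@`) does not record in the file that the fix comes from Debian's 2.1-4.1 packaging rather than from an rzip release, so the next maintainer has to work that out from the URL. A one-line comment above the `fetchpatch` would cover it, e.g. `# CVE-2017-8364: patch taken from Debian's rzip 2.1-4.1; drop once a release carries the fix`. The pinned `sha256` fixes the content, so this is about provenance and maintenance, not integrity. Separately, the `url` is an unquoted URL literal here and in the redis, radare2 and libexif hunks, while the busybox hunk quotes its URLs; quoting all of them would keep the series consistent.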
From f8b53a70f1bcc628f255830fccffe77ee469b68e Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Wed, 8 Nov 2017 21:40:28 +0100
Subject: [PATCH 03/10] redis: fix CVE-2017-15047
Fix is based on work at [1] which upstream seems to have implemented as seen at [2].
[1] https://github.com/antirez/redis/pull/4365
[2] https://github.com/antirez/redis/commit/ffcf7d5ab1e98d84c28af9bea7be76c6737820ad
---
 pkgs/servers/nosql/redis/default.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/pkgs/servers/nosql/redis/default.nix b/pkgs/servers/nosql/redis/default.nix
index 60f132799fcc..9ef0987d9b96 100644
--- a/pkgs/servers/nosql/redis/default.nix
+++ b/pkgs/servers/nosql/redis/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, lua }:
+{ stdenv, fetchurl, fetchpatch, lua }:
 stdenv.mkDerivation rec {
 version = "4.0.2";
@@ -9,6 +9,14 @@ stdenv.mkDerivation rec {
 sha256 = "04s8cgvwjj1979s3hg8zkwc9pyn3jkjpz5zidp87kfcipifr385i";
 };
+ patches = [
+ (fetchpatch {
+ name = "CVE-2017-15047.patch";
+ url = https://github.com/antirez/redis/commit/ffcf7d5ab1e98d84c28af9bea7be76c6737820ad.patch;
+ sha256 = "0cgx3lm0n7jxhsly8v9hdvy6vlamj3ck2jsid4fwyapz6907h64l";
+ })
+ ];
+
 buildInputs = [ lua ];
 makeFlags = "PREFIX=$(out)";
From 8312eaf11c688715f6ff2dd380c4393d19e69ccd Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Wed, 8 Nov 2017 21:49:40 +0100
Subject: [PATCH 04/10] radare2: 2.0.0 -> 2.0.1 (+ fix for CVE-2017-15385)
---
 .../development/tools/analysis/radare2/default.nix | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/pkgs/development/tools/analysis/radare2/default.nix b/pkgs/development/tools/analysis/radare2/default.nix
index 1754727bb364..9468842f0c4d 100644
--- a/pkgs/development/tools/analysis/radare2/default.nix
+++ b/pkgs/development/tools/analysis/radare2/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchFromGitHub, fetchurl, pkgconfig, libusb, readline, libewf, perl, zlib, openssl,
+{stdenv, fetchFromGitHub, fetchurl, fetchpatch, pkgconfig, libusb, readline, libewf, perl, zlib, openssl,
 gtk2 ? null, vte ? null, gtkdialog ? null, python ? null, ruby ? null,
@@ -13,16 +13,24 @@ let
 inherit (stdenv.lib) optional;
 in
 stdenv.mkDerivation rec {
- version = "2.0.0";
+ version = "2.0.1";
 name = "radare2-${version}";
 src = fetchFromGitHub {
 owner = "radare";
 repo = "radare2";
 rev = version;
- sha256 = "1ahai9x6jc15wjzdbdkri3rc88ark2i5s8nv2pxcp0wwldvawlzi";
+ sha256 = "031ndvinsypagpkdszxjq0hj91ijq9zx4dzk53sz7il7s3zn65c7";
 };
+ patches = [
+ (fetchpatch {
+ name = "CVE-2017-15385.patch";
+ url = https://github.com/radare/radare2/commit/21a6f570ba33fa9f52f1bba87f07acc4e8c178f4.patch;
+ sha256 = "19qg5j9yr5r62nrq2b6mscxsz0wyyfah2z5jz8dvj9kqxq186d43";
+ })
+ ];
+
 postPatch = let
 cs_ver = "3.0.4"; # version from $sourceRoot/shlr/Makefile
 capstone = fetchurl {
From b6fd7bfd040aeea0990a175c161a72d89b97281f Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Wed, 8 Nov 2017 22:14:20 +0100
Subject: [PATCH 05/10] qpdf: 6.0.0 -> 7.0.0 (fixes several CVEs)
fixes CVE-2017-11624,CVE-2017-11625,CVE-2017-11626,CVE-2017-11627,CVE-2017-12595,CVE-2017-9208,CVE-2017-9209,CVE-2017-9210
---
 pkgs/development/libraries/qpdf/default.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkgs/development/libraries/qpdf/default.nix b/pkgs/development/libraries/qpdf/default.nix
index 4cd5fb0f6414..e53ad00cf7d5 100644
--- a/pkgs/development/libraries/qpdf/default.nix
+++ b/pkgs/development/libraries/qpdf/default.nix
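Review bot: The version bump in the radare2 hunk `@@ -13,16 +13,24 @@` leaves `cs_ver = "3.0.4"` untouched, although its own comment says the value mirrors `$sourceRoot/shlr/Makefile`; nothing visible here shows it was re-checked against the 2.0.1 tree. If the bundled capstone version moved between releases, the build could end up with a capstone tarball that does not match what that Makefile expects. Recording the check next to the value, e.g. `cs_ver = "3.0.4"; # version from $sourceRoot/shlr/Makefile (verified for 2.0.1)`, would settle it. The `postPatch` block continues past the end of the hunk, so the rest of that logic is not visible here.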
@@ -1,18 +1,18 @@
-{ stdenv, fetchurl, pcre, zlib, perl }:
+{ stdenv, fetchurl, libjpeg, pcre, zlib, perl }:
-let version = "6.0.0";
+let version = "7.0.0";
 in
 stdenv.mkDerivation rec {
 name = "qpdf-${version}";
 src = fetchurl {
 url = "mirror://sourceforge/qpdf/qpdf/${version}/${name}.tar.gz";
- sha256 = "0csj2p2gkxrc0rk8ykymlsdgfas96vzf1dip3y1x7z1q9plwgzd9";
+ sha256 = "0py6p27fx4qrwq9mvcybna42b0bdi359x38lzmggxl5a9khqvl7y";
 };
 nativeBuildInputs = [ perl ];
- buildInputs = [ pcre zlib ];
+ buildInputs = [ pcre zlib libjpeg ];
 postPatch = ''
 patchShebangs qpdf/fix-qdf
From 6255e95a3d570d0ac17cac9483a2c9da7a1b619e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Sat, 11 Nov 2017 10:24:48 +0100
Subject: [PATCH 06/10] qpdf: nitpicks after update
I read the release notes. http://qpdf.sourceforge.net/files/qpdf-manual.html#ref.release-notes
---
 pkgs/development/libraries/qpdf/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkgs/development/libraries/qpdf/default.nix b/pkgs/development/libraries/qpdf/default.nix
index e53ad00cf7d5..e2c80e445e76 100644
--- a/pkgs/development/libraries/qpdf/default.nix
+++ b/pkgs/development/libraries/qpdf/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, libjpeg, pcre, zlib, perl }:
+{ stdenv, fetchurl, libjpeg, zlib, perl }:
 let version = "7.0.0";
 in
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
 nativeBuildInputs = [ perl ];
- buildInputs = [ pcre zlib libjpeg ];
+ buildInputs = [ zlib libjpeg ];
 postPatch = ''
 patchShebangs qpdf/fix-qdf
@@ -28,7 +28,7 @@ stdenv.mkDerivation rec {
 meta = with stdenv.lib; {
 homepage = http://qpdf.sourceforge.net/;
 description = "A C++ library and set of programs that inspect and manipulate the structure of PDF files";
- license = licenses.artistic2;
+ license = licenses.asl20; # as of 7.0.0, people may stay at artistic2
 maintainers = with maintainers; [ abbradar ];
 platforms = platforms.all;
 };
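Review bot: The trailing comment on the new `license` line in the last qpdf hunk (`@@ -28,7 +28,7 @@`) is hard to parse: `# as of 7.0.0, people may stay at artistic2` does not say who may do what. Going by the release notes linked in the commit message, the intent is presumably that 7.0.0 is released under Apache-2.0 while use under Artistic-2.0 remains allowed. If that reading is right, `# Apache-2.0 since 7.0.0; use under Artistic-2.0 is still permitted` states it directly.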
From ac677c7a017cafb8c3cc71ba550b8fd829469384 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Sat, 11 Nov 2017 13:30:18 +0100
Subject: [PATCH 07/10] partclone: 0.2.89 -> 0.3.11 (fixes CVE-2017-6596)
---
 pkgs/tools/backup/partclone/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/tools/backup/partclone/default.nix b/pkgs/tools/backup/partclone/default.nix
index 54756a29cd6d..681999e35d07 100644
--- a/pkgs/tools/backup/partclone/default.nix
+++ b/pkgs/tools/backup/partclone/default.nix
@@ -4,13 +4,13 @@
 stdenv.mkDerivation rec {
 name = "partclone-${version}";
- version = "0.2.89";
+ version = "0.3.11";
 src = fetchFromGitHub {
 owner = "Thomas-Tsai";
 repo = "partclone";
 rev = version;
- sha256 = "0gw47pchqshhm00yf34qgxh6bh2jfryv0sm7ghwn77bv5gzwr481";
+ sha256 = "0bv15i0gxym4dv48rgaavh8p94waryn1l6viis6qh5zm9cd08skg";
 };
 nativeBuildInputs = [ autoreconfHook pkgconfig ];
From 4d4cd769f6e812028706d6a0e46d268c8ec224c3 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Wed, 8 Nov 2017 23:49:14 +0100
Subject: [PATCH 08/10] libextractor: 1.4 -> 1.6 (+ fixes multiple CVEs)
fixes CVE-2017-15266,CVE-2017-15267,CVE-2017-15600,CVE-2017-15601,CVE-2017-15602,CVE-2017-15922
---
 pkgs/development/libraries/libextractor/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/libraries/libextractor/default.nix b/pkgs/development/libraries/libextractor/default.nix
index a6fb4ec515a8..81caa3e91acc 100644
--- a/pkgs/development/libraries/libextractor/default.nix
+++ b/pkgs/development/libraries/libextractor/default.nix
@@ -7,11 +7,11 @@ assert gtkSupport -> glib != null && gtk3 != null;
 assert videoSupport -> ffmpeg != null && libmpeg2 != null;
 stdenv.mkDerivation rec {
- name = "libextractor-1.4";
+ name = "libextractor-1.6";
 src = fetchurl {
 url = "mirror://gnu/libextractor/${name}.tar.gz";
- sha256 = "0v7ns5jhsyp1wzvbaydfgxnva5zd63gkzm9djhckmam9liq824l4";
+ sha256 = "17gnpgspdhfgcr27j8sn9105vb4lw22yqdrhic62l79q5v5avm16";
 };
 preConfigure =
From 73bec97674389da0ab5a31ad7789efc0df8596f5 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Thu, 9 Nov 2017 11:49:23 +0100
Subject: [PATCH 09/10] libexif: fix CVE-2017-7544
Patch application simplified during rebasing.
---
 pkgs/development/libraries/libexif/default.nix | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/libraries/libexif/default.nix b/pkgs/development/libraries/libexif/default.nix
index ebcba0fa1553..5a8f5126680e 100644
--- a/pkgs/development/libraries/libexif/default.nix
+++ b/pkgs/development/libraries/libexif/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, gettext }:
+{ stdenv, fetchurl, fetchpatch, gettext }:
 stdenv.mkDerivation rec {
 name = "libexif-0.6.21";
@@ -8,6 +8,15 @@ stdenv.mkDerivation rec {
 sha256 = "06nlsibr3ylfwp28w8f5466l6drgrnydgxrm4jmxzrmk5svaxk8n";
 };
+ patches = [
+ (fetchpatch {
+ name = "CVE-2017-7544.patch";
+ url = https://sourceforge.net/p/libexif/bugs/_discuss/thread/fc394c4b/489a/attachment/xx.pat;
+ sha256 = "1qgk8hgnxr8d63jsc4vljxz9yg33mbml280dq4a6050rmk9wq4la";
+ })
+ ];
+ patchFlags = "-p0";
+
 buildInputs = [ gettext ];
 meta = {
From 17fae2499a12722f945105e26b1aabc745d642d0 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Thu, 9 Nov 2017 12:11:35 +0100
Subject: [PATCH 10/10] busybox: fix CVE-2017-1587{34}
---
 pkgs/os-specific/linux/busybox/default.nix | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
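Review bot: The libexif hunk `@@ -8,6 +8,15 @@` takes the CVE-2017-7544 fix from an attachment on a SourceForge bug-discussion thread (`.../attachment/xx.pat`), not from a commit or a distribution patch set, and the file does not record that. The `sha256` pins the bytes, so the trust decision rests on whoever read the attachment when the hash was recorded; a comment above the `fetchpatch` such as `# CVE-2017-7544: attachment from the libexif bug tracker, not an upstream commit` would make the origin explicit. `patchFlags = "-p0";` also applies to every entry in `patches`, so a patch added later in the usual `-p1` layout would no longer apply. A comment next to it, e.g. `# the bug-tracker attachment is a -p0 diff`, would explain why it is set.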
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index 6c9c43e4e5a9..0030f60000d2 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, buildPackages, fetchurl
+{ stdenv, lib, buildPackages, fetchurl, fetchpatch
 , enableStatic ? false
 , enableMinimal ? false
 , useMusl ? false, musl
@@ -39,7 +39,19 @@ stdenv.mkDerivation rec {
 hardeningDisable = [ "format" ] ++ lib.optionals enableStatic [ "fortify" ];
- patches = [ ./busybox-in-store.patch ];
+ patches = [
+ ./busybox-in-store.patch
+ (fetchpatch {
+ name = "CVE-2017-15873.patch";
+ url = "https://git.busybox.net/busybox/patch/?id=0402cb32df015d9372578e3db27db47b33d5c7b0";
+ sha256 = "1s3xqifd0dww19mbnzrks0i1az0qwd884sxjzrx33d6a9jxv4dzn";
+ })
+ (fetchpatch {
+ name = "CVE-2017-15874.patch";
+ url = "https://git.busybox.net/busybox/patch/?id=9ac42c500586fa5f10a1f6d22c3f797df11b1f6b";
+ sha256 = "0169p4ylz9zd14ghhb39yfjvbdca2kb21pphylfh9ny7i484ahql";
+ })
+ ];
 configurePhase = ''
 export KCONFIG_NOTIMESTAMP=1