json-c: update to 0.12, fixing CVE-2013-{6370,6371}

This commit is contained in:
Vladimír Čunát 2014-05-03 17:17:34 +02:00
parent 208e7cae1a
commit d96f262166
3 changed files with 41 additions and 10 deletions

View File

@ -1,20 +1,32 @@
{ stdenv, fetchurl }:
{ stdenv, fetchurl, autoreconfHook }:
stdenv.mkDerivation rec {
name = "json-c-0.9";
name = "json-c-0.12";
src = fetchurl {
url = "http://oss.metaparadigm.com/json-c/json-c-0.9.tar.gz";
sha256 = "0xcl8cwzm860f8m0cdzyw6slwcddni4mraw4shvr3qgqkdn4hakh";
url = "https://s3.amazonaws.com/json-c_releases/releases/${name}-nodoc.tar.gz";
sha256 = "0dgvjjyb9xva63l6sy70sdch2w4ryvacdmfd3fg2f2v13lqx5mkg";
};
patches = [ ./unused-variable.patch ];
buildInputs = [ autoreconfHook ]; # won't configure without it, no idea why
# compatibility hack (for mypaint at least)
postInstall = ''
ln -s json-c.pc "$out/lib/pkgconfig/json.pc"
'';
meta = with stdenv.lib; {
homepage = "http://oss.metaparadigm.com/json-c/";
description = "A JSON implementation in C";
homepage = https://github.com/json-c/json-c/wiki;
maintainers = with maintainers; [ lovek323 ];
platforms = platforms.unix;
longDescription = ''
JSON-C implements a reference counting object model that allows you to
easily construct JSON objects in C, output them as JSON formatted strings
and parse JSON formatted strings back into the C representation of JSON
objects.
'';
hydraPlatforms = platforms.linux;
};
}

View File

@ -0,0 +1,18 @@
See https://groups.google.com/forum/#!topic/json-c/TYodemkG338
diff --git a/json_tokener.c b/json_tokener.c
index 19de8ef..32bc8af 100644
--- a/json_tokener.c
+++ b/json_tokener.c
@@ -352,12 +352,10 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
case json_tokener_state_inf: /* aka starts with 'i' */
{
- int size;
int size_inf;
int is_negative = 0;
printbuf_memappend_fast(tok->pb, &c, 1);
- size = json_min(tok->st_pos+1, json_null_str_len);
size_inf = json_min(tok->st_pos+1, json_inf_str_len);
char *infbuf = tok->pb->buf;
if (*infbuf == '-')

View File

@ -1112,7 +1112,9 @@ let
*/
graphviz_2_0 = callPackage ../tools/graphics/graphviz/2.0.nix { };
grive = callPackage ../tools/filesystems/grive { };
grive = callPackage ../tools/filesystems/grive {
json_c = json-c-0-11; # won't configure with 0.12; others are vulnerable
};
groff = callPackage ../tools/text/groff {
ghostscript = null;
@ -4788,9 +4790,8 @@ let
json_glib = callPackage ../development/libraries/json-glib { };
json-c-0-9 = callPackage ../development/libraries/json-c { };
json-c-0-11 = callPackage ../development/libraries/json-c/0.11.nix { };
json_c = json-c-0-9;
json-c-0-11 = callPackage ../development/libraries/json-c/0.11.nix { }; # vulnerable
json_c = callPackage ../development/libraries/json-c { };
jsoncpp = callPackage ../development/libraries/jsoncpp { };