From 3d2df41a8fe6591181f88b3aff16e1f62bc8efa6 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Sat, 9 Dec 2017 13:09:28 +0100
Subject: [PATCH] rsync: fix CVE-2017-16548
---
 .../networking/sync/rsync/base.nix | 19 +++++++++++++------
 .../networking/sync/rsync/default.nix | 4 ++--
 .../networking/sync/rsync/rrsync.nix | 4 ++--
 3 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/pkgs/applications/networking/sync/rsync/base.nix b/pkgs/applications/networking/sync/rsync/base.nix
index a95835610d52..f6224b0f48f1 100644
--- a/pkgs/applications/networking/sync/rsync/base.nix
+++ b/pkgs/applications/networking/sync/rsync/base.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ stdenv, fetchurl, fetchpatch }:
 rec {
 version = "3.1.2";
@@ -7,11 +7,18 @@ rec {
 url = "mirror://samba/rsync/src/rsync-${version}.tar.gz";
 sha256 = "1hm1q04hz15509f0p9bflw4d6jzfvpm1d36dxjwihk1wzakn5ypc";
 };
- patches = fetchurl {
- # signed with key 0048 C8B0 26D4 C96F 0E58 9C2F 6C85 9FB1 4B96 A8C5
- url = "mirror://samba/rsync/rsync-patches-${version}.tar.gz";
- sha256 = "09i3dcl37p22dp75vlnsvx7bm05ggafnrf1zwhf2kbij4ngvxvpd";
- };
+ patches = [
+ (fetchurl {
+ # signed with key 0048 C8B0 26D4 C96F 0E58 9C2F 6C85 9FB1 4B96 A8C5
+ url = "mirror://samba/rsync/rsync-patches-${version}.tar.gz";
+ sha256 = "09i3dcl37p22dp75vlnsvx7bm05ggafnrf1zwhf2kbij4ngvxvpd";
+ })
+ (fetchpatch {
+ name = "CVE-2017-16548.patch";
+ url = "https://git.samba.org/rsync.git/?p=rsync.git;a=commitdiff_plain;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1;hp=bc112b0e7feece62ce98708092306639a8a53cce";
+ sha256 = "1dcdnfhbc5gd0ph7pds0xr2v8rpb2a4p7l9c1wml96nhnyww1pg1";
+ })
+ ];
 meta = with stdenv.lib; {
 homepage = http://rsync.samba.org/;
diff --git a/pkgs/applications/networking/sync/rsync/default.nix b/pkgs/applications/networking/sync/rsync/default.nix
index 1f5e9601ff22..8c66e41f4cd2 100644
--- a/pkgs/applications/networking/sync/rsync/default.nix
+++ b/pkgs/applications/networking/sync/rsync/default.nix
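Review bot: The second base.nix hunk turns `patches` from a single `fetchurl` result into a list, yet the default.nix and rrsync.nix hunks of this patch only pass `fetchpatch` into the `import ./base.nix` call and leave whatever reads `base.patches` untouched. Those consumers lie outside the hunks, so this is an inference: if they still treat `base.patches` as the one rsync-patches tarball, the list either breaks that use or leaves `CVE-2017-16548.patch` unapplied in a default build. Keeping the tarball under an attribute of its own and passing the `fetchpatch` result to each derivation's `patches` explicitly would make the fix unconditional, and the build log should then show the patch being applied. I would also add a comment above `(fetchpatch {` naming the upstream commit given in the URL's `h=` parameter, since the `# signed with key …` comment covers only the tarball and this fetch is verified by `sha256` alone.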
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, perl, libiconv, zlib, popt
+{ stdenv, fetchurl, fetchpatch, perl, libiconv, zlib, popt
 , enableACLs ? true, acl ? null
 , enableCopyDevicesPatch ? false
 }:
@@ -6,7 +6,7 @@
 assert enableACLs -> acl != null;
 let
- base = import ./base.nix { inherit stdenv fetchurl; };
+ base = import ./base.nix { inherit stdenv fetchurl fetchpatch; };
 in
 stdenv.mkDerivation rec {
 name = "rsync-${base.version}";
diff --git a/pkgs/applications/networking/sync/rsync/rrsync.nix b/pkgs/applications/networking/sync/rsync/rrsync.nix
index 7563b0ea1950..bc2a6eb9c3cb 100644
--- a/pkgs/applications/networking/sync/rsync/rrsync.nix
+++ b/pkgs/applications/networking/sync/rsync/rrsync.nix
@@ -1,7 +1,7 @@
-{ stdenv, fetchurl, perl, rsync }:
+{ stdenv, fetchurl, fetchpatch, perl, rsync }:
 let
- base = import ./base.nix { inherit stdenv fetchurl; };
+ base = import ./base.nix { inherit stdenv fetchurl fetchpatch; };
 in
 stdenv.mkDerivation rec {
 name = "rrsync-${base.version}";