cpio: 2.12 -> 2.13

See https://lists.gnu.org/archive/html/info-gnu/2019-11/msg00002.html for release information. Fixes CVE-2019-14866
2019-11-06 17:30:02 +01:00 · 2019-11-06 17:30:02 +01:00 · fe758f5fa3
parent 30e428c96c
commit fe758f5fa3
2 changed files with 3 additions and 46 deletions
--- a/pkgs/tools/archivers/cpio/CVE-2016-2037-out-of-bounds-write.patch
+++ b/pkgs/tools/archivers/cpio/CVE-2016-2037-out-of-bounds-write.patch
@ -1,29 +0,0 @@
-diff --git a/src/copyin.c b/src/copyin.c
-index cde911e..032d35f 100644
--- a/src/copyin.c
-+++ b/src/copyin.c
-@@ -1385,6 +1385,8 @@ process_copy_in ()
-          break;
-        }
-
-+      if (file_hdr.c_namesize <= 1)
-+        file_hdr.c_name = xrealloc(file_hdr.c_name, 2);
-       cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag,
-                              false);
-
-diff --git a/src/util.c b/src/util.c
-index 6ff6032..2763ac1 100644
--- a/src/util.c
-+++ b/src/util.c
-@@ -1411,7 +1411,10 @@ set_file_times (int fd,
- }
-
- /* Do we have to ignore absolute paths, and if so, does the filename
-   have an absolute path?  */
-+   have an absolute path?
-+   Before calling this function make sure that the allocated NAME buffer has
-+   capacity at least 2 bytes to allow us to store the "." string inside.  */
-+
- void
- cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
-                        bool strip_leading_dots)
--- a/pkgs/tools/archivers/cpio/default.nix
+++ b/pkgs/tools/archivers/cpio/default.nix
@ -1,30 +1,16 @@
-{ stdenv, fetchurl, fetchpatch }:
+{ stdenv, fetchurl }:

 let
-  version = "2.12";
+  version = "2.13";
  name = "cpio-${version}";
 in stdenv.mkDerivation {
  inherit name;

  src = fetchurl {
    url = "mirror://gnu/cpio/${name}.tar.bz2";
-    sha256 = "0vi9q475h1rki53100zml75vxsykzyhrn70hidy41s5c2rc8r6bh";
+    sha256 = "0vbgnhkawdllgnkdn6zn1f56fczwk0518krakz2qbwhxmv2vvdga";
  };

-  patches = [
-    (fetchpatch {
-      name = "CVE-2015-1197-cpio-2.12.patch";
-      url = "https://gist.github.com/nckx/70b0bfa80ddfb86c2967/"
-        + "raw/e9b40d4d4b701f584f826775b75beb10751dc884/"
-        + "CVE-2015-1197-cpio-2.12.patch";
-      sha256 = "0ph43m4lavwkc4gnl5h9p3da4kb1pnhwk5l2qsky70dqri8pcr8v";
-    })
-
-    # Report: http://www.openwall.com/lists/oss-security/2016/01/19/4
-    # Patch from https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html
-    ./CVE-2016-2037-out-of-bounds-write.patch
-  ];
-
  preConfigure = if stdenv.isCygwin then ''
    sed -i gnu/fpending.h -e 's,include <stdio_ext.h>,,'
  '' else null;