diff --git a/pkgs/tools/archivers/cpio/CVE-2016-2037-out-of-bounds-write.patch b/pkgs/tools/archivers/cpio/CVE-2016-2037-out-of-bounds-write.patch
deleted file mode 100644
index 90ddeff9790e..000000000000
--- a/pkgs/tools/archivers/cpio/CVE-2016-2037-out-of-bounds-write.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff --git a/src/copyin.c b/src/copyin.c
-index cde911e..032d35f 100644
---- a/src/copyin.c
-+++ b/src/copyin.c
-@@ -1385,6 +1385,8 @@ process_copy_in ()
- break;
- }
-
-+ if (file_hdr.c_namesize <= 1)
-+ file_hdr.c_name = xrealloc(file_hdr.c_name, 2);
- cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag,
- false);
-
-diff --git a/src/util.c b/src/util.c
-index 6ff6032..2763ac1 100644
---- a/src/util.c
-+++ b/src/util.c
-@@ -1411,7 +1411,10 @@ set_file_times (int fd,
- }
-
- /* Do we have to ignore absolute paths, and if so, does the filename
-- have an absolute path? */
-+ have an absolute path?
-+ Before calling this function make sure that the allocated NAME buffer has
-+ capacity at least 2 bytes to allow us to store the "." string inside. */
-+
- void
- cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
- bool strip_leading_dots)
diff --git a/pkgs/tools/archivers/cpio/default.nix b/pkgs/tools/archivers/cpio/default.nix
index 44943109ee18..3f6b3ba4598c 100644
--- a/pkgs/tools/archivers/cpio/default.nix
+++ b/pkgs/tools/archivers/cpio/default.nix
@@ -1,30 +1,16 @@
-{ stdenv, fetchurl, fetchpatch }:
+{ stdenv, fetchurl }:
 let
- version = "2.12";
+ version = "2.13";
 name = "cpio-${version}";
 in stdenv.mkDerivation {
 inherit name;
 src = fetchurl {
 url = "mirror://gnu/cpio/${name}.tar.bz2";
- sha256 = "0vi9q475h1rki53100zml75vxsykzyhrn70hidy41s5c2rc8r6bh";
+ sha256 = "0vbgnhkawdllgnkdn6zn1f56fczwk0518krakz2qbwhxmv2vvdga";
 };
- patches = [
- (fetchpatch {
- name = "CVE-2015-1197-cpio-2.12.patch";
- url = "https://gist.github.com/nckx/70b0bfa80ddfb86c2967/"
- + "raw/e9b40d4d4b701f584f826775b75beb10751dc884/"
- + "CVE-2015-1197-cpio-2.12.patch";
- sha256 = "0ph43m4lavwkc4gnl5h9p3da4kb1pnhwk5l2qsky70dqri8pcr8v";
- })
-
- # Report: http://www.openwall.com/lists/oss-security/2016/01/19/4
- # Patch from https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html
- ./CVE-2016-2037-out-of-bounds-write.patch
- ];
-
 preConfigure = if stdenv.isCygwin then ''
 sed -i gnu/fpending.h -e 's,include ,,'
 '' else null;
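Review bot: Removing the whole `patches` list drops the local fixes for CVE-2015-1197 and CVE-2016-2037, and nothing on the new side records that the 2.13 tarball already carries them. Both should be confirmed against the upstream 2.13 NEWS/changelog before merging; the CVE-2015-1197 patch was fetched from a gist rather than from upstream, so the upstream fix may not behave identically and is worth a quick extraction test. The result should be recorded in the commit message or next to `version`, e.g. `# CVE-2015-1197 and CVE-2016-2037 are fixed upstream in 2.13; no local patches needed`. That way a later downgrade or backport does not silently lose the fixes.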