3
0
Fork 0
forked from mirrors/nixpkgs
nixpkgs/pkgs/development/libraries/jasper/default.nix
c0bw3b a0d335ff39 jasper: mark as vulnerable
Many memory issues remain unfixed or partially fixed:
CVE-2018-18873 CVE-2018-19539 CVE-2018-19540 CVE-2018-19541
CVE-2018-9252 CVE-2018-19542 CVE-2018-19543 CVE-2018-20570
CVE-2018-20584 CVE-2018-20622 CVE-2018-9252

Debian/Ubuntu, OpenSuSE and Gentoo removed it entirely. See:
https://github.com/mdadams/jasper/issues/208
2019-11-20 19:46:15 +01:00

52 lines
1.3 KiB
Nix

{ stdenv, fetchFromGitHub, fetchpatch, libjpeg, cmake }:
stdenv.mkDerivation rec {
pname = "jasper";
version = "2.0.16";
src = fetchFromGitHub {
repo = "jasper";
owner = "mdadams";
rev = "version-${version}";
sha256 = "05l75yd1zsxwv25ykwwwjs8961szv7iywf16nc6vc6qpby27ckv6";
};
patches = [
(fetchpatch {
name = "CVE-2018-9055.patch";
url = "http://paste.opensuse.org/view/raw/330751ce";
sha256 = "0m798m6c4v9yyhql7x684j5kppcm6884n1rrb9ljz8p9aqq2jqnm";
})
];
# newer reconf to recognize a multiout flag
nativeBuildInputs = [ cmake ];
propagatedBuildInputs = [ libjpeg ];
configureFlags = [ "--enable-shared" ];
outputs = [ "bin" "dev" "out" "man" ];
enableParallelBuilding = true;
doCheck = false; # fails
postInstall = ''
moveToOutput bin "$bin"
'';
meta = with stdenv.lib; {
homepage = https://www.ece.uvic.ca/~frodo/jasper/;
description = "JPEG2000 Library";
platforms = platforms.unix;
license = licenses.jasper;
maintainers = with maintainers; [ pSub ];
knownVulnerabilities = [
"Numerous CVE unsolved upstream"
"See: https://github.com/NixOS/nixpkgs/pull/57681#issuecomment-475857499"
"See: https://github.com/mdadams/jasper/issues/208"
];
};
}