From 7eaa83a3e9b4641e134a5d7e586ef757dc2d591f Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 31 Aug 2016 13:25:47 +0200 Subject: [PATCH] qemu: patch security issues in 9pfs CVE-2016-7116, others have no ID assigned, yet. Fixes from 2.7 tree. --- .../virtualization/qemu/default.nix | 25 ++++++++++++++++--- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix index 4cdb2f7ec7d8..e3b7a9554413 100644 --- a/pkgs/applications/virtualization/qemu/default.nix +++ b/pkgs/applications/virtualization/qemu/default.nix @@ -1,6 +1,6 @@ -{ stdenv, fetchurl, python, zlib, pkgconfig, glib, ncurses, perl, pixman -, vde2, alsaLib, texinfo, libuuid, flex, bison, lzo, snappy -, libaio, gnutls, nettle +{ stdenv, fetchurl, fetchpatch, python, zlib, pkgconfig, glib +, ncurses, perl, pixman, vde2, alsaLib, texinfo, libuuid, flex +, bison, lzo, snappy, libaio, gnutls, nettle , makeWrapper , attr, libcap, libcap_ng , CoreServices, Cocoa, rez, setfile @@ -45,7 +45,24 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - patches = [ ./no-etc-install.patch ]; + patches = [ + ./no-etc-install.patch + (fetchpatch { + url = "http://git.qemu.org/?p=qemu.git;a=patch;h=fff39a7ad09da07ef490de05c92c91f22f8002f2"; + name = "9pfs-forbid-illegal-path-names.patch"; + sha256 = "081j85p6m7s1cfh3aq1i2av2fsiarlri9gs939s0wvc6pdyb4b70"; + }) + (fetchpatch { + url = "http://git.qemu.org/?p=qemu.git;a=patch;h=805b5d98c649d26fc44d2d7755a97f18e62b438a"; + name = "9pfs-forbid-.-and-..-in-file-names.patch"; + sha256 = "0km6knll492dx745gx37bi6dhmz08cmjiyf479ajkykp0aljii24"; + }) + (fetchpatch { + url = "http://git.qemu.org/?p=qemu.git;a=patch;h=56f101ecce0eafd09e2daf1c4eeb1377d6959261"; + name = "9pfs-directory-traversal-CVE-2016-7116.patch"; + sha256 = "06pr070qj19w5mjxr36bcqxmgpiczncigqsbwfc8ncjhm1h7dmry"; + }) + ]; configureFlags = [ "--smbd=smbd" # use `smbd' from $PATH