From d96f262166fe0d6cd62d301007e743581ec4a05d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Sat, 3 May 2014 17:17:34 +0200
Subject: [PATCH] json-c: update to 0.12, fixing CVE-2013-{6370,6371}
---
 pkgs/development/libraries/json-c/default.nix | 24 ++++++++++++++-----
 .../libraries/json-c/unused-variable.patch | 18 ++++++++++++++
 pkgs/top-level/all-packages.nix | 9 +++----
 3 files changed, 41 insertions(+), 10 deletions(-)
 create mode 100644 pkgs/development/libraries/json-c/unused-variable.patch
diff --git a/pkgs/development/libraries/json-c/default.nix b/pkgs/development/libraries/json-c/default.nix
index 78100521584b..ad425f2a3812 100644
--- a/pkgs/development/libraries/json-c/default.nix
+++ b/pkgs/development/libraries/json-c/default.nix
@@ -1,20 +1,32 @@ -{ stdenv, fetchurl }: +{ stdenv, fetchurl, autoreconfHook }: stdenv.mkDerivation rec { - name = "json-c-0.9"; + name = "json-c-0.12"; src = fetchurl { - url = "http://oss.metaparadigm.com/json-c/json-c-0.9.tar.gz"; - sha256 = "0xcl8cwzm860f8m0cdzyw6slwcddni4mraw4shvr3qgqkdn4hakh"; + url = "https://s3.amazonaws.com/json-c_releases/releases/${name}-nodoc.tar.gz"; + sha256 = "0dgvjjyb9xva63l6sy70sdch2w4ryvacdmfd3fg2f2v13lqx5mkg"; }; + + patches = [ ./unused-variable.patch ]; + + buildInputs = [ autoreconfHook ]; # won't configure without it, no idea why + + # compatibility hack (for mypaint at least) + postInstall = '' + ln -s json-c.pc "$out/lib/pkgconfig/json.pc" + ''; + meta = with stdenv.lib; { - homepage = "http://oss.metaparadigm.com/json-c/"; description = "A JSON implementation in C"; + homepage = https://github.com/json-c/json-c/wiki; + maintainers = with maintainers; [ lovek323 ]; + platforms = platforms.unix; + longDescription = '' JSON-C implements a reference counting object model that allows you to easily construct JSON objects in C, output them as JSON formatted strings and parse JSON formatted strings back into the C representation of JSON objects. ''; - hydraPlatforms = platforms.linux; }; } diff --git a/pkgs/development/libraries/json-c/unused-variable.patch b/pkgs/development/libraries/json-c/unused-variable.patch new file mode 100644 index 000000000000..1726234c526d --- /dev/null +++ b/pkgs/development/libraries/json-c/unused-variable.patch 
@@ -0,0 +1,18 @@
+See https://groups.google.com/forum/#!topic/json-c/TYodemkG338
+diff --git a/json_tokener.c b/json_tokener.c
+index 19de8ef..32bc8af 100644
+--- a/json_tokener.c
++++ b/json_tokener.c
+@@ -352,12 +352,10 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
+
+ case json_tokener_state_inf: /* aka starts with 'i' */
+ {
+- int size;
+ int size_inf;
+ int is_negative = 0;
+
+ printbuf_memappend_fast(tok->pb, &c, 1);
+- size = json_min(tok->st_pos+1, json_null_str_len);
+ size_inf = json_min(tok->st_pos+1, json_inf_str_len);
+ char *infbuf = tok->pb->buf;
+ if (*infbuf == '-')
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 54c61561da8d..93405dd80011 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -1112,7 +1112,9 @@ let
 */
 graphviz_2_0 = callPackage ../tools/graphics/graphviz/2.0.nix { };
- grive = callPackage ../tools/filesystems/grive { };
+ grive = callPackage ../tools/filesystems/grive {
+ json_c = json-c-0-11; # won't configure with 0.12; others are vulnerable
+ };
 groff = callPackage ../tools/text/groff {
 ghostscript = null;
@@ -4788,9 +4790,8 @@ let
 json_glib = callPackage ../development/libraries/json-glib { };
- json-c-0-9 = callPackage ../development/libraries/json-c { };
- json-c-0-11 = callPackage ../development/libraries/json-c/0.11.nix { };
- json_c = json-c-0-9;
+ json-c-0-11 = callPackage ../development/libraries/json-c/0.11.nix { }; # vulnerable
+ json_c = callPackage ../development/libraries/json-c { };
 jsoncpp = callPackage ../development/libraries/jsoncpp { };
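Review bot: The carried patch explains itself only through the forum link on its first line, so a reader cannot tell why json-c 0.12 needs it or when it can be dropped if that link goes away. I would add a line before the link such as `Remove the unused local 'size' in json_tokener_parse_ex; drop this patch once upstream has the fix.` The reason the unused variable breaks the build is not visible here (presumably warnings are treated as errors), so state it in that line once confirmed. The inner hunk only removes the declaration and the assignment in the `json_tokener_state_inf` case; the rest of that function lies outside it.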
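Review bot: `grive` is pinned to `json-c-0-11`, which this same commit labels `# vulnerable` in the second hunk, so one package keeps linking the library version the update is meant to retire. Neither comment names the issue or says when the pin can go; I would spell it out, e.g. `json_c = json-c-0-11; # FIXME: 0.11 is affected by CVE-2013-6370/6371; grive fails to configure with 0.12, drop this pin once it builds`, and repeat the CVE ids on the `json-c-0-11 = ...` line. grive presumably parses JSON received from a remote service, which would make the affected parsing code reachable from external input, so the pin deserves a tracked follow-up and not only a comment. The second hunk also removes `json-c-0-9`; any remaining reference to that attribute elsewhere in the tree is not visible here and would fail evaluation.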