From f3ec500d487443800a6406690817159654a8ccdb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Mon, 21 Apr 2014 17:56:39 +0200 Subject: [PATCH] libarchive: move patch into nixpkgs Unfortunately, github periodically changes output even for raw diffs (not just raw patches). I'm including the patch in nixpkgs. I was unable to do it without hash change. Even if I added binary equal file. --- .../libraries/libarchive/CVE-2013-0211.patch | 30 +++++++++++++++++++ .../libraries/libarchive/default.nix | 8 ++--- 2 files changed, 33 insertions(+), 5 deletions(-) create mode 100644 pkgs/development/libraries/libarchive/CVE-2013-0211.patch diff --git a/pkgs/development/libraries/libarchive/CVE-2013-0211.patch b/pkgs/development/libraries/libarchive/CVE-2013-0211.patch new file mode 100644 index 000000000000..5b1a9831063f --- /dev/null +++ b/pkgs/development/libraries/libarchive/CVE-2013-0211.patch @@ -0,0 +1,30 @@ +From 22531545514043e04633e1c015c7540b9de9dbe4 Mon Sep 17 00:00:00 2001 +From: Tim Kientzle +Date: Fri, 22 Mar 2013 23:48:41 -0700 +Subject: [PATCH] Limit write requests to at most INT_MAX. This prevents a + certain common programming error (passing -1 to write) from leading to other + problems deeper in the library. + +--- + libarchive/archive_write.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c +index eede5e0..be85621 100644 +--- a/libarchive/archive_write.c ++++ b/libarchive/archive_write.c +@@ -673,8 +673,13 @@ static ssize_t + _archive_write_data(struct archive *_a, const void *buff, size_t s) + { + struct archive_write *a = (struct archive_write *)_a; ++ const size_t max_write = INT_MAX; ++ + archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC, + ARCHIVE_STATE_DATA, "archive_write_data"); ++ /* In particular, this catches attempts to pass negative values. */ ++ if (s > max_write) ++ s = max_write; + archive_clear_error(&a->archive); + return ((a->format_write_data)(a, buff, s)); + } + diff --git a/pkgs/development/libraries/libarchive/default.nix b/pkgs/development/libraries/libarchive/default.nix index 5e728d9b3dd1..f0c3c0632a95 100644 --- a/pkgs/development/libraries/libarchive/default.nix +++ b/pkgs/development/libraries/libarchive/default.nix @@ -12,11 +12,9 @@ stdenv.mkDerivation rec { sha256 = "0pixqnrcf35dnqgv0lp7qlcw7k13620qkhgxr288v7p4iz6ym1zb"; }; - patches = [(fetchurl { - url = "https://github.com/libarchive/libarchive/commit/22531545514043e04633e1c015c7540b9de9dbe4.diff"; - sha256 = "1466ddrkdh2r8idmj3v7fk2gwnhc1kdxvyczdpnqms0qlmas6fj5"; - name = "CVE-2013-0211.patch"; - })]; + patches = [ + ./CVE-2013-0211.patch # https://github.com/libarchive/libarchive/commit/22531545 + ]; buildInputs = [ sharutils libxml2 zlib bzip2 openssl xz ] ++ stdenv.lib.optionals stdenv.isLinux [ e2fsprogs attr acl ];