jq: Fix CVE-2015-8863 and CVE-2016-4074 (#18908)

jq has not had a release since v1.5 in August 2015, so backport both of
these patches (the fix for CVE-2015-8863 is in the current master, while
the fix for CVE-2016-4074 is not yet in master).

authored by Aneesh Agrawal and committed by Franz Pletz bfbca9da 7615d638

+26 -20
+26 -20
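--- a/pkgs/development/tools/jq/default.nix
+++ b/pkgs/development/tools/jq/default.nix
@@ -1,33 +1,39 @@
-{stdenv, fetchurl, oniguruma}:
-let
-s = # Generated upstream information
-rec {
-baseName="jq";
-version="1.5";
-name="${baseName}-${version}";
+{ stdenv, lib, fetchurl, fetchpatch, oniguruma }:
+
+stdenv.mkDerivation rec {
+name = "jq-${version}";
+version="1.5";
+
+src = fetchurl {
 url="https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz";
 sha256="0g29kyz4ykasdcrb0zmbrp2jqs9kv1wz9swx849i2d1ncknbzln4";
 };
-buildInputs = [
-oniguruma
+
+buildInputs = [ oniguruma ];
+
+patches = [
+(fetchpatch {
+name = "CVE-2015-8863.patch";
+url = https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.diff;
+sha256 = "18bjanzvklfzlzzd690y88725l7iwl4f6wnr429na5pfmircbpvh";
+})
+(fetchpatch {
+name = "CVE-2016-4074.patch";
+url = https://patch-diff.githubusercontent.com/raw/stedolan/jq/pull/1214.diff;
+sha256 = "1w8bapnyp56di6p9casbfczfn8258rw0z16grydavdjddfm280l9";
+})
 ];
-in
-stdenv.mkDerivation {
-inherit (s) name version;
-inherit buildInputs;
-src = fetchurl {
-inherit (s) url sha256;
-};
+patchFlags = [ "-p2" ]; # `src` subdir was introduced after v1.5 was released
 
 # jq is linked to libjq:
 configureFlags = [
 "LDFLAGS=-Wl,-rpath,\\\${libdir}"
 ];
+
 meta = {
-inherit (s) version;
 description = ''A lightweight and flexible command-line JSON processor'';
-license = stdenv.lib.licenses.mit ;
-maintainers = [stdenv.lib.maintainers.raskin];
-platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin;
+license = lib.licenses.mit;
+maintainers = with lib.maintainers; [ raskin ];
+platforms = with lib.platforms; linux ++ darwin;
 };
 }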
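Review bot: The second fetchpatch in the new `patches` list points at a mutable URL: `https://patch-diff.githubusercontent.com/raw/stedolan/jq/pull/1214.diff` is regenerated from whatever PR 1214's head is at fetch time, so a later push or rebase to that unmerged PR changes the content and the build then fails on the sha256 mismatch (the hash stops a silent swap, not the breakage). Prefer the commit-addressed form already used for the first patch, `url = https://github.com/stedolan/jq/commit/<head commit of PR 1214>.diff;`, so the backport stays reproducible regardless of what upstream does with the PR. The CVE ids in `name` are the only description of what is being applied; a one-line comment per entry, e.g. `# CVE-2015-8863: upstream commit 8eb1367, applied with -p2 because 1.5 has no src/ subdir`, would help whoever checks whether these are still needed after the next jq release. `patchFlags = [ "-p2" ]` applies to both patches, which looks intended since both come from post-1.5 trees, but that is worth stating in the comment as well.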