treewide: add CVE identifiers to patches

This allows tools like broken.sh to correctly identify the patched
status.

+32 -21
pkgs/applications/office/antiword/10_fix_buffer_overflow_wordole_c.patch pkgs/applications/office/antiword/10_fix_buffer_overflow_wordole_c_CVE-2014-8123.patch
+1 -1
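--- a/pkgs/applications/office/antiword/default.nix
+++ b/pkgs/applications/office/antiword/default.nix
@@ -16,7 +16,7 @@
 substituteInPlace Makefile --replace "gcc" "cc"
 '';
 
-patches = [ ./10_fix_buffer_overflow_wordole_c.patch ];
+patches = [ ./10_fix_buffer_overflow_wordole_c_CVE-2014-8123.patch ];
 
 installTargets = [ "global_install" ];
 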
+1 -1
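--- a/pkgs/misc/drivers/foomatic-filters/default.nix
+++ b/pkgs/misc/drivers/foomatic-filters/default.nix
@@ -12,8 +12,8 @@
 buildInputs = [ perl cups dbus enscript ];
 
 patches = [
-# for CVE-2015-8327 & CVE-2015-8560
 (fetchpatch {
+name = "CVE-2015-8327+CVE-2015-8560.patch";
 url = "https://salsa.debian.org/debian/foomatic-filters/raw/a3abbef2d2f8c7e62d2fe64f64afe294563fdf8f/debian/patches/0500-r7406_also_consider_the_back_tick_as_an_illegal_shell_escape_character.patch";
 sha256 = "055nwi3sjf578nk40bqsch3wx8m2h65hdih0wmxflb6l0hwkq4p4";
 })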
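Review bot: The new `name` asserts that this single patch fixes both CVE-2015-8327 and CVE-2015-8560, but the fetched file's own name (`0500-r7406_also_consider_the_back_tick_as_an_illegal_shell_escape_character.patch`) describes only the back-tick escape. Once tools read the name to decide patched status, an over-claim here would hide an open CVE from the report, which the old free-text comment could not do. Please confirm from the patch contents that CVE-2015-8560 is covered; if it is not, the entry should read `name = "CVE-2015-8327.patch";` and the second fix should be fetched as its own list element. The `patches` list continues past the end of the hunk.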
+1
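--- a/pkgs/os-specific/linux/libcgroup/default.nix
+++ b/pkgs/os-specific/linux/libcgroup/default.nix
@@ -13,6 +13,7 @@
 
 patches = [
 (fetchpatch {
+name = "CVE-2018-14348.patch";
 url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/libcgroup/files/libcgroup-0.41-remove-umask.patch?id=33e9f4c81de754bbf76b893ea1133ed023f2a0e5";
 sha256 = "1x0x29ld0cgmfwq4qy13s6d5c8sym1frfh1j2q47d8gfw6qaxka5";
 })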
+2
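--- a/pkgs/tools/archivers/p7zip/default.nix
+++ b/pkgs/tools/archivers/p7zip/default.nix
@@ -13,10 +13,12 @@
 ./12-CVE-2016-9296.patch
 ./13-CVE-2017-17969.patch
 (fetchpatch {
+name = "3-CVE-2018-5996.patch";
 url = "https://raw.githubusercontent.com/termux/termux-packages/master/packages/p7zip/3-CVE-2018-5996.patch";
 sha256 = "1zivvkazmza0653i498ccp3zbpbpc7dvxl3zxwllbx41b6n589yp";
 })
 (fetchpatch {
+name = "4-CVE-2018-10115.patch";
 url = "https://raw.githubusercontent.com/termux/termux-packages/master/packages/p7zip/4-CVE-2018-10115.patch";
 sha256 = "1cr7q8gnrk9yp6dcvxaqi1yhdbgp964nkv65ls41mw1kdfm44zn6";
 })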
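Review bot: Both `fetchpatch` entries that gain a `name` here fetch from the `master` branch of termux-packages, so the file behind each URL can change or disappear while the `sha256` stays fixed. The hash keeps an altered patch from being applied, but the fetch then fails and the fixes for CVE-2018-5996 and CVE-2018-10115 can no longer be rebuilt from the recorded source. Pin both URLs to a commit, e.g. `https://raw.githubusercontent.com/termux/termux-packages/<commit>/packages/p7zip/3-CVE-2018-5996.patch`, where `<commit>` is a placeholder for the revision the hashes were taken from. The `patches` list opens above the hunk.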
+15 -15
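--- a/pkgs/tools/filesystems/fuseiso/default.nix
+++ b/pkgs/tools/filesystems/fuseiso/default.nix
@@ -9,27 +9,27 @@
 sha256 = "127xql52dcdhmh7s5m9xc6q39jdlj3zhbjar1j821kb6gl3jw94b";
 };
 
-patches = map (p:
-fetchpatch {
-inherit (p) name sha256;
-url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/${p.name}";
-}) [
-{
+patches = [
+(fetchpatch {
 name = "00-support_large_iso.patch";
+url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/00-support_large_iso.patch";
 sha256 = "1lmclb1qwzz5f4wlq693g83bblwnjjl73qhgfxbsaac5hnn2shjw";
-}
-{
+})
+(fetchpatch {
 name = "01-fix_typo.patch";
+url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/01-fix_typo.patch";
 sha256 = "14rpxp0yylzsgqv0r19l4wx1h5hvqp617gpv1yg0w48amr9drasa";
-}
-{ # CVE-2015-8837
-name = "02-prevent-buffer-overflow.patch";
+})
+(fetchpatch {
+name = "02-prevent-buffer-overflow_CVE-2015-8837.patch";
+url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/02-prevent-buffer-overflow.patch";
 sha256 = "1ls2pp3mh91pdb51qz1fsd8pwhbky6988bpd156bn7wgfxqzh8ig";
-}
-{ # CVE-2015-8836
-name = "03-prevent-integer-overflow.patch";
+})
+(fetchpatch {
+name = "03-prevent-integer-overflow_CVE-2015-8836.patch";
+url = "https://sources.debian.net/data/main/f/fuseiso/${version}-3.2/debian/patches/03-prevent-integer-overflow.patch";
 sha256 = "100cw07fk4sa3hl7a1gk2hgz4qsxdw99y20r7wpidwwwzy463zcv";
-}
+})
 ];
 
 nativeBuildInputs = [ autoreconfHook pkgconfig ];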
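Review bot: The four rewritten `url` lines still interpolate `${version}` while each `sha256` and the Debian revision `-3.2` are fixed, so a later version bump changes where the patches are fetched from without changing what is expected. A fixed-output fetch whose name and hash are already in the local store or a binary cache is normally reused without contacting the new URL, so the CVE-2015-8836 and CVE-2015-8837 fixes could keep building from a stale copy while the recorded URL no longer resolves. Writing the upstream version literally in these URLs, or adding a comment such as `# Debian patches are for <version>-3.2; refresh url and sha256 together` above the list (with `<version>` a placeholder for the current value), makes the coupling visible to whoever bumps the package.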
+6 -1
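--- a/pkgs/tools/misc/mcrypt/default.nix
+++ b/pkgs/tools/misc/mcrypt/default.nix
@@ -9,7 +9,12 @@
 sha256 = "5145aa844e54cca89ddab6fb7dd9e5952811d8d787c4f4bf27eb261e6c182098";
 };
 
-patches = [ ./format-string.patch ./overflow.patch ./segv.patch ./sprintf.patch ];
+patches = [
+./format-string_CVE-2012-4426.patch
+./overflow_CVE-2012-4409.patch
+./segv.patch
+./sprintf_CVE-2012-4527.patch
+];
 
 buildInputs = [ libmcrypt libmhash ];
 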
pkgs/tools/misc/mcrypt/format-string.patch pkgs/tools/misc/mcrypt/format-string_CVE-2012-4426.patch
pkgs/tools/misc/mcrypt/overflow.patch pkgs/tools/misc/mcrypt/overflow_CVE-2012-4409.patch
pkgs/tools/misc/mcrypt/sprintf.patch pkgs/tools/misc/mcrypt/sprintf_CVE-2012-4527.patch
+5 -3
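--- a/pkgs/tools/security/super/default.nix
+++ b/pkgs/tools/security/super/default.nix
@@ -17,9 +17,11 @@
 '';
 
 patches = [
-(fetchpatch { url = "https://salsa.debian.org/debian/super/raw/debian/3.30.0-7/debian/patches/14-Fix-unchecked-setuid-call.patch";
-sha256 = "08m9hw4kyfjv0kqns1cqha4v5hkgp4s4z0q1rgif1fnk14xh7wqh";
-})
+(fetchpatch {
+name = "CVE-2014-0470.patch";
+url = "https://salsa.debian.org/debian/super/raw/debian/3.30.0-7/debian/patches/14-Fix-unchecked-setuid-call.patch";
+sha256 = "08m9hw4kyfjv0kqns1cqha4v5hkgp4s4z0q1rgif1fnk14xh7wqh";
+})
 ];
 
 NIX_CFLAGS_COMPILE = "-D_GNU_SOURCE";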
+1
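--- a/pkgs/tools/text/a2ps/default.nix
+++ b/pkgs/tools/text/a2ps/default.nix
@@ -17,6 +17,7 @@
 sha256 = "0grqqsc3m45niac56m19m5gx7gc0m8zvia5iman1l4rlq31shf8s";
 })
 (fetchpatch {
+name = "CVE-2015-8107.patch";
 url = "https://sources.debian.net/data/main/a/a2ps/1:4.14-1.3/debian/patches/fix-format-security.diff";
 sha256 = "0pq7zl41gf2kc6ahwyjnzn93vbxb4jc2c5g8j20isp4vw6dqrnwv";
 })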