
systemd: apply patch for CVE-2020-13776

Fixes #90982.

+20
+20
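--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -42,6 +42,26 @@
 sha256 = "0haj3iff3y13pm4w5dbqj1drp5wryqfad58jbbmnb6zdgis56h8f";
 };
 
+# with the bump to 245.x, nixpkgs moved away from the custom fork to
+# downstream patches, as the fork model was very error-prone
+# (see https://github.com/NixOS/nixpkgs/pull/85334)
+# This `patches` section is only there to carry security patches for 20.03,
+# as it'd be much more ugly to push commits to the (abandoned) systemd fork.
+patches = [
+# pick the `safe_atou32` introduction in src/basic/parse-util.h
+# used by CVE-2020-13776.patch
+(fetchpatch {
+url = "https://github.com/systemd/systemd/commit/b934ac3d6e7dcad114776ef30ee9098693e7ab7e.patch";
+includes = ["src/basic/parse-util.h"];
+sha256 = "1q9nggh19nk4bi2amg0dfziahfvl2931i9r79kdi9gmf79wxz0yc";
+})
+(fetchpatch {
+name = "CVE-2020-13776.patch";
+url = "https://github.com/systemd/systemd/commit/156a5fd297b61bce31630d7a52c15614bf784843.patch";
+sha256 = "1g1spb78mqywp97mxsgqaaq5zn3s5qk2k0w02xnp92v76h5y0sgl";
+})
+];
+
 outputs = [ "out" "lib" "man" "dev" ];
 
 nativeBuildInputs =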
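Review bot: The first `fetchpatch` in the new `patches` list has no `name`, so its derivation name presumably falls back to the commit hash in the URL, and anyone auditing which security patches this package carries sees an opaque `b934ac3d….patch` next to `CVE-2020-13776.patch`. Adding `name = "parse-util-safe_atou32.patch";` would make the prerequisite recognisable. The block comment also gives no removal condition; a line such as `# drop both entries once systemd is updated to a release that contains 156a5fd2` would keep the list from outliving its purpose. The `includes = ["src/basic/parse-util.h"]` filter applies only the header part of the upstream commit, which presumably works because the helper is defined inline there; it is worth stating in the comment that the rest of that commit is deliberately left out.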