sharutils: Patch CVE-2018-1000097

2018-08-05 14:41:59 -04:00 · 2018-08-05 14:41:59 -04:00 · 76a713bd29
commit 76a713bd29
parent 93a056993f
1 changed files with 9 additions and 1 deletions
--- a/pkgs/tools/archivers/sharutils/default.nix
+++ b/pkgs/tools/archivers/sharutils/default.nix
@ -19,7 +19,15 @@ stdenv.mkDerivation rec {
  # remaps /etc/passwd to a trivial file, but we can't do that on Darwin so I do this
  # instead. In this case, I pass in the very imaginative "submitter" as the submitter name

-  patchPhase = let
+  patches = [
+    # CVE-2018-1000097
+    (fetchurl {
+      url = "https://sources.debian.org/data/main/s/sharutils/1:4.15.2-2+deb9u1/debian/patches/01-fix-heap-buffer-overflow-cve-2018-1000097.patch";
+      sha256 = "19g0sxc8g79aj5gd5idz5409311253jf2q8wqkasf0handdvsbxx";
+    })
+  ];
+
+  postPatch = let
      # This evaluates to a string containing:
      #
      #     substituteInPlace tests/shar-2 --replace '${SHAR}' '${SHAR} -s submitter'