Merge pull request #176907 from stigtsp/firejail-CVE-2022-31214

firejail: patches for CVE-2022-31214
2022-06-09 00:20:12 +02:00 · 2022-06-09 00:20:12 +02:00 · 942c1d820c
commit 942c1d820c
parent 3a5d3c73c7 b31db15de0
1 changed files with 23 additions and 0 deletions
--- a/pkgs/os-specific/linux/firejail/default.nix
+++ b/pkgs/os-specific/linux/firejail/default.nix
@ -53,6 +53,29 @@ stdenv.mkDerivation rec {
    # Upstream fix: https://github.com/netblue30/firejail/pull/5132
    # Hopefully fixed upstream in version > 0.9.68
    ./fix-opengl-support.patch
+
+    # Fix CVE-2022-31214 by patching in 4 commits from upstream
+    # https://seclists.org/oss-sec/2022/q2/188
+    (fetchpatch {
+      name = "CVE-2022-31214-patch1"; # "fixing CVE-2022-31214"
+      url  = "https://github.com/netblue30/firejail/commit/27cde3d7d1e4e16d4190932347c7151dc2a84c50.patch";
+      sha256 = "sha256-XXmnYCn4TPUvU43HifZDk4tEZQvOho9/7ehU6889nN4=";
+    })
+    (fetchpatch {
+      name = "CVE-2022-31214-patch2"; # "shutdown testing"
+      url  = "https://github.com/netblue30/firejail/commit/04ff0edf74395ddcbbcec955279c74ed9a6c0f86.patch";
+      sha256 = "sha256-PV73hRlvYEQihuljSCQMNO34KJ0hDVFexhirpHcTK1I=";
+    })
+    (fetchpatch {
+      name = "CVE-2022-31214-patch3"; # "CVE-2022-31214: fixing the fix"
+      url  = "https://github.com/netblue30/firejail/commit/dab835e7a0eb287822016f5ae4e87f46e1d363e7.patch";
+      sha256 = "sha256-6plBIliW/nLKR7TdGeB88eQ65JHEasnaRsP3HPXAFyA=";
+    })
+    (fetchpatch {
+      name = "CVE-2022-31214-patch4"; # "CVE-2022-31214: fixing the fix, one more time "
+      url  = "https://github.com/netblue30/firejail/commit/1884ea22a90d225950d81c804f1771b42ae55f54.patch";
+      sha256 = "sha256-inkpcdC5rl5w+CTAwwQVBOELlHTXb8UGlpU+8kMY95s=";
+    })
  ];

  prePatch = ''