screen: apply patch for CVE-2021-26937

encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause
a denial of service (invalid write access and application crash) or
possibly have unspecified other impact via a crafted UTF-8 character
sequence.

Fixes: CVE-2021-26937
This commit is contained in:
Martin Weinelt 2021-02-21 18:04:39 +01:00
parent 2f96b9a7b4
commit c3b5487720

View File

@ -16,7 +16,14 @@ stdenv.mkDerivation rec {
"--enable-colors256" "--enable-colors256"
]; ];
patches = lib.optional stdenv.hostPlatform.isMusl patches = [
(fetchpatch {
# Fixes denial of services in encoding.c, remove > 4.8.0
name = "CVE-2021-26937.patch";
url = "https://salsa.debian.org/debian/screen/-/raw/master/debian/patches/99_CVE-2021-26937.patch";
sha256 = "05f3p1c7s83nccwkhmavjzgaysxnvq41c7jffs31ra65kcpabqy0";
})
] ++ lib.optional stdenv.hostPlatform.isMusl
(fetchpatch { (fetchpatch {
url = "https://gist.githubusercontent.com/yujinakayama/4608863/raw/76b9f89af5e5a2e97d9a0f36aac989fb56cf1447/gistfile1.diff"; url = "https://gist.githubusercontent.com/yujinakayama/4608863/raw/76b9f89af5e5a2e97d9a0f36aac989fb56cf1447/gistfile1.diff";
sha256 = "0f9bf83p8zdxaa1pr75jyf5g8xr3r8kv7cyzzbpraa1q4j15ss1p"; sha256 = "0f9bf83p8zdxaa1pr75jyf5g8xr3r8kv7cyzzbpraa1q4j15ss1p";