author | xeji <36407913+xeji@users.noreply.github.com> | 2018-08-01 11:53:47 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-08-01 11:53:47 +0200 |
commit | c7c3c1663ffdc209843a53e74f845328af7f42c9 (patch) | |
tree | 50f1d940dc92f4c33a16395a468370ceb38eb14d | |
parent | 12c71a8cbc2236e03ba2d313bd36083ad1d8f5b7 (diff) | |
parent | d1d4ec90aef38220606b96dec40d5cd8ad5eb960 (diff) | |
Merge pull request #44298 from Izorkin/fix-build
Fix build packages edk2 and bazaar
-rw-r--r-- | pkgs/applications/version-management/bazaar/CVE-2017-14176.patch | 149 | ||||
-rw-r--r-- | pkgs/applications/version-management/bazaar/default.nix | 7 | ||||
-rw-r--r-- | pkgs/development/compilers/edk2/default.nix | 4 |
3 files changed, 152 insertions, 8 deletions
diff --git a/pkgs/applications/version-management/bazaar/CVE-2017-14176.patch b/pkgs/applications/version-management/bazaar/CVE-2017-14176.patch
new file mode 100644
index 000000000000..a34ab0c6eb10
--- /dev/null
+++ b/pkgs/applications/version-management/bazaar/CVE-2017-14176.patch
@@ -0,0 +1,149 @@
+diff --git a/bzrlib/tests/test_ssh_transport.py b/bzrlib/tests/test_ssh_transport.py
+index 9e37c3b..fe9f219 100644
+--- a/bzrlib/tests/test_ssh_transport.py
++++ b/bzrlib/tests/test_ssh_transport.py
+@@ -22,6 +22,7 @@ from bzrlib.transport.ssh import (
+ SSHCorpSubprocessVendor,
+ LSHSubprocessVendor,
+ SSHVendorManager,
++ StrangeHostname,
+ )
+
+
+@@ -161,6 +162,19 @@ class SSHVendorManagerTests(TestCase):
+
+ class SubprocessVendorsTests(TestCase):
+
++ def test_openssh_command_tricked(self):
++ vendor = OpenSSHSubprocessVendor()
++ self.assertEqual(
++ vendor._get_vendor_specific_argv(
++ "user", "-oProxyCommand=blah", 100, command=["bzr"]),
++ ["ssh", "-oForwardX11=no", "-oForwardAgent=no",
++ "-oClearAllForwardings=yes",
++ "-oNoHostAuthenticationForLocalhost=yes",
++ "-p", "100",
++ "-l", "user",
++ "--",
++ "-oProxyCommand=blah", "bzr"])
++
+ def test_openssh_command_arguments(self):
+ vendor = OpenSSHSubprocessVendor()
+ self.assertEqual(
+@@ -171,6 +185,7 @@ class SubprocessVendorsTests(TestCase):
+ "-oNoHostAuthenticationForLocalhost=yes",
+ "-p", "100",
+ "-l", "user",
++ "--",
+ "host", "bzr"]
+ )
+
+@@ -184,9 +199,16 @@ class SubprocessVendorsTests(TestCase):
+ "-oNoHostAuthenticationForLocalhost=yes",
+ "-p", "100",
+ "-l", "user",
+- "-s", "host", "sftp"]
++ "-s", "--", "host", "sftp"]
+ )
+
++ def test_openssh_command_tricked(self):
++ vendor = SSHCorpSubprocessVendor()
++ self.assertRaises(
++ StrangeHostname,
++ vendor._get_vendor_specific_argv,
++ "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+ def test_sshcorp_command_arguments(self):
+ vendor = SSHCorpSubprocessVendor()
+ self.assertEqual(
+@@ -209,6 +231,13 @@ class SubprocessVendorsTests(TestCase):
+ "-s", "sftp", "host"]
+ )
+
++ def test_lsh_command_tricked(self):
++ vendor = LSHSubprocessVendor()
++ self.assertRaises(
++ StrangeHostname,
++ vendor._get_vendor_specific_argv,
++ "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+ def test_lsh_command_arguments(self):
+ vendor = LSHSubprocessVendor()
+ self.assertEqual(
+@@ -231,6 +260,13 @@ class SubprocessVendorsTests(TestCase):
+ "--subsystem", "sftp", "host"]
+ )
+
++ def test_plink_command_tricked(self):
++ vendor = PLinkSubprocessVendor()
++ self.assertRaises(
++ StrangeHostname,
++ vendor._get_vendor_specific_argv,
++ "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+ def test_plink_command_arguments(self):
+ vendor = PLinkSubprocessVendor()
+ self.assertEqual(
+diff --git a/bzrlib/transport/ssh.py b/bzrlib/transport/ssh.py
+index eecaa26..6f22341 100644
+--- a/bzrlib/transport/ssh.py
++++ b/bzrlib/transport/ssh.py
+@@ -46,6 +46,10 @@ else:
+ from paramiko.sftp_client import SFTPClient
+
+
++class StrangeHostname(errors.BzrError):
++ _fmt = "Refusing to connect to strange SSH hostname %(hostname)s"
++
++
+ SYSTEM_HOSTKEYS = {}
+ BZR_HOSTKEYS = {}
+
+@@ -360,6 +364,11 @@ class SubprocessVendor(SSHVendor):
+ # tests, but beware of using PIPE which may hang due to not being read.
+ _stderr_target = None
+
++ @staticmethod
++ def _check_hostname(arg):
++ if arg.startswith('-'):
++ raise StrangeHostname(hostname=arg)
++
+ def _connect(self, argv):
+ # Attempt to make a socketpair to use as stdin/stdout for the SSH
+ # subprocess. We prefer sockets to pipes because they support
+@@ -424,9 +433,9 @@ class OpenSSHSubprocessVendor(SubprocessVendor):
+ if username is not None:
+ args.extend(['-l', username])
+ if subsystem is not None:
+- args.extend(['-s', host, subsystem])
++ args.extend(['-s', '--', host, subsystem])
+ else:
+- args.extend([host] + command)
++ args.extend(['--', host] + command)
+ return args
+
+ register_ssh_vendor('openssh', OpenSSHSubprocessVendor())
+@@ -439,6 +448,7 @@ class SSHCorpSubprocessVendor(SubprocessVendor):
+
+ def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+ command=None):
++ self._check_hostname(host)
+ args = [self.executable_path, '-x']
+ if port is not None:
+ args.extend(['-p', str(port)])
+@@ -460,6 +470,7 @@ class LSHSubprocessVendor(SubprocessVendor):
+
+ def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+ command=None):
++ self._check_hostname(host)
+ args = [self.executable_path]
+ if port is not None:
+ args.extend(['-p', str(port)])
+@@ -481,6 +492,7 @@ class PLinkSubprocessVendor(SubprocessVendor):
+
+ def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+ command=None):
++ self._check_hostname(host)
+ args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch']
+ if port is not None:
+ args.extend(['-P', str(port)])
diff --git a/pkgs/applications/version-management/bazaar/default.nix b/pkgs/applications/version-management/bazaar/default.nix
index 72e010fd283c..fea6fb358303 100644
--- a/pkgs/applications/version-management/bazaar/default.nix
+++ b/pkgs/applications/version-management/bazaar/default.nix
@@ -1,5 +1,4 @@
 { stdenv, fetchurl, python2Packages
-, fetchpatch
 , withSFTP ? true
 }:
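Review bot: In the added file's changes to `bzrlib/tests/test_ssh_transport.py`, `test_openssh_command_tricked` is defined twice inside `SubprocessVendorsTests` (inner hunks `@@ -161,6 +162,19 @@` and `@@ -184,9 +199,16 @@`), so the second definition, which builds an `SSHCorpSubprocessVendor`, replaces the first and the OpenSSH `--` separator case never runs. Renaming the second method to `def test_sshcorp_command_tricked(self):` would let both regression tests for CVE-2017-14176 execute. The file appears to be a copy of an upstream change, so the rename would have to be made in this copy or reported upstream. A one-line comment on `_check_hostname` would also help, stating that it rejects only a leading `-` and that the OpenSSH vendor relies on `--` instead of calling it.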
@@ -21,11 +20,7 @@ python2Packages.buildPythonApplication rec {
 patches = [
 # Bazaar can't find the certificates alone
 ./add_certificates.patch
- (fetchpatch {
- url = "https://bazaar.launchpad.net/~brz/brz/trunk/revision/6754";
- sha256 = "0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73";
- name = "CVE-2017-14176.patch";
- })
+ ./CVE-2017-14176.patch
 ];
 postPatch = ''
 substituteInPlace bzrlib/transport/http/_urllib2_wrappers.py \
diff --git a/pkgs/development/compilers/edk2/default.nix b/pkgs/development/compilers/edk2/default.nix
index 1dc4430dc6a7..809fc6a4cf1a 100644
--- a/pkgs/development/compilers/edk2/default.nix
+++ b/pkgs/development/compilers/edk2/default.nix
@@ -25,8 +25,8 @@ edk2 = stdenv.mkDerivation {
 patches = [
 (fetchpatch {
 name = "short-circuit-the-transfer-of-an-empty-S3_CONTEXT.patch";
- url = "https://github.com/tianocore/edk2/commit/9e2a8e928995c3b1bb664b73fd59785055c6b5f6";
- sha256 = "0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73";
+ url = "https://github.com/tianocore/edk2/commit/9e2a8e928995c3b1bb664b73fd59785055c6b5f6.diff";
+ sha256 = "0x24npijhgpjpsn3n74wayf8qcbaj97vi4z2iyf4almavqq8qaz4";
 })
 ]; |
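Review bot: The new `./CVE-2017-14176.patch` entry in `patches` (bazaar/default.nix, hunk `@@ -21,11 +20,7 @@`) has no comment saying where the in-tree file came from, whereas the removed `fetchpatch` recorded the upstream URL. A line such as `# CVE-2017-14176, taken from https://bazaar.launchpad.net/~brz/brz/trunk/revision/6754` above the entry would let a later reviewer compare the local copy against upstream. That the local file corresponds to that revision is presumed from the shared patch name and is not shown on this page. The `patches` list sits inside `buildPythonApplication`, whose body continues outside the hunk.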