bash-4.3: fix security problems via a Gentoo patch

author: Vladimír Čunát <vcunat@gmail.com> 2017-01-04 23:59:25 +0100
committer: Vladimír Čunát <vcunat@gmail.com> 2017-01-05 00:00:24 +0100
commit: 22796f0d4f47a7942dd443ca125ade898032022b (patch)
tree: 42af4a93e4a68a3c30b0b17284a0716feb4490dc /pkgs/shells/bash
parent: fa57b06dc657d4c45040db14c479f2ffb79dc84d (diff)
download: nixlib-22796f0d4f47a7942dd443ca125ade898032022b.tar
nixlib-22796f0d4f47a7942dd443ca125ade898032022b.tar.gz
nixlib-22796f0d4f47a7942dd443ca125ade898032022b.tar.bz2
nixlib-22796f0d4f47a7942dd443ca125ade898032022b.tar.lz
nixlib-22796f0d4f47a7942dd443ca125ade898032022b.tar.xz
nixlib-22796f0d4f47a7942dd443ca125ade898032022b.tar.zst
nixlib-22796f0d4f47a7942dd443ca125ade898032022b.zip
1 files changed, 19 insertions, 10 deletions
diff --git a/pkgs/shells/bash/4.3.nix b/pkgs/shells/bash/4.3.nix
index 76c24323fca9..f47b2da6b952 100644
--- a/pkgs/shells/bash/4.3.nix
+++ b/pkgs/shells/bash/4.3.nix
@@ -10,11 +10,21 @@ let
   baseConfigureFlags = if interactive then "--with-installed-readline" else "--disable-readline";
   sha256 = "1m14s1f61mf6bijfibcjm9y6pkyvz6gibyl8p4hxq90fisi8gimg";
 
+  upstreamPatches =
+    let
+      patch = nr: sha256:
+        fetchurl {
+          url = "mirror://gnu/bash/${realName}-patches/${shortName}-${nr}";
+          inherit sha256;
+        };
+    in
+      import ./bash-4.3-patches.nix patch;
+
   inherit (stdenv.lib) optional optionalString;
 in
 
 stdenv.mkDerivation rec {
-  name = "${realName}-p${toString (builtins.length patches)}";
+  name = "${realName}-p${toString (builtins.length upstreamPatches)}";
 
   src = fetchurl {
     url = "mirror://gnu/bash/${realName}.tar.gz";
@@ -39,15 +49,14 @@ stdenv.mkDerivation rec {
 
   patchFlags = "-p0";
 
-  patches =
-    (let
-      patch = nr: sha256:
-        fetchurl {
-          url = "mirror://gnu/bash/${realName}-patches/${shortName}-${nr}";
-          inherit sha256;
-        };
-    in
-      import ./bash-4.3-patches.nix patch)
+  patches = upstreamPatches
+      ++ [ (fetchurl {
+              # https://security.gentoo.org/glsa/201701-02
+              url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/app-shells"
+                  + "/bash/files/bash-4.4-popd-offset-overflow.patch"
+                  + "?id=1bf1ceeb04a2f57e1e5e1636a8c288c4d0db6682";
+              sha256 = "02n08lw5spvsc2b1bll0gr6mg4qxcg7pzfjkw7ji5w7bjcikccbm";
+          }) ]
       ++ optional stdenv.isCygwin ./cygwin-bash-4.3.33-1.src.patch;
 
   crossAttrs = {
author	Vladimír Čunát <vcunat@gmail.com>	2017-01-04 23:59:25 +0100
committer	Vladimír Čunát <vcunat@gmail.com>	2017-01-05 00:00:24 +0100
commit	22796f0d4f47a7942dd443ca125ade898032022b (patch)
tree	42af4a93e4a68a3c30b0b17284a0716feb4490dc /pkgs/shells/bash
parent	fa57b06dc657d4c45040db14c479f2ffb79dc84d (diff)
download	nixlib-22796f0d4f47a7942dd443ca125ade898032022b.tar nixlib-22796f0d4f47a7942dd443ca125ade898032022b.tar.gz nixlib-22796f0d4f47a7942dd443ca125ade898032022b.tar.bz2 nixlib-22796f0d4f47a7942dd443ca125ade898032022b.tar.lz nixlib-22796f0d4f47a7942dd443ca125ade898032022b.tar.xz nixlib-22796f0d4f47a7942dd443ca125ade898032022b.tar.zst nixlib-22796f0d4f47a7942dd443ca125ade898032022b.zip