diff options
| author | James Cook <james.cook@utoronto.ca> | 2015-03-02 00:02:47 -0800 |
|---|---|---|
| committer | Vladimír Čunát <vcunat@gmail.com> | 2015-03-03 11:38:02 +0100 |
| commit | 91fa9b27d57c58d9a7be9b5d49dcb4e767e4c109 (patch) | |
| tree | 77d77ca0f0e2f3838c971e3467164fd7bab0dc78 /pkgs/tools/graphics | |
| parent | bd87d32efc2e6a7b178bbe5ed0f372477c1a9949 (diff) | |
| download | nixlib-91fa9b27d57c58d9a7be9b5d49dcb4e767e4c109.tar nixlib-91fa9b27d57c58d9a7be9b5d49dcb4e767e4c109.tar.gz nixlib-91fa9b27d57c58d9a7be9b5d49dcb4e767e4c109.tar.bz2 nixlib-91fa9b27d57c58d9a7be9b5d49dcb4e767e4c109.tar.lz nixlib-91fa9b27d57c58d9a7be9b5d49dcb4e767e4c109.tar.xz nixlib-91fa9b27d57c58d9a7be9b5d49dcb4e767e4c109.tar.zst nixlib-91fa9b27d57c58d9a7be9b5d49dcb4e767e4c109.zip | |
graphviz: Patch to fix CVE-2014-9157 (close #6640)
Diffstat (limited to 'pkgs/tools/graphics')
| -rw-r--r-- | pkgs/tools/graphics/graphviz/cve-2014-9157.patch | 24 | ||||
| -rw-r--r-- | pkgs/tools/graphics/graphviz/default.nix | 11 |
2 files changed, 33 insertions, 2 deletions
diff --git a/pkgs/tools/graphics/graphviz/cve-2014-9157.patch b/pkgs/tools/graphics/graphviz/cve-2014-9157.patch new file mode 100644 index 000000000000..66ce496ca748 --- /dev/null +++ b/pkgs/tools/graphics/graphviz/cve-2014-9157.patch @@ -0,0 +1,24 @@ +From https://lists.debian.org/debian-qa-packages/2014/12/msg00048.html , which +seems to come from Ubuntu. + +Subject: Fix format string vulnerability (CVE-2014-9157) in yyerror() routine +Origin: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081 +Author: Emden R. Gansner + +--- + lib/cgraph/scan.l | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: b/lib/cgraph/scan.l +=================================================================== +--- a/lib/cgraph/scan.l ++++ b/lib/cgraph/scan.l +@@ -225,7 +225,7 @@ + agxbput (&xb, buf); + agxbput (&xb, yytext); + agxbput (&xb,"'\n"); +- agerr(AGERR,agxbuse(&xb)); ++ agerr(AGERR, "%s", agxbuse(&xb)); + agxbfree(&xb); + } + /* must be here to see flex's macro defns */ diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix index 31945c9f232c..2fcea02519a5 100644 --- a/pkgs/tools/graphics/graphviz/default.nix +++ b/pkgs/tools/graphics/graphviz/default.nix @@ -1,5 +1,6 @@ { stdenv, fetchurl, pkgconfig, libpng, libjpeg, expat, libXaw , yacc, libtool, fontconfig, pango, gd, xlibs, gts, libdevil, gettext, cairo +, flex }: stdenv.mkDerivation rec { @@ -11,10 +12,16 @@ stdenv.mkDerivation rec { sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1"; }; - patches = [ ./0001-vimdot-lookup-vim-in-PATH.patch ]; + patches = + [ ./0001-vimdot-lookup-vim-in-PATH.patch + + # NOTE: Once this patch is removed, flex can probably be removed from + # buildInputs. + ./cve-2014-9157.patch + ]; buildInputs = - [ pkgconfig libpng libjpeg expat yacc libtool fontconfig gd gts libdevil + [ pkgconfig libpng libjpeg expat yacc libtool fontconfig gd gts libdevil flex ] ++ stdenv.lib.optionals (xlibs != null) [ xlibs.xlibs xlibs.libXrender pango libXaw ] ++ stdenv.lib.optional (stdenv.system == "x86_64-darwin") gettext; |