Diffstat (limited to 'pkgs/tools')
21 files changed, 194 insertions, 41 deletions
diff --git a/pkgs/tools/X11/caffeine-ng/default.nix b/pkgs/tools/X11/caffeine-ng/default.nix index aff7b8adfc23..57f32ed82250 100644 --- a/pkgs/tools/X11/caffeine-ng/default.nix +++ b/pkgs/tools/X11/caffeine-ng/default.nix @@ -1,4 +1,4 @@ -{ gdk_pixbuf, glib, gobject-introspection, gtk3, lib, libnotify, +{ gdk-pixbuf, glib, gobject-introspection, gtk3, lib, libnotify, pythonPackages, wrapGAppsHook }: @@ -12,7 +12,7 @@ pythonPackages.buildPythonApplication rec { }; nativeBuildInputs = [ wrapGAppsHook glib ]; - buildInputs = [ gdk_pixbuf gobject-introspection libnotify gtk3 ]; + buildInputs = [ gdk-pixbuf gobject-introspection libnotify gtk3 ]; pythonPath = with pythonPackages; [ dbus-python docopt ewmh pygobject3 pyxdg setproctitle setuptools setuptools_scm wheel diff --git a/pkgs/tools/X11/xpra/default.nix b/pkgs/tools/X11/xpra/default.nix index efafbb3692ed..863c02fb23dd 100644 --- a/pkgs/tools/X11/xpra/default.nix +++ b/pkgs/tools/X11/xpra/default.nix @@ -1,5 +1,5 @@ { stdenv, lib, fetchurl, callPackage, substituteAll, python3, pkgconfig -, xorg, gtk3, glib, pango, cairo, gdk_pixbuf, atk +, xorg, gtk3, glib, pango, cairo, gdk-pixbuf, atk , wrapGAppsHook, xorgserver, getopt, xauth, utillinux, which , ffmpeg_4, x264, libvpx, libwebp, x265 , libfakeXinerama @@ -40,7 +40,7 @@ in buildPythonApplication rec { ] ++ [ cython - pango cairo gdk_pixbuf atk.out gtk3 glib + pango cairo gdk-pixbuf atk.out gtk3 glib ffmpeg_4 libvpx x264 libwebp x265 diff --git a/pkgs/tools/audio/gvolicon/default.nix b/pkgs/tools/audio/gvolicon/default.nix index 4a0c244f07f7..c66c6bc1f7e0 100644 --- a/pkgs/tools/audio/gvolicon/default.nix +++ b/pkgs/tools/audio/gvolicon/default.nix @@ -1,4 +1,4 @@ -{ stdenv, makeWrapper, alsaLib, pkgconfig, fetchgit, gtk3, gnome3, gdk_pixbuf, librsvg, wrapGAppsHook }: +{ stdenv, makeWrapper, alsaLib, pkgconfig, fetchgit, gtk3, gnome3, gdk-pixbuf, librsvg, wrapGAppsHook }: stdenv.mkDerivation { name = "gvolicon-2014-04-28"; 
@@ -10,7 +10,7 @@ stdenv.mkDerivation { nativeBuildInputs = [ pkgconfig ]; buildInputs = [ - makeWrapper alsaLib gtk3 gdk_pixbuf gnome3.adwaita-icon-theme + makeWrapper alsaLib gtk3 gdk-pixbuf gnome3.adwaita-icon-theme librsvg wrapGAppsHook ]; diff --git a/pkgs/tools/compression/zstd/default.nix b/pkgs/tools/compression/zstd/default.nix index ff2589031b6b..257396e04289 100644 --- a/pkgs/tools/compression/zstd/default.nix +++ b/pkgs/tools/compression/zstd/default.nix @@ -4,11 +4,11 @@ , legacySupport ? false }: stdenv.mkDerivation rec { - name = "zstd-${version}"; - version = "1.4.0"; + pname = "zstd"; + version = "1.4.1"; src = fetchFromGitHub { - sha256 = "1gfxi3ymgavjfxh84rhfjan7l4pymwfrn051nwc7n0s3mxp09m6v"; + sha256 = "1f2nvhsx1fsd6zbnwvc6bbrm9ghkcvamqqg79fxgk5284rc6nynv"; rev = "v${version}"; repo = "zstd"; owner = "facebook"; @@ -40,6 +40,8 @@ stdenv.mkDerivation rec { --replace "zstdcat" "$out/bin/zstdcat" ''; + enableParallelBuilding = true; + meta = with stdenv.lib; { description = "Zstandard real-time compression algorithm"; longDescription = '' @@ -52,8 +54,7 @@ stdenv.mkDerivation rec { property shared by most LZ compression algorithms, such as zlib. ''; homepage = https://facebook.github.io/zstd/; - # The licence of the CLI programme is GPLv2+, that of the library BSD-2. - license = with licenses; [ gpl2Plus bsd2 ]; + license = with licenses; [ bsd3 ]; # Or, at your opinion, GPL-2.0-only. platforms = platforms.unix; maintainers = with maintainers; [ orivej ]; diff --git a/pkgs/tools/filesystems/e2fsprogs/default.nix b/pkgs/tools/filesystems/e2fsprogs/default.nix index babb3d844fe9..d8ddde24ade3 100644 --- a/pkgs/tools/filesystems/e2fsprogs/default.nix +++ b/pkgs/tools/filesystems/e2fsprogs/default.nix 
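Review bot: The trailing comment on the new `license` line in the last zstd hunk says "at your opinion", which should read "at your option": `license = with licenses; [ bsd3 ]; # Or, at your option, GPL-2.0-only.`. With the GPL alternative recorded only in a comment, anything that reads `meta.license` mechanically will see the BSD licence alone, so it is worth confirming that this is the intended machine-readable value. The `meta` block continues outside the hunk.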
@@ -2,11 +2,11 @@ stdenv.mkDerivation rec { pname = "e2fsprogs"; - version = "1.45.2"; + version = "1.45.3"; src = fetchurl { url = "mirror://sourceforge/${pname}/${pname}-${version}.tar.gz"; - sha256 = "1bhqljgcngys1diaxh7rnxc85d1jsril8xd7bach9imdjwr1wlm8"; + sha256 = "0gcqfnp9h7wgz1vq402kxd2w398vqaim26aq9i722v3lrgh5cm9s"; }; outputs = [ "bin" "dev" "out" "man" "info" ]; diff --git a/pkgs/tools/graphics/blur-effect/default.nix b/pkgs/tools/graphics/blur-effect/default.nix index 5bb209984396..499004013196 100644 --- a/pkgs/tools/graphics/blur-effect/default.nix +++ b/pkgs/tools/graphics/blur-effect/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchFromGitHub, pkgconfig, cmake, gdk_pixbuf, libGL, mesa }: +{ stdenv, fetchFromGitHub, pkgconfig, cmake, gdk-pixbuf, libGL, mesa }: stdenv.mkDerivation rec { pname = "blur-effect"; @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { ]; buildInputs = [ - gdk_pixbuf + gdk-pixbuf libGL mesa ]; diff --git a/pkgs/tools/inputmethods/ibus/default.nix b/pkgs/tools/inputmethods/ibus/default.nix index d2090d776762..07fa8d2beb56 100644 --- a/pkgs/tools/inputmethods/ibus/default.nix +++ b/pkgs/tools/inputmethods/ibus/default.nix @@ -1,5 +1,5 @@ { stdenv, substituteAll, fetchurl, fetchFromGitHub, autoreconfHook, gettext, makeWrapper, pkgconfig -, vala, wrapGAppsHook, dbus, dconf ? null, glib, gdk_pixbuf, gobject-introspection, gtk2 +, vala, wrapGAppsHook, dbus, dconf ? null, glib, gdk-pixbuf, gobject-introspection, gtk2 , gtk3, gtk-doc, isocodes, python3, json-glib, libnotify ? null, enablePython2Library ? false , enableUI ? true, withWayland ? false, libxkbcommon ? null, wayland ? null , buildPackages, runtimeShell }: @@ -134,7 +134,7 @@ stdenv.mkDerivation rec { buildInputs = [ dbus dconf - gdk_pixbuf + gdk-pixbuf gobject-introspection python3.pkgs.pygobject3 # for pygobject overrides gtk2 diff --git a/pkgs/tools/misc/birdfont/default.nix b/pkgs/tools/misc/birdfont/default.nix index 2de6715db8fe..56e7650673e1 100644 
--- a/pkgs/tools/misc/birdfont/default.nix +++ b/pkgs/tools/misc/birdfont/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchurl, pkgconfig, python3, xmlbird, -cairo, gdk_pixbuf, libgee, glib, gtk3, webkitgtk, libnotify, sqlite, vala, +cairo, gdk-pixbuf, libgee, glib, gtk3, webkitgtk, libnotify, sqlite, vala, gobject-introspection, gsettings-desktop-schemas, wrapGAppsHook }: stdenv.mkDerivation rec { @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { }; nativeBuildInputs = [ python3 pkgconfig vala gobject-introspection wrapGAppsHook ]; - buildInputs = [ xmlbird libgee cairo gdk_pixbuf glib gtk3 webkitgtk libnotify sqlite gsettings-desktop-schemas ]; + buildInputs = [ xmlbird libgee cairo gdk-pixbuf glib gtk3 webkitgtk libnotify sqlite gsettings-desktop-schemas ]; postPatch = "patchShebangs ."; diff --git a/pkgs/tools/misc/staruml/default.nix b/pkgs/tools/misc/staruml/default.nix index dcbee0e343ec..794c06b8044e 100644 --- a/pkgs/tools/misc/staruml/default.nix +++ b/pkgs/tools/misc/staruml/default.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl, makeWrapper , dpkg, patchelf -, gtk2, glib, gdk_pixbuf, alsaLib, nss, nspr, GConf, cups, libgcrypt, dbus, systemd +, gtk2, glib, gdk-pixbuf, alsaLib, nss, nspr, GConf, cups, libgcrypt, dbus, systemd , libXdamage, expat }: let inherit (stdenv) lib; LD_LIBRARY_PATH = lib.makeLibraryPath - [ glib gtk2 gdk_pixbuf alsaLib nss nspr GConf cups libgcrypt dbus libXdamage expat ]; + [ glib gtk2 gdk-pixbuf alsaLib nss nspr GConf cups libgcrypt dbus libXdamage expat ]; in stdenv.mkDerivation rec { version = "2.8.1"; diff --git a/pkgs/tools/misc/sweep-visualizer/default.nix b/pkgs/tools/misc/sweep-visualizer/default.nix index cbf849494b75..fd0a766f54e9 100644 --- a/pkgs/tools/misc/sweep-visualizer/default.nix +++ b/pkgs/tools/misc/sweep-visualizer/default.nix 
@@ -1,5 +1,5 @@ { stdenv, lib, makeWrapper, fetchurl, - alsaLib, atk, cairo, cups, dbus, expat, fontconfig, freetype, gdk_pixbuf, glib, + alsaLib, atk, cairo, cups, dbus, expat, fontconfig, freetype, gdk-pixbuf, glib, gnome2, gtk2-x11, nspr, nss, libX11, libxcb, libXcomposite, libXcursor, libXdamage, libXext, libXfixes, libXi, libXrandr, libXrender, libXScrnSaver, libXtst, @@ -13,7 +13,7 @@ url = "https://s3.amazonaws.com/scanse/Visualizer/v${version}/sweepvisualizer_${version}_amd64.deb"; sha256 = "1k6rdjw2340qrzafv6hjxvbvyh3s1wad6d3629nchdcrpyx9xy1c"; }; - + nativeBuildInputs = [ makeWrapper ]; sourceRoot = "."; @@ -32,8 +32,8 @@ preFixup = let libPath = lib.makeLibraryPath [ - alsaLib atk cairo cups.lib dbus.lib expat fontconfig.lib freetype - gdk_pixbuf glib gnome2.GConf gnome2.pango gtk2-x11 nspr nss stdenv.cc.cc.lib + alsaLib atk cairo cups.lib dbus.lib expat fontconfig.lib freetype + gdk-pixbuf glib gnome2.GConf gnome2.pango gtk2-x11 nspr nss stdenv.cc.cc.lib libX11 libxcb libXcomposite libXcursor libXdamage libXext libXfixes libXi libXrandr libXrender libXScrnSaver libXtst ]; diff --git a/pkgs/tools/misc/system-config-printer/default.nix b/pkgs/tools/misc/system-config-printer/default.nix index 025833431176..6750bbe8ae69 100644 --- a/pkgs/tools/misc/system-config-printer/default.nix +++ b/pkgs/tools/misc/system-config-printer/default.nix @@ -1,6 +1,6 @@ { stdenv, fetchurl, udev, intltool, pkgconfig, glib, xmlto, wrapGAppsHook , docbook_xml_dtd_412, docbook_xsl -, libxml2, desktop-file-utils, libusb1, cups, gdk_pixbuf, pango, atk, libnotify +, libxml2, desktop-file-utils, libusb1, cups, gdk-pixbuf, pango, atk, libnotify , gobject-introspection, libsecret , cups-filters , pythonPackages @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { buildInputs = [ glib udev libusb1 cups pythonPackages.python - libnotify gobject-introspection gdk_pixbuf pango atk + libnotify gobject-introspection gdk-pixbuf pango atk libsecret ]; 
diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix index bd502ee34c66..652bcdba8748 100644 --- a/pkgs/tools/networking/curl/default.nix +++ b/pkgs/tools/networking/curl/default.nix @@ -24,14 +24,14 @@ assert brotliSupport -> brotli != null; assert gssSupport -> libkrb5 != null; stdenv.mkDerivation rec { - name = "curl-7.65.0"; + name = "curl-7.65.3"; src = fetchurl { urls = [ "https://curl.haxx.se/download/${name}.tar.bz2" "https://github.com/curl/curl/releases/download/${lib.replaceStrings ["."] ["_"] name}/${name}.tar.bz2" ]; - sha256 = "0p6z77iv6wlxq7skbnxn61rn8rangrp4g4spr09y920fcf7w0iza"; + sha256 = "02g5zj4rq5sr15jzjqk70xk4k92i2pdmpq00xb4pnba8ps1mx18a"; }; outputs = [ "bin" "dev" "out" "man" "devdoc" ]; diff --git a/pkgs/tools/networking/driftnet/default.nix b/pkgs/tools/networking/driftnet/default.nix index bf0a43ce5153..fd932617c936 100644 --- a/pkgs/tools/networking/driftnet/default.nix +++ b/pkgs/tools/networking/driftnet/default.nix @@ -1,5 +1,5 @@ { stdenv, lib, fetchFromGitHub, libpcap, libjpeg , libungif, libpng -, giflib, glib, gtk2, cairo, pango, gdk_pixbuf, atk +, giflib, glib, gtk2, cairo, pango, gdk-pixbuf, atk , pkgconfig, autoreconfHook }: with lib; @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ pkgconfig ]; buildInputs = [ libpcap libjpeg libungif libpng giflib - glib gtk2 glib cairo pango gdk_pixbuf atk autoreconfHook + glib gtk2 glib cairo pango gdk-pixbuf atk autoreconfHook ]; src = fetchFromGitHub { diff --git a/pkgs/tools/networking/openresolv/default.nix b/pkgs/tools/networking/openresolv/default.nix index 209e1f64c72b..302e08617afc 100644 --- a/pkgs/tools/networking/openresolv/default.nix +++ b/pkgs/tools/networking/openresolv/default.nix 
@@ -2,11 +2,11 @@ stdenv.mkDerivation rec { name = "openresolv-${version}"; - version = "3.9.0"; + version = "3.9.1"; src = fetchurl { url = "mirror://roy/openresolv/${name}.tar.xz"; - sha256 = "1f2dccc52iykbpma26fbxzga2l6g4njm3bgaxz4rgdrb4cwlv82i"; + sha256 = "1wlzi88837rf4ygswmzpbcmgkbbjhn5n322n9q6ir6x367hygf1q"; }; buildInputs = [ makeWrapper ]; diff --git a/pkgs/tools/security/encryptr/default.nix b/pkgs/tools/security/encryptr/default.nix index 8d0c78764319..6f79be83be55 100644 --- a/pkgs/tools/security/encryptr/default.nix +++ b/pkgs/tools/security/encryptr/default.nix @@ -1,7 +1,7 @@ { stdenv, fetchurl, glib, nss, nspr, gconf, fontconfig, freetype , pango , cairo, libX11 , libXi, libXcursor, libXext, libXfixes , libXrender, libXcomposite , alsaLib, libXdamage, libXtst, libXrandr -, expat, libcap, systemd , dbus, gtk2 , gdk_pixbuf, libnotify +, expat, libcap, systemd , dbus, gtk2 , gdk-pixbuf, libnotify }: let @@ -27,7 +27,7 @@ in stdenv.mkDerivation rec { rpath = stdenv.lib.makeLibraryPath [ glib nss nspr gconf fontconfig freetype pango cairo libX11 libXi libXcursor libXext libXfixes libXrender libXcomposite alsaLib - libXdamage libXtst libXrandr expat libcap dbus gtk2 gdk_pixbuf + libXdamage libXtst libXrandr expat libcap dbus gtk2 gdk-pixbuf libnotify stdenv.cc.cc ]; diff --git a/pkgs/tools/security/keybase/gui.nix b/pkgs/tools/security/keybase/gui.nix index f84f0039347e..afe2d457a7fe 100644 --- a/pkgs/tools/security/keybase/gui.nix +++ b/pkgs/tools/security/keybase/gui.nix @@ -1,5 +1,5 @@ { stdenv, fetchurl, alsaLib, atk, cairo, cups, udev -, dbus, expat, fontconfig, freetype, gdk_pixbuf, glib, gtk3 +, dbus, expat, fontconfig, freetype, gdk-pixbuf, glib, gtk3 , libnotify, nspr, nss, pango, systemd, xorg, autoPatchelfHook, wrapGAppsHook , runtimeShell, gsettings-desktop-schemas }: @@ -30,7 +30,7 @@ stdenv.mkDerivation rec { expat fontconfig freetype - gdk_pixbuf + gdk-pixbuf glib gsettings-desktop-schemas gtk3 
diff --git a/pkgs/tools/system/collectd/default.nix b/pkgs/tools/system/collectd/default.nix index 3fdc87808881..d71fa0c4e584 100644 --- a/pkgs/tools/system/collectd/default.nix +++ b/pkgs/tools/system/collectd/default.nix @@ -13,7 +13,7 @@ , libmemcached, cyrus_sasl , libmicrohttpd , libmodbus -, libnotify, gdk_pixbuf +, libnotify, gdk-pixbuf , liboping , libpcap , libsigrok @@ -59,7 +59,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ pkgconfig autoreconfHook ]; buildInputs = [ curl libdbi libgcrypt libmemcached - cyrus_sasl libnotify gdk_pixbuf liboping libpcap libvirt + cyrus_sasl libnotify gdk-pixbuf liboping libpcap libvirt libxml2 postgresql protobufc rrdtool varnish yajl jdk libtool python hiredis libmicrohttpd riemann_c_client mosquitto rdkafka mongoc diff --git a/pkgs/tools/system/ddrescueview/default.nix b/pkgs/tools/system/ddrescueview/default.nix index 517cefb6a2b3..466232e2bf77 100644 --- a/pkgs/tools/system/ddrescueview/default.nix +++ b/pkgs/tools/system/ddrescueview/default.nix @@ -1,4 +1,4 @@ -{ stdenv, lib, fetchurl, fpc, lazarus, atk, cairo, gdk_pixbuf, glib, gtk2, libX11, pango }: +{ stdenv, lib, fetchurl, fpc, lazarus, atk, cairo, gdk-pixbuf, glib, gtk2, libX11, pango }: stdenv.mkDerivation rec { name = "ddrescueview-0.4alpha3"; @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ fpc lazarus ]; - buildInputs = [ atk cairo gdk_pixbuf glib gtk2 libX11 pango ]; + buildInputs = [ atk cairo gdk-pixbuf glib gtk2 libX11 pango ]; sourceRoot = "source"; diff --git a/pkgs/tools/text/gnupatch/CVE-2019-13636.patch b/pkgs/tools/text/gnupatch/CVE-2019-13636.patch new file mode 100644 index 000000000000..e62c3d41753c --- /dev/null +++ b/pkgs/tools/text/gnupatch/CVE-2019-13636.patch 
@@ -0,0 +1,108 @@ +From dce4683cbbe107a95f1f0d45fabc304acfb5d71a Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher <agruen@gnu.org> +Date: Mon, 15 Jul 2019 16:21:48 +0200 +Subject: Don't follow symlinks unless --follow-symlinks is given + +* src/inp.c (plan_a, plan_b), src/util.c (copy_to_fd, copy_file, +append_to_file): Unless the --follow-symlinks option is given, open files with +the O_NOFOLLOW flag to avoid following symlinks. So far, we were only doing +that consistently for input files. +* src/util.c (create_backup): When creating empty backup files, (re)create them +with O_CREAT | O_EXCL to avoid following symlinks in that case as well. +--- + src/inp.c | 12 ++++++++++-- + src/util.c | 14 +++++++++++--- + 2 files changed, 21 insertions(+), 5 deletions(-) + +diff --git a/src/inp.c b/src/inp.c +index 32d0919..22d7473 100644 +--- a/src/inp.c ++++ b/src/inp.c +@@ -238,8 +238,13 @@ plan_a (char const *filename) + { + if (S_ISREG (instat.st_mode)) + { +- int ifd = safe_open (filename, O_RDONLY|binary_transput, 0); ++ int flags = O_RDONLY | binary_transput; + size_t buffered = 0, n; ++ int ifd; ++ ++ if (! follow_symlinks) ++ flags |= O_NOFOLLOW; ++ ifd = safe_open (filename, flags, 0); + if (ifd < 0) + pfatal ("can't open file %s", quotearg (filename)); + +@@ -340,6 +345,7 @@ plan_a (char const *filename) + static void + plan_b (char const *filename) + { ++ int flags = O_RDONLY | binary_transput; + int ifd; + FILE *ifp; + int c; +@@ -353,7 +359,9 @@ plan_b (char const *filename) + + if (instat.st_size == 0) + filename = NULL_DEVICE; +- if ((ifd = safe_open (filename, O_RDONLY | binary_transput, 0)) < 0 ++ if (! follow_symlinks) ++ flags |= O_NOFOLLOW; ++ if ((ifd = safe_open (filename, flags, 0)) < 0 + || ! (ifp = fdopen (ifd, binary_transput ? 
"rb" : "r"))) + pfatal ("Can't open file %s", quotearg (filename)); + if (TMPINNAME_needs_removal) +diff --git a/src/util.c b/src/util.c +index 1cc08ba..fb38307 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -388,7 +388,7 @@ create_backup (char const *to, const struct stat *to_st, bool leave_original) + + try_makedirs_errno = ENOENT; + safe_unlink (bakname); +- while ((fd = safe_open (bakname, O_CREAT | O_WRONLY | O_TRUNC, 0666)) < 0) ++ while ((fd = safe_open (bakname, O_CREAT | O_EXCL | O_WRONLY | O_TRUNC, 0666)) < 0) + { + if (errno != try_makedirs_errno) + pfatal ("Can't create file %s", quotearg (bakname)); +@@ -579,10 +579,13 @@ create_file (char const *file, int open_flags, mode_t mode, + static void + copy_to_fd (const char *from, int tofd) + { ++ int from_flags = O_RDONLY | O_BINARY; + int fromfd; + ssize_t i; + +- if ((fromfd = safe_open (from, O_RDONLY | O_BINARY, 0)) < 0) ++ if (! follow_symlinks) ++ from_flags |= O_NOFOLLOW; ++ if ((fromfd = safe_open (from, from_flags, 0)) < 0) + pfatal ("Can't reopen file %s", quotearg (from)); + while ((i = read (fromfd, buf, bufsize)) != 0) + { +@@ -625,6 +628,8 @@ copy_file (char const *from, char const *to, struct stat *tost, + else + { + assert (S_ISREG (mode)); ++ if (! follow_symlinks) ++ to_flags |= O_NOFOLLOW; + tofd = create_file (to, O_WRONLY | O_BINARY | to_flags, mode, + to_dir_known_to_exist); + copy_to_fd (from, tofd); +@@ -640,9 +645,12 @@ copy_file (char const *from, char const *to, struct stat *tost, + void + append_to_file (char const *from, char const *to) + { ++ int to_flags = O_WRONLY | O_APPEND | O_BINARY; + int tofd; + +- if ((tofd = safe_open (to, O_WRONLY | O_BINARY | O_APPEND, 0)) < 0) ++ if (! follow_symlinks) ++ to_flags |= O_NOFOLLOW; ++ if ((tofd = safe_open (to, to_flags, 0)) < 0) + pfatal ("Can't reopen file %s", quotearg (to)); + copy_to_fd (from, tofd); + if (close (tofd) != 0) +-- +cgit v1.0-41-gc330 + 
diff --git a/pkgs/tools/text/gnupatch/CVE-2019-13638.patch b/pkgs/tools/text/gnupatch/CVE-2019-13638.patch new file mode 100644 index 000000000000..38caff628aaf --- /dev/null +++ b/pkgs/tools/text/gnupatch/CVE-2019-13638.patch @@ -0,0 +1,38 @@ +From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher <agruen@gnu.org> +Date: Fri, 6 Apr 2018 19:36:15 +0200 +Subject: Invoke ed directly instead of using the shell + +* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell +command to avoid quoting vulnerabilities. +--- + src/pch.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/pch.c b/src/pch.c +index 4fd5a05..16e001a 100644 +--- a/src/pch.c ++++ b/src/pch.c +@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname, + *outname_needs_removal = true; + copy_file (inname, outname, 0, exclusive, instat.st_mode, true); + } +- sprintf (buf, "%s %s%s", editor_program, +- verbosity == VERBOSE ? "" : "- ", +- outname); + fflush (stdout); + + pid = fork(); +@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname, + else if (pid == 0) + { + dup2 (tmpfd, 0); +- execl ("/bin/sh", "sh", "-c", buf, (char *) 0); ++ assert (outname[0] != '!' && outname[0] != '-'); ++ execlp (editor_program, editor_program, "-", outname, (char *) NULL); + _exit (2); + } + else +-- +cgit v1.0-41-gc330 + diff --git a/pkgs/tools/text/gnupatch/default.nix b/pkgs/tools/text/gnupatch/default.nix index 1a5cda5799dc..5b61220d50a1 100644 --- a/pkgs/tools/text/gnupatch/default.nix +++ b/pkgs/tools/text/gnupatch/default.nix 
@@ -23,6 +23,12 @@ stdenv.mkDerivation rec { }) # https://git.savannah.gnu.org/cgit/patch.git/commit/?id=9c986353e420ead6e706262bf204d6e03322c300 ./CVE-2018-6952.patch + + # https://git.savannah.gnu.org/cgit/patch.git/patch/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a + ./CVE-2019-13636.patch + + # https://git.savannah.gnu.org/cgit/patch.git/patch/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0 + ./CVE-2019-13638.patch ]; nativeBuildInputs = [ autoreconfHook ]; |
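Review bot: The `./CVE-2019-13638.patch` entry brings in a guard that exists only as an `assert`. The patch adds `assert (outname[0] != '!' && outname[0] != '-');` directly before the `execlp` of the editor, and a build that defines `NDEBUG` would compile that check away. Nothing visible here sets `NDEBUG`, but the dependency is easy to lose, so I would record it next to the entry, e.g. `# The outname guard in this patch is an assert(); do not build with -DNDEBUG.`. The two new URL comments also use `/patch/?id=` where the existing CVE-2018-6952 comment uses `/commit/?id=`; one form throughout would be easier to audit. The enclosing list starts before this hunk.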