From 9843fdc532a75f34274fb781d69a2daa97a6a0d2 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold <andreas@rammhold.de>
Date: Mon, 15 Oct 2018 22:57:08 +0200
Subject: ligcgroup: fix CVE-2018-14348

When using cgrulesengd it would create a logfile at /var/log/cgred with
the permission wide open (0666).
---
 pkgs/os-specific/linux/libcgroup/default.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'pkgs/os-specific/linux')

diff --git a/pkgs/os-specific/linux/libcgroup/default.nix b/pkgs/os-specific/linux/libcgroup/default.nix
index a70ab13db623..1e920247a754 100644
--- a/pkgs/os-specific/linux/libcgroup/default.nix
+++ b/pkgs/os-specific/linux/libcgroup/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pam, yacc, flex }:
+{ stdenv, fetchurl, fetchpatch, pam, yacc, flex }:
 
 stdenv.mkDerivation rec {
   name    = "libcgroup-${version}";
@@ -11,6 +11,13 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pam yacc flex ];
 
+  patches = [
+    (fetchpatch {
+      url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/libcgroup/files/libcgroup-0.41-remove-umask.patch?id=33e9f4c81de754bbf76b893ea1133ed023f2a0e5";
+      sha256 = "1x0x29ld0cgmfwq4qy13s6d5c8sym1frfh1j2q47d8gfw6qaxka5";
+    })
+  ];
+
   postPatch = ''
     substituteInPlace src/tools/Makefile.in \
       --replace 'chmod u+s' 'chmod +x'
-- 
cgit 1.4.1