From 19f23d00fd91c68911c8bf8e7d8dc0e19a3faaaa Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Wed, 8 Feb 2017 22:11:25 -0500
Subject: ntfs3g: patch for CVE-2017-0358

From the Debian advisory: Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe with elevated privileges. A local user can take advantage of this flaw for local root privilege escalation.
---
 pkgs/tools/filesystems/ntfs-3g/default.nix | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'pkgs/tools/filesystems')

diff --git a/pkgs/tools/filesystems/ntfs-3g/default.nix b/pkgs/tools/filesystems/ntfs-3g/default.nix
index d5c5456515cb..01d9b81d0389 100644
--- a/pkgs/tools/filesystems/ntfs-3g/default.nix
+++ b/pkgs/tools/filesystems/ntfs-3g/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, utillinux, libuuid
+{stdenv, fetchurl, fetchpatch, utillinux, libuuid
 , crypto ? false, libgcrypt, gnutls, pkgconfig}:

 stdenv.mkDerivation rec {
@@ -14,6 +14,13 @@ stdenv.mkDerivation rec {
 sha256 = "180y5y09h30ryf2vim8j30a2npwz1iv9ly5yjmh3wjdkwh2jrdyp";
 };

+ patches = [
+ (fetchpatch {
+ url = "https://sources.debian.net/data/main/n/ntfs-3g/1:2016.2.22AR.1-4/debian/patches/0003-CVE-2017-0358.patch";
+ sha256 = "0hd05q9q06r18k8pmppvch1sslzqln5fvqj51d5r72g4mnpavpj3";
+ })
+ ];
+
 patchPhase = ''
 substituteInPlace src/Makefile.in --replace /sbin '@sbindir@'
 substituteInPlace ntfsprogs/Makefile.in --replace /sbin '@sbindir@'
@@ -45,4 +52,3 @@ stdenv.mkDerivation rec {
 license = licenses.gpl2Plus; # and (lib)fuse-lite under LGPL2+
 };
 }
-
--
cgit 1.4.1
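Review bot: The new `patches` list in the second hunk is probably never applied, because the context line right below it shows the derivation setting its own `patchPhase = ''`. In stdenv, a derivation-level `patchPhase` replaces the default phase, and that default phase is what iterates over `patches`. The `patchPhase` body continues outside the hunk, but unless that unseen part applies the patch by hand, the package would still be built without the environment scrubbing that CVE-2017-0358 requires. Renaming the override to `postPatch = ''` keeps the two `substituteInPlace` calls and lets the default phase apply the fetched patch first. It is worth confirming in the build log that `0003-CVE-2017-0358.patch` is actually reported as applied.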