bash-4.3: fix security problems via a Gentoo patch

2017-01-04 23:59:25 +01:00 · 2017-01-04 23:59:25 +01:00 · 22796f0d4f
commit 22796f0d4f
parent fa57b06dc6
1 changed files with 19 additions and 10 deletions
--- a/pkgs/shells/bash/4.3.nix
+++ b/pkgs/shells/bash/4.3.nix
@ -10,11 +10,21 @@ let
  baseConfigureFlags = if interactive then "--with-installed-readline" else "--disable-readline";
  sha256 = "1m14s1f61mf6bijfibcjm9y6pkyvz6gibyl8p4hxq90fisi8gimg";
  upstreamPatches =
    let
      patch = nr: sha256:
        fetchurl {
          url = "mirror://gnu/bash/${realName}-patches/${shortName}-${nr}";
          inherit sha256;
        };
    in
      import ./bash-4.3-patches.nix patch;
  inherit (stdenv.lib) optional optionalString;
 in
 stdenv.mkDerivation rec {
-  name = "${realName}-p${toString (builtins.length patches)}";
+  name = "${realName}-p${toString (builtins.length upstreamPatches)}";
  src = fetchurl {
    url = "mirror://gnu/bash/${realName}.tar.gz";
@ -39,15 +49,14 @@ stdenv.mkDerivation rec {
  patchFlags = "-p0";
-  patches =
+  patches = upstreamPatches
-    (let
+      ++ [ (fetchurl {
-      patch = nr: sha256:
+              # https://security.gentoo.org/glsa/201701-02
-        fetchurl {
+              url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/app-shells"
-          url = "mirror://gnu/bash/${realName}-patches/${shortName}-${nr}";
+                  + "/bash/files/bash-4.4-popd-offset-overflow.patch"
-          inherit sha256;
+                  + "?id=1bf1ceeb04a2f57e1e5e1636a8c288c4d0db6682";
-        };
+              sha256 = "02n08lw5spvsc2b1bll0gr6mg4qxcg7pzfjkw7ji5w7bjcikccbm";
-    in
+          }) ]
      import ./bash-4.3-patches.nix patch)
      ++ optional stdenv.isCygwin ./cygwin-bash-4.3.33-1.src.patch;
  crossAttrs = {