lz4: patch CVE-2021-3520 and null pointer dereference

(cherry picked from commit 2acd087dca93a3b589721b3ec32d13d9150684bb)
2021-05-30 02:08:18 +00:00 · 2021-05-30 02:08:18 +00:00 · 35b4a78d9a
parent 1b1608a7b8
commit 35b4a78d9a
1 changed files with 13 additions and 0 deletions
--- a/pkgs/tools/compression/lz4/default.nix
+++ b/pkgs/tools/compression/lz4/default.nix
@ -14,6 +14,19 @@ stdenv.mkDerivation rec {
    owner = pname;
  };

+  patches = [
+    (fetchpatch { # https://github.com/lz4/lz4/pull/972
+      name = "CVE-2021-3520.patch";
+      url = "https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7.patch";
+      sha256 = "0r1cwpqdkdc8im0pf2r5jp7mwwn69xcw405rrk7rc0mpjcp5ydfk";
+    })
+    (fetchpatch { # https://github.com/lz4/lz4/pull/973
+      name = "avoid-null-pointer-dereference.patch";
+      url = "https://github.com/lz4/lz4/commit/29a6a1f4941e7243241fe00d6c13b749fd6b60c2.patch";
+      sha256 = "0v5yl5hd3qrfm3xm7m06j4b21qwllb4cqkjn2az7x1vnzqgpf8y7";
+    })
+  ];
+
  # TODO(@Ericson2314): Separate binaries and libraries
  outputs = [ "bin" "out" "dev" ];