Merge pull request #134839 from risicle/ris-rsync-CVE-2020-14387-r21.05

2021-08-24 15:13:03 +02:00 · 2021-08-24 15:13:03 +02:00 · 4b16abddba
parent d818c9fd75 41a38db165
commit 4b16abddba
3 changed files with 16 additions and 6 deletions
--- a/pkgs/applications/networking/sync/rsync/base.nix
+++ b/pkgs/applications/networking/sync/rsync/base.nix
@ -1,4 +1,4 @@
-{ lib, fetchurl }:
+{ lib, fetchurl, fetchpatch }:

 rec {
  version = "3.2.3";
@ -12,6 +12,13 @@ rec {
    url = "mirror://samba/rsync/rsync-patches-${version}.tar.gz";
    sha256 = "1wj21v57v135n6fnmlm2dxmb9lhrrg62jgkggldp1gb7d6s4arny";
  };
+  extraPatches = [
+    (fetchpatch {
+      name = "CVE-2020-14387.patch";
+      url = "https://git.samba.org/?p=rsync.git;a=patch;h=c3f7414;hp=4c4fce51072c9189cfb11b52aa54fed79f5741bd";
+      sha256 = "000lyx48lns84p53nsdlr45mb9558lrvnsz3yic0y3z6h2izv82x";
+    })
+  ];

  meta = with lib; {
    description = "Fast incremental file transfer utility";
--- a/pkgs/applications/networking/sync/rsync/default.nix
+++ b/pkgs/applications/networking/sync/rsync/default.nix
@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, perl, libiconv, zlib, popt
+{ lib, stdenv, fetchurl, fetchpatch, perl, libiconv, zlib, popt
 , enableACLs ? !(stdenv.isDarwin || stdenv.isSunOS || stdenv.isFreeBSD), acl ? null
 , enableLZ4 ? true, lz4 ? null
 , enableOpenSSL ? true, openssl ? null
@ -15,7 +15,7 @@ assert enableXXHash -> xxHash != null;
 assert enableZstd -> zstd != null;

 let
-  base = import ./base.nix { inherit lib fetchurl; };
+  base = import ./base.nix { inherit lib fetchurl fetchpatch; };
 in
 stdenv.mkDerivation rec {
  name = "rsync-${base.version}";
@ -25,7 +25,8 @@ stdenv.mkDerivation rec {
  patchesSrc = base.upstreamPatchTarball;

  srcs = [mainSrc] ++ lib.optional enableCopyDevicesPatch patchesSrc;
-  patches = lib.optional enableCopyDevicesPatch "./patches/copy-devices.diff";
+  patches = lib.optional enableCopyDevicesPatch "./patches/copy-devices.diff"
+    ++ base.extraPatches;

  buildInputs = [libiconv zlib popt]
                ++ lib.optional enableACLs acl
--- a/pkgs/applications/networking/sync/rsync/rrsync.nix
+++ b/pkgs/applications/networking/sync/rsync/rrsync.nix
@ -1,7 +1,7 @@
-{ lib, stdenv, fetchurl, perl, rsync }:
+{ lib, stdenv, fetchurl, perl, rsync, fetchpatch }:

 let
-  base = import ./base.nix { inherit lib fetchurl; };
+  base = import ./base.nix { inherit lib fetchurl fetchpatch; };
 in
 stdenv.mkDerivation {
  name = "rrsync-${base.version}";
@ -15,6 +15,8 @@ stdenv.mkDerivation {
  dontConfigure = true;
  dontBuild = true;

+  patches = base.extraPatches;
+
  postPatch = ''
    substituteInPlace support/rrsync --replace /usr/bin/rsync ${rsync}/bin/rsync
  '';