From 91fa9b27d57c58d9a7be9b5d49dcb4e767e4c109 Mon Sep 17 00:00:00 2001
From: James Cook
Date: Mon, 2 Mar 2015 00:02:47 -0800
Subject: [PATCH] graphviz: Patch to fix CVE-2014-9157 (close #6640)
---
 .../graphics/graphviz/cve-2014-9157.patch | 24 +++++++++++++++++++
 pkgs/tools/graphics/graphviz/default.nix | 11 +++++++--
 2 files changed, 33 insertions(+), 2 deletions(-)
 create mode 100644 pkgs/tools/graphics/graphviz/cve-2014-9157.patch
diff --git a/pkgs/tools/graphics/graphviz/cve-2014-9157.patch b/pkgs/tools/graphics/graphviz/cve-2014-9157.patch
new file mode 100644
index 00000000000..66ce496ca74
--- /dev/null
+++ b/pkgs/tools/graphics/graphviz/cve-2014-9157.patch
@@ -0,0 +1,24 @@
+From https://lists.debian.org/debian-qa-packages/2014/12/msg00048.html , which
+seems to come from Ubuntu.
+
+Subject: Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
+Origin: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081
+Author: Emden R. Gansner
+
+---
+ lib/cgraph/scan.l | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: b/lib/cgraph/scan.l
+===================================================================
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -225,7 +225,7 @@
+ agxbput (&xb, buf);
+ agxbput (&xb, yytext);
+ agxbput (&xb,"'\n");
+- agerr(AGERR,agxbuse(&xb));
++ agerr(AGERR, "%s", agxbuse(&xb));
+ agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix
index 31945c9f232..2fcea02519a 100644
--- a/pkgs/tools/graphics/graphviz/default.nix
+++ b/pkgs/tools/graphics/graphviz/default.nix
@@ -1,5 +1,6 @@
 { stdenv, fetchurl, pkgconfig, libpng, libjpeg, expat, libXaw
 , yacc, libtool, fontconfig, pango, gd, xlibs, gts, libdevil, gettext, cairo
+, flex
 }:
 stdenv.mkDerivation rec {
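Review bot: The header of cve-2014-9157.patch records its provenance only as "seems to come from Ubuntu", so a later maintainer cannot tell whether the `agerr(AGERR, "%s", agxbuse(&xb));` line was compared with the upstream commit named under `Origin:`. Once that comparison has been done, I would say so in the header, for example `Checked against the upstream commit listed under Origin.` The fix itself has the right shape for a format-string bug: the buffer assembled from `yytext` is now passed as an argument, not as the format. Other `agerr` callers lie outside this hunk, so whether any of them still pass a non-literal format cannot be judged from here.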
@@ -11,10 +12,16 @@ stdenv.mkDerivation rec {
 sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1";
 };
- patches = [ ./0001-vimdot-lookup-vim-in-PATH.patch ];
+ patches =
+ [ ./0001-vimdot-lookup-vim-in-PATH.patch
+
+ # NOTE: Once this patch is removed, flex can probably be removed from
+ # buildInputs.
+ ./cve-2014-9157.patch
+ ];
 buildInputs =
- [ pkgconfig libpng libjpeg expat yacc libtool fontconfig gd gts libdevil
+ [ pkgconfig libpng libjpeg expat yacc libtool fontconfig gd gts libdevil flex
 ] ++ stdenv.lib.optionals (xlibs != null) [ xlibs.xlibs xlibs.libXrender pango libXaw ]
 ++ stdenv.lib.optional (stdenv.system == "x86_64-darwin") gettext;
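Review bot: The NOTE in the `patches` list says flex can probably be dropped later, but not why it is needed now. As far as this diff shows, the reason is that cve-2014-9157.patch edits `lib/cgraph/scan.l`, so the scanner has to be regenerated during the build. I would write that down, e.g. `# The patch edits lib/cgraph/scan.l, so the scanner is regenerated with flex; drop flex from buildInputs together with this patch.` The fix only reaches the built library if the generated scanner is really rebuilt from the patched source, so that is worth confirming in the build log. If the tarball ships a pre-generated scanner that is not rebuilt, the format-string bug would remain without any build failure.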