From 57ff6689cc53aeaf67d58ccbeafc1e2e88dfc9b6 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Wed, 8 Sep 2021 00:25:12 +0100 Subject: [PATCH 1/4] botan2: 2.18.0 -> 2.18.1 (cherry picked from commit 509b969a1804c5060bc9c34183b0752e1df4588a) --- pkgs/development/libraries/botan/2.0.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/botan/2.0.nix b/pkgs/development/libraries/botan/2.0.nix index a486ba49820..84f0ebef69b 100644 --- a/pkgs/development/libraries/botan/2.0.nix +++ b/pkgs/development/libraries/botan/2.0.nix @@ -2,8 +2,8 @@ callPackage ./generic.nix (args // { baseVersion = "2.18"; - revision = "0"; - sha256 = "09z3fy31q1pvnvpy4fswrsl2aq8ksl94lbh5rl7b6nqc3qp8ar6c"; + revision = "1"; + sha256 = "0adf53drhk1hlpfih0175c9081bqpclw6p2afn51cmx849ib9izq"; postPatch = '' sed -e 's@lang_flags "@&--std=c++11 @' -i src/build-data/cc/{gcc,clang}.txt ''; From e8fe5c4eb4d447e01b6237bf4e4f719329e7ed86 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Wed, 8 Sep 2021 00:59:44 +0100 Subject: [PATCH 2/4] botan2: add patch for CVE-2021-40529 (cherry picked from commit 63bf10c8487963d50d67024859178178f776164a) --- pkgs/development/libraries/botan/2.0.nix | 11 ++++++++++- pkgs/development/libraries/botan/generic.nix | 2 ++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/pkgs/development/libraries/botan/2.0.nix b/pkgs/development/libraries/botan/2.0.nix index 84f0ebef69b..113c4a27b91 100644 --- a/pkgs/development/libraries/botan/2.0.nix +++ b/pkgs/development/libraries/botan/2.0.nix @@ -1,4 +1,4 @@ -{ callPackage, ... } @ args: +{ callPackage, fetchpatch, ... } @ args: callPackage ./generic.nix (args // { baseVersion = "2.18"; 
@@ -7,4 +7,13 @@ callPackage ./generic.nix (args // { postPatch = '' sed -e 's@lang_flags "@&--std=c++11 @' -i src/build-data/cc/{gcc,clang}.txt ''; + extraPatches = [ + (fetchpatch { + name = "CVE-2021-40529.patch"; + url = "https://github.com/randombit/botan/commit/9a23e4e3bc3966340531f2ff608fa9d33b5185a2.patch"; + sha256 = "1ax1n2l9zh0hk35vkkywgkhzpdk76xb9apz2wm3h9kjvjs9acr3y"; + # our source tarball doesn't include the tests + excludes = [ "src/tests/*" ]; + }) + ]; }) diff --git a/pkgs/development/libraries/botan/generic.nix b/pkgs/development/libraries/botan/generic.nix index 2fc5abc2928..58f329fc8af 100644 --- a/pkgs/development/libraries/botan/generic.nix +++ b/pkgs/development/libraries/botan/generic.nix @@ -3,6 +3,7 @@ , baseVersion, revision, sha256 , sourceExtension ? "tar.xz" , extraConfigureFlags ? "" +, extraPatches ? [ ] , postPatch ? null , knownVulnerabilities ? [ ] , CoreServices @@ -22,6 +23,7 @@ stdenv.mkDerivation rec { ]; inherit sha256; }; + patches = extraPatches; inherit postPatch; buildInputs = [ python3 bzip2 zlib gmp openssl boost ] From 2addd4e3ca396a501a7898ab463d05ac605fbd71 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Wed, 8 Sep 2021 01:00:46 +0100 Subject: [PATCH 3/4] botan: mark as vulnerable to CVE-2021-40529 (cherry picked from commit 785fa836a105d64e9a0dd93b20240005b473b1fb) --- pkgs/development/libraries/botan/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/development/libraries/botan/default.nix b/pkgs/development/libraries/botan/default.nix index c494fa25f77..d6ee9ff152f 100644 --- a/pkgs/development/libraries/botan/default.nix +++ b/pkgs/development/libraries/botan/default.nix @@ -10,6 +10,7 @@ callPackage ./generic.nix (args // { sed -e 's@lang_flags "@&--std=c++11 @' -i src/build-data/cc/{gcc,clang}.txt ''; knownVulnerabilities = [ + "CVE-2021-40529" # https://botan.randombit.net/security.html#id1 "2020-03-24: Side channel during CBC padding" ]; 
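Review bot: The `excludes = [ "src/tests/*" ]` on the new fetchpatch drops the regression test that upstream shipped with the CVE-2021-40529 fix, so the patched code is built without anything that exercises it, and the comment only gives the mechanical reason (the tarball lacks the tests). I would extend the comment to say why a patch is applied instead of a version bump (presumably no upstream release containing the fix was available) and what is lost, e.g. `# backport of the upstream fix for CVE-2021-40529; our source tarball doesn't include the tests, so the regression test from that commit is dropped`. Bear in mind that fetchpatch hashes the normalized patch after `excludes` is applied, so the sha256 has to be recomputed if that list ever changes. Whether generic.nix runs Botan's own test suite at all is outside this hunk.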
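Review bot: The new `"CVE-2021-40529"` entry is inserted above the `# https://botan.randombit.net/security.html#id1` comment, which from its placement annotates the CBC-padding entry below it, so the link now sits between two entries and the new one carries no pointer of its own to what it refers to or to how it was handled. I'd give it a reference in the same style and keep the existing link directly above the entry it describes, e.g. `"CVE-2021-40529" # https://botan.randombit.net/security.html (marked, not patched, for the 1.x series)`. Only the knownVulnerabilities list is visible here; the enclosing callPackage attribute set continues past the hunk.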
From c8c19227432ade3f37b4fe1089436fe53ac47aaf Mon Sep 17 00:00:00 2001 From: zimbatm Date: Wed, 8 Sep 2021 11:42:07 +0200 Subject: [PATCH 4/4] foreman: 0.78.0 -> 0.87.2 Fixes #90776 (cherry picked from commit 50793c3c457d6383b66b352ff185c612617be16f) --- pkgs/tools/system/foreman/Gemfile.lock | 8 +++----- pkgs/tools/system/foreman/gemset.nix | 16 +++++----------- 2 files changed, 8 insertions(+), 16 deletions(-) diff --git a/pkgs/tools/system/foreman/Gemfile.lock b/pkgs/tools/system/foreman/Gemfile.lock index a2a7824f7aa..1bafc658cbc 100644 --- a/pkgs/tools/system/foreman/Gemfile.lock +++ b/pkgs/tools/system/foreman/Gemfile.lock @@ -1,15 +1,13 @@ GEM remote: https://rubygems.org/ specs: - foreman (0.78.0) - thor (~> 0.19.1) - thor (0.19.1) + foreman (0.87.2) PLATFORMS - ruby + x86_64-linux DEPENDENCIES foreman BUNDLED WITH - 2.1.4 + 2.2.20 diff --git a/pkgs/tools/system/foreman/gemset.nix b/pkgs/tools/system/foreman/gemset.nix index f747a2b0634..d5b053daf4c 100644 --- a/pkgs/tools/system/foreman/gemset.nix +++ b/pkgs/tools/system/foreman/gemset.nix @@ -1,18 +1,12 @@ { - thor = { - version = "0.19.1"; - source = { - type = "gem"; - remotes = ["https://rubygems.org"]; - sha256 = "08p5gx18yrbnwc6xc0mxvsfaxzgy2y9i78xq7ds0qmdm67q39y4z"; - }; - }; foreman = { - version = "0.78.0"; + groups = ["default"]; + platforms = []; source = { - type = "gem"; remotes = ["https://rubygems.org"]; - sha256 = "1caz8mi7gq1hs4l1flcyyw1iw1bdvdbhppsvy12akr01k3s17xaq"; + sha256 = "0szgxvnzwkzrfbq5dkwa98mig78aqglfy6irdsvq1gq045pbq9r7"; + type = "gem"; }; + version = "0.87.2"; }; }