From 9f6a942fc7725e63f36c7eb8eefe840628cf9f14 Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Fri, 23 Feb 2018 21:11:05 +0100
Subject: [PATCH] zziplib: 0.13.67 -> 0.13.68
Bump zziplib to 0.13.68 to fix multiple CVE issues:
- CVE-2018-6381 (https://github.com/gdraheim/zziplib/commit/a803559fa9194be895422ba3684cf6309b6bb598)
- CVE-2018-6484 (https://github.com/gdraheim/zziplib/issues/14#issuecomment-363198084)
- CVE-2018-6540 (https://github.com/gdraheim/zziplib/commit/72ec933663f738d8e166979aa7fd5590b2104a07)
- CVE-2018-6541 (https://github.com/gdraheim/zziplib/issues/16#issuecomment-363197718)
- CVE-2018-6542 (https://github.com/gdraheim/zziplib/commit/931f962ddfec0e00d6f486df2c56d9857b55944e)
Unfortunately, getting only those patches is hard, as they're not well referenced to linked issues. The testsuite checking for vulns requires network access (so we can't easily test it here). https://github.com/gdraheim/zziplib/issues/20 might still be an issue, so keeping this as a TODO here.
---
 pkgs/development/libraries/zziplib/default.nix | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/pkgs/development/libraries/zziplib/default.nix b/pkgs/development/libraries/zziplib/default.nix
index 3ddc40705c4..d43c481c859 100644
--- a/pkgs/development/libraries/zziplib/default.nix
+++ b/pkgs/development/libraries/zziplib/default.nix
@@ -2,20 +2,25 @@ stdenv.mkDerivation rec {
 name = "zziplib-${version}";
- version = "0.13.67";
+ version = "0.13.68";
 src = fetchurl {
 url = "https://github.com/gdraheim/zziplib/archive/v${version}.tar.gz";
- sha256 = "0802kdxwxx9zanpwb4w4wfi3blwhv0ri05mzdgd35j5sva5ify0j";
+ sha256 = "0chhl6m02562z6c4hjy568mh11pbq2qngw6g2x924ajr8sdr2q4l";
 };
 postPatch = ''
 sed -i -e s,--export-dynamic,, configure
 '';
+ # TODO: still an issue: https://github.com/gdraheim/zziplib/issues/27
+ buildInputs = [ docbook_xml_dtd_412 perl python2 zip xmlto zlib ];
- doCheck = true;
+ # tests are broken (https://github.com/gdraheim/zziplib/issues/20),
+ # and test/zziptests.py requires network access
+ # (https://github.com/gdraheim/zziplib/issues/24)
+ doCheck = false;
 meta = with stdenv.lib; {
 description = "Library to extract data from files archived in a zip file";
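Review bot: The `# TODO: still an issue` comment above `buildInputs` does not say what is still unfixed, and it links issue 27 while the commit message names issue 20 as the one that may remain open, so a later reader cannot tell whether 0.13.68 still carries a known defect. I would put the open problem into the comment itself, for example `# TODO: <what remains unfixed in 0.13.68>, see https://github.com/gdraheim/zziplib/issues/27`, and make the commit message and the comment point at the same issue. Separately, `doCheck = false;` switches off the whole test suite on a security update; if the breakage is limited to `test/zziptests.py` and its network access, it may be possible to keep the remaining checks running rather than disabling all of them. The `mkDerivation` body continues past the end of this hunk.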