diff --git a/pkgs/development/libraries/libexif/default.nix b/pkgs/development/libraries/libexif/default.nix index ebcba0fa155..5a8f5126680 100644 --- a/pkgs/development/libraries/libexif/default.nix +++ b/pkgs/development/libraries/libexif/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, gettext }: +{ stdenv, fetchurl, fetchpatch, gettext }: stdenv.mkDerivation rec { name = "libexif-0.6.21"; @@ -8,6 +8,15 @@ stdenv.mkDerivation rec { sha256 = "06nlsibr3ylfwp28w8f5466l6drgrnydgxrm4jmxzrmk5svaxk8n"; }; + patches = [ + (fetchpatch { + name = "CVE-2017-7544.patch"; + url = https://sourceforge.net/p/libexif/bugs/_discuss/thread/fc394c4b/489a/attachment/xx.pat; + sha256 = "1qgk8hgnxr8d63jsc4vljxz9yg33mbml280dq4a6050rmk9wq4la"; + }) + ]; + patchFlags = "-p0"; + buildInputs = [ gettext ]; meta = { diff --git a/pkgs/development/libraries/libextractor/default.nix b/pkgs/development/libraries/libextractor/default.nix index a6fb4ec515a..81caa3e91ac 100644 --- a/pkgs/development/libraries/libextractor/default.nix +++ b/pkgs/development/libraries/libextractor/default.nix @@ -7,11 +7,11 @@ assert gtkSupport -> glib != null && gtk3 != null; assert videoSupport -> ffmpeg != null && libmpeg2 != null; stdenv.mkDerivation rec { - name = "libextractor-1.4"; + name = "libextractor-1.6"; src = fetchurl { url = "mirror://gnu/libextractor/${name}.tar.gz"; - sha256 = "0v7ns5jhsyp1wzvbaydfgxnva5zd63gkzm9djhckmam9liq824l4"; + sha256 = "17gnpgspdhfgcr27j8sn9105vb4lw22yqdrhic62l79q5v5avm16"; }; preConfigure = diff --git a/pkgs/development/libraries/qpdf/default.nix b/pkgs/development/libraries/qpdf/default.nix index 4cd5fb0f641..e2c80e445e7 100644 --- a/pkgs/development/libraries/qpdf/default.nix +++ b/pkgs/development/libraries/qpdf/default.nix 
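Review bot: The CVE-2017-7544 fix in the libexif `patches` hunk is fetched from a bug-tracker discussion attachment (`.../attachment/xx.pat`) rather than from an upstream commit, so its provenance is hard to audit and the URL may stop resolving if the thread changes. The `sha256` pins the bytes, so later tampering is caught, but nothing tells a reviewer what the patch is or where it came from. A comment above the entry would close that gap, e.g. `# from upstream bug <bug id>; replace with the upstream commit once one exists`. `patchFlags = "-p0"` applies to every entry in `patches`, so it also deserves `# xx.pat is a -p0 diff; patches added later must use the same strip level`.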
@@ -1,18 +1,18 @@ -{ stdenv, fetchurl, pcre, zlib, perl }: +{ stdenv, fetchurl, libjpeg, zlib, perl }: -let version = "6.0.0"; +let version = "7.0.0"; in stdenv.mkDerivation rec { name = "qpdf-${version}"; src = fetchurl { url = "mirror://sourceforge/qpdf/qpdf/${version}/${name}.tar.gz"; - sha256 = "0csj2p2gkxrc0rk8ykymlsdgfas96vzf1dip3y1x7z1q9plwgzd9"; + sha256 = "0py6p27fx4qrwq9mvcybna42b0bdi359x38lzmggxl5a9khqvl7y"; }; nativeBuildInputs = [ perl ]; - buildInputs = [ pcre zlib ]; + buildInputs = [ zlib libjpeg ]; postPatch = '' patchShebangs qpdf/fix-qdf @@ -28,7 +28,7 @@ stdenv.mkDerivation rec { meta = with stdenv.lib; { homepage = http://qpdf.sourceforge.net/; description = "A C++ library and set of programs that inspect and manipulate the structure of PDF files"; - license = licenses.artistic2; + license = licenses.asl20; # as of 7.0.0, people may stay at artistic2 maintainers = with maintainers; [ abbradar ]; platforms = platforms.all; }; diff --git a/pkgs/development/tools/analysis/radare2/default.nix b/pkgs/development/tools/analysis/radare2/default.nix index 1754727bb36..9468842f0c4 100644 --- a/pkgs/development/tools/analysis/radare2/default.nix +++ b/pkgs/development/tools/analysis/radare2/default.nix @@ -1,4 +1,4 @@ -{stdenv, fetchFromGitHub, fetchurl, pkgconfig, libusb, readline, libewf, perl, zlib, openssl, +{stdenv, fetchFromGitHub, fetchurl, fetchpatch, pkgconfig, libusb, readline, libewf, perl, zlib, openssl, gtk2 ? null, vte ? null, gtkdialog ? null, python ? null, ruby ? null, 
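Review bot: The trailing comment on the new `license` line in the qpdf `meta` hunk, `# as of 7.0.0, people may stay at artistic2`, does not say who "people" are or whether the package is meant to be read as dual-licensed. If the intent is that upstream relicensed and still allows the old terms, wording such as `# Apache-2.0 since 7.0.0; upstream still permits use under Artistic-2.0` is unambiguous for anyone checking licence compliance. The enclosing derivation starts before this hunk.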
@@ -13,16 +13,24 @@ let inherit (stdenv.lib) optional; in stdenv.mkDerivation rec { - version = "2.0.0"; + version = "2.0.1"; name = "radare2-${version}"; src = fetchFromGitHub { owner = "radare"; repo = "radare2"; rev = version; - sha256 = "1ahai9x6jc15wjzdbdkri3rc88ark2i5s8nv2pxcp0wwldvawlzi"; + sha256 = "031ndvinsypagpkdszxjq0hj91ijq9zx4dzk53sz7il7s3zn65c7"; }; + patches = [ + (fetchpatch { + name = "CVE-2017-15385.patch"; + url = https://github.com/radare/radare2/commit/21a6f570ba33fa9f52f1bba87f07acc4e8c178f4.patch; + sha256 = "19qg5j9yr5r62nrq2b6mscxsz0wyyfah2z5jz8dvj9kqxq186d43"; + }) + ]; + postPatch = let cs_ver = "3.0.4"; # version from $sourceRoot/shlr/Makefile capstone = fetchurl { diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix index 6c9c43e4e5a..0030f60000d 100644 --- a/pkgs/os-specific/linux/busybox/default.nix +++ b/pkgs/os-specific/linux/busybox/default.nix @@ -1,4 +1,4 @@ -{ stdenv, lib, buildPackages, fetchurl +{ stdenv, lib, buildPackages, fetchurl, fetchpatch , enableStatic ? false , enableMinimal ? false , useMusl ? false, musl @@ -39,7 +39,19 @@ stdenv.mkDerivation rec { hardeningDisable = [ "format" ] ++ lib.optionals enableStatic [ "fortify" ]; - patches = [ ./busybox-in-store.patch ]; + patches = [ + ./busybox-in-store.patch + (fetchpatch { + name = "CVE-2017-15873.patch"; + url = "https://git.busybox.net/busybox/patch/?id=0402cb32df015d9372578e3db27db47b33d5c7b0"; + sha256 = "1s3xqifd0dww19mbnzrks0i1az0qwd884sxjzrx33d6a9jxv4dzn"; + }) + (fetchpatch { + name = "CVE-2017-15874.patch"; + url = "https://git.busybox.net/busybox/patch/?id=9ac42c500586fa5f10a1f6d22c3f797df11b1f6b"; + sha256 = "0169p4ylz9zd14ghhb39yfjvbdca2kb21pphylfh9ny7i484ahql"; + }) + ]; configurePhase = '' export KCONFIG_NOTIMESTAMP=1 diff --git a/pkgs/servers/nosql/redis/default.nix b/pkgs/servers/nosql/redis/default.nix index 60f132799fc..9ef0987d9b9 100644 --- a/pkgs/servers/nosql/redis/default.nix 
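Review bot: The `url` in the radare2 `fetchpatch` entry is a bare URL literal, while the busybox `fetchpatch` entries added in the same commit quote theirs. The libexif, redis and rzip hunks use the bare form as well. Quoting all of them keeps the security patches greppable and written one way, e.g. `url = "https://github.com/radare/radare2/commit/21a6f570ba33fa9f52f1bba87f07acc4e8c178f4.patch";`. The string value is unchanged by the quoting, so no `sha256` has to be recomputed.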
+++ b/pkgs/servers/nosql/redis/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, lua }: +{ stdenv, fetchurl, fetchpatch, lua }: stdenv.mkDerivation rec { version = "4.0.2"; @@ -9,6 +9,14 @@ stdenv.mkDerivation rec { sha256 = "04s8cgvwjj1979s3hg8zkwc9pyn3jkjpz5zidp87kfcipifr385i"; }; + patches = [ + (fetchpatch { + name = "CVE-2017-15047.patch"; + url = https://github.com/antirez/redis/commit/ffcf7d5ab1e98d84c28af9bea7be76c6737820ad.patch; + sha256 = "0cgx3lm0n7jxhsly8v9hdvy6vlamj3ck2jsid4fwyapz6907h64l"; + }) + ]; + buildInputs = [ lua ]; makeFlags = "PREFIX=$(out)"; diff --git a/pkgs/tools/backup/partclone/default.nix b/pkgs/tools/backup/partclone/default.nix index 54756a29cd6..681999e35d0 100644 --- a/pkgs/tools/backup/partclone/default.nix +++ b/pkgs/tools/backup/partclone/default.nix @@ -4,13 +4,13 @@ stdenv.mkDerivation rec { name = "partclone-${version}"; - version = "0.2.89"; + version = "0.3.11"; src = fetchFromGitHub { owner = "Thomas-Tsai"; repo = "partclone"; rev = version; - sha256 = "0gw47pchqshhm00yf34qgxh6bh2jfryv0sm7ghwn77bv5gzwr481"; + sha256 = "0bv15i0gxym4dv48rgaavh8p94waryn1l6viis6qh5zm9cd08skg"; }; nativeBuildInputs = [ autoreconfHook pkgconfig ]; diff --git a/pkgs/tools/compression/rzip/default.nix b/pkgs/tools/compression/rzip/default.nix index 2737966b83e..ad1b8041041 100644 --- a/pkgs/tools/compression/rzip/default.nix +++ b/pkgs/tools/compression/rzip/default.nix @@ -1,4 +1,4 @@ -{stdenv, fetchurl, bzip2}: +{stdenv, fetchurl, fetchpatch, bzip2}: stdenv.mkDerivation { name = "rzip-2.1"; @@ -8,6 +8,14 @@ stdenv.mkDerivation { }; buildInputs = [ bzip2 ]; + patches = [ + (fetchpatch { + name = "CVE-2017-8364-fill-buffer.patch"; + url = https://sources.debian.net/data/main/r/rzip/2.1-4.1/debian/patches/80-CVE-2017-8364-fill-buffer.patch; + sha256 = "0jcjlx9ksdvxvjyxmyzscx9ar9992iy5icw0sc3n0p09qi4d6x1r"; + }) + ]; + meta = { homepage = http://rzip.samba.org/; description = "Compression program"; 
diff --git a/pkgs/tools/security/yara/default.nix b/pkgs/tools/security/yara/default.nix index 34eb5583c45..7423c2d435b 100644 --- a/pkgs/tools/security/yara/default.nix +++ b/pkgs/tools/security/yara/default.nix @@ -5,14 +5,14 @@ }: stdenv.mkDerivation rec { - version = "3.6.0"; + version = "3.6.3"; name = "yara-${version}"; src = fetchFromGitHub { owner = "VirusTotal"; repo = "yara"; rev = "v${version}"; - sha256 = "05nadqpvihdyxym11mn6n02rzv2ng8ga7j9l0g5gnjx366gcai42"; + sha256 = "13znbdwin9lvql43wpms5hh13h8rk5x5wajgmphz18rxwp8h7j78"; }; # FIXME: this is probably not the right way to make it work