Merge pull request #105157 from mweinelt/libslirp

libslirp: fix CVE-2020-29129
2020-11-30 15:56:09 +01:00 · 2020-11-30 15:56:09 +01:00 · 3200eaef74
commit 3200eaef74
parent 676ed31a7d bd3ce46719
2 changed files with 19 additions and 0 deletions
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
@ -100,6 +100,15 @@ stdenv.mkDerivation rec {
    })
  ];

+  # Remove CVE-2020-{29129,29130} for QEMU >5.1.0
+  postPatch = ''
+    (cd slirp && patch -p1 < ${fetchpatch {
+      name = "CVE-2020-29129_CVE-2020-29130.patch";
+      url = "https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f.patch";
+      sha256 = "01vbjqgnc0kp881l5p6b31cyyirhwhavm6x36hlgkymswvl3wh9w";
+    }})
+  '';
+
  hardeningDisable = [ "stackprotector" ];

  preConfigure = ''
--- a/pkgs/development/libraries/libslirp/default.nix
+++ b/pkgs/development/libraries/libslirp/default.nix
@ -1,5 +1,6 @@
 { stdenv
 , fetchFromGitLab
+, fetchpatch
 , meson
 , ninja
 , pkg-config
@ -18,6 +19,15 @@ stdenv.mkDerivation rec {
    sha256 = "0pzgjj2x2vrjshrzrl2x39xp5lgwg4b4y9vs8xvadh1ycl10v3fv";
  };

+  patches = [
+    # remove >4.3.1
+    (fetchpatch {
+      name = "CVE-2020-29129_CVE-2020-29130.patch";
+      url = "https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f.patch";
+      sha256 = "01vbjqgnc0kp881l5p6b31cyyirhwhavm6x36hlgkymswvl3wh9w";
+    })
+  ];
+
  nativeBuildInputs = [ meson ninja pkg-config ];

  buildInputs = [ glib ];