From 742b8f71f7e101bf3ecd48f28af9eda67591339e Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Mon, 5 Jul 2021 21:15:43 +0200
Subject: [PATCH] libuv: add patch for CVE-2021-22918

> libuv was vulnerable to out-of-bounds reads in the uv__idna_toascii()
> function which is used to convert strings to ASCII. This is called by
> the DNS resolution function and can lead to information disclosures or
> crashes.

https://github.com/libuv/libuv/commit/b7466e31e4bee160d82a68fca11b1f61d46debae

Fixes: CVE-2021-22918
---
 pkgs/development/libraries/libuv/default.nix | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/pkgs/development/libraries/libuv/default.nix b/pkgs/development/libraries/libuv/default.nix
index 6b1a0120e49e..b630fca16701 100644
--- a/pkgs/development/libraries/libuv/default.nix
+++ b/pkgs/development/libraries/libuv/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchFromGitHub, autoconf, automake, libtool, pkg-config, ApplicationServices, CoreServices }:
+{ stdenv, lib, fetchFromGitHub, fetchpatch, autoconf, automake, libtool, pkg-config, ApplicationServices, CoreServices }:
 
 stdenv.mkDerivation rec {
   version = "1.41.0";
@@ -11,6 +11,15 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-i6AYD1Ony0L2+3yWK6bxOfwoZEvd9qCg33QSqA7bRXI=";
   };
 
+  patches = [
+    (fetchpatch {
+      # Fixes out-of-bounds read in uv__idna_toascii() function
+      name = "CVE-2021-22918.patch";
+      url = "https://github.com/libuv/libuv/commit/b7466e31e4bee160d82a68fca11b1f61d46debae.patch";
+      sha256 = "0fbjy0jh7r9nrd27ag1k6am6d8p5ih7p0ywvjn53nq4cyqdqxhi7";
+    })
+  ];
+
   postPatch = let
     toDisable = [
       "getnameinfo_basic" "udp_send_hang_loop" # probably network-dependent
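Review bot: In the second hunk the patch hash `sha256 = "0fbjy0jh7r9nrd27ag1k6am6d8p5ih7p0ywvjn53nq4cyqdqxhi7";` is written in the legacy base32 form while the `src` hash a few lines above is SRI (`sha256-…`), so the two pinned inputs of the same derivation are read and updated differently; converting it to SRI (`nix hash to-sri --type sha256 <base32-hash>` or `nix-hash --to-sri`) keeps the file consistent. The comment on the fetchpatch names the bug but not when the backport becomes redundant, which is what the next version bump needs; I would extend it to `# Fixes out-of-bounds read in uv__idna_toascii() (CVE-2021-22918); drop once src is bumped to a release containing upstream commit b7466e3` — the first release that contains it is, I believe, 1.42.0, but confirm against the upstream changelog rather than this note. The first hunk only threads `fetchpatch` through the argument set and needs nothing further.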