From 2a360652e2af41c7afdc4d15b96e187417aebb04 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9-Patrick=20Bubel?= Date: Sun, 26 Dec 2021 19:00:06 +0100 Subject: [PATCH] mediathekview: CVE-2021-45105 (log4j) mitigation Remove the affected JndiLookup.class until we can update to the lastest Mediathekview version. --- pkgs/applications/video/mediathekview/default.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/video/mediathekview/default.nix b/pkgs/applications/video/mediathekview/default.nix index 1a6f19721331..7f36fd232e97 100644 --- a/pkgs/applications/video/mediathekview/default.nix +++ b/pkgs/applications/video/mediathekview/default.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchurl, makeWrapper, jre }: +{ lib, stdenv, fetchurl, makeWrapper, jre, zip }: stdenv.mkDerivation rec { version = "13.8.0"; @@ -8,13 +8,16 @@ stdenv.mkDerivation rec { sha256 = "0zfkwz5psv7m0881ykgqrxwjhadg39c55aj2wpy7m1jdara86c5q"; }; - nativeBuildInputs = [ makeWrapper ]; + nativeBuildInputs = [ makeWrapper zip ]; installPhase = '' runHook preInstall mkdir -p $out/{bin,lib} + # log4j mitigation, see https://logging.apache.org/log4j/2.x/security.html + zip -d MediathekView.jar org/apache/logging/log4j/core/lookup/JndiLookup.class + install -m644 MediathekView.jar $out/lib makeWrapper ${jre}/bin/java $out/bin/mediathek \