From a376d4944c395040295d80c91d79e2d90a574b76 Mon Sep 17 00:00:00 2001 From: Tethys Svensson Date: Mon, 3 May 2021 19:01:09 +0200 Subject: [PATCH] busybox: Add a fix for CVE-2021-28831 (#121578) --- pkgs/os-specific/linux/busybox/default.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix index 6c034e1c2af0..63435e091689 100644 --- a/pkgs/os-specific/linux/busybox/default.nix +++ b/pkgs/os-specific/linux/busybox/default.nix @@ -1,4 +1,4 @@ -{ stdenv, lib, buildPackages, fetchurl, fetchFromGitLab +{ stdenv, lib, buildPackages, fetchurl, fetchFromGitLab, fetchpatch , enableStatic ? stdenv.hostPlatform.isStatic , enableMinimal ? false # Allow forcing musl without switching stdenv itself, e.g. for our bootstrapping: @@ -49,6 +49,9 @@ in stdenv.mkDerivation rec { pname = "busybox"; + # TODO: When bumping to next version, remove the patch + # for CVE-2021-28831 (assuming the patch was included in + # the next upstream release) version = "1.32.1"; # Note to whoever is updating busybox: please verify that: @@ -64,6 +67,11 @@ stdenv.mkDerivation rec { patches = [ ./busybox-in-store.patch + (fetchpatch { + name = "CVE-2021-28831.patch"; + url = "https://git.busybox.net/busybox/patch/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd"; + sha256 = "0y79flfbk45krwn963nnbqc21a88bsz4k4asqwvcnfk2lkciadxm"; + }) # TODO: Removing when bumping the version ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch; postPatch = "patchShebangs .";