Merge pull request #49150 from andir/secfoo

Various security issues

pkgs/applications/display-managers/sddm/default.nix

@@ -4,7 +4,7 @@
 }:
 
 let
-  version = "0.17.0";
+  version = "0.18.0";
 
 in mkDerivation rec {
   name = "sddm-${version}";
@@ -13,12 +13,11 @@ in mkDerivation rec {
     owner = "sddm";
     repo = "sddm";
     rev = "v${version}";
-    sha256 = "1m35ly6miwy8ivsln3j1bfv0nxbc4gyqnj7f847zzp53jsqrm3mq";
+    sha256 = "16xnm02iqgy4hydzd6my0widq981glbazbhxnihhclgsaczh8mfq";
   };
 
   patches = [
     ./sddm-ignore-config-mtime.patch
-    ./qt511.patch
   ];
 
   postPatch =

pkgs/applications/display-managers/sddm/qt511.patch

@@ -1,28 +0,0 @@
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 005c9ad..71b46d7 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -93,7 +93,7 @@ find_package(XCB REQUIRED)
- find_package(XKB REQUIRED)
- 
- # Qt 5
--find_package(Qt5 5.6.0 CONFIG REQUIRED Core DBus Gui Qml Quick LinguistTools)
-+find_package(Qt5 5.6.0 CONFIG REQUIRED Core DBus Gui Qml Quick LinguistTools Test)
- 
- # find qt5 imports dir
- get_target_property(QMAKE_EXECUTABLE Qt5::qmake LOCATION)
-diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
-index c9d935a..bb85ddd 100644
---- a/test/CMakeLists.txt
-+++ b/test/CMakeLists.txt
-@@ -2,9 +2,8 @@ set(QT_USE_QTTEST TRUE)
- 
- include_directories(../src/common)
- 
--
- set(ConfigurationTest_SRCS ConfigurationTest.cpp ../src/common/ConfigReader.cpp)
- add_executable(ConfigurationTest ${ConfigurationTest_SRCS})
- add_test(NAME Configuration COMMAND ConfigurationTest)
- 
--qt5_use_modules(ConfigurationTest Test)
-+target_link_libraries(ConfigurationTest Qt5::Core Qt5::Test)

pkgs/applications/graphics/batik/default.nix

@@ -15,5 +15,11 @@ stdenv.mkDerivation {
     homepage = https://xmlgraphics.apache.org/batik;
     license = licenses.asl20;
     platforms = platforms.unix;
+    knownVulnerabilities = [
+      # vulnerabilities as of 16th October 2018 from https://xmlgraphics.apache.org/security.html:
+      "CVE-2018-8013"
+      "CVE-2017-5662"
+      "CVE-2015-0250"
+    ];
   };
 }

pkgs/applications/misc/kiwix/default.nix

@@ -103,5 +103,8 @@ stdenv.mkDerivation rec {
     license = licenses.gpl3;
     platforms = platforms.linux;
     maintainers = with maintainers; [ robbinch ];
+    knownVulnerabilities = [
+      "CVE-2015-1032"
+    ];
   };
 }

pkgs/desktops/gnome-3/core/libgxps/default.nix

@@ -1,5 +1,5 @@
 { stdenv, fetchurl, meson, ninja, pkgconfig, glib, gobjectIntrospection, cairo
-, libarchive, freetype, libjpeg, libtiff, gnome3
+, libarchive, freetype, libjpeg, libtiff, gnome3, fetchpatch
 }:
 
 let
@@ -13,6 +13,19 @@ in stdenv.mkDerivation rec {
     sha256 = "412b1343bd31fee41f7204c47514d34c563ae34dafa4cc710897366bd6cd0fae";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2018-10733-1.patch";
+      url = https://gitlab.gnome.org/GNOME/libgxps/commit/b458226e162fe1ffe7acb4230c114a52ada5131b.patch;
+      sha256 = "0pqg9iwkg69qknj7vkgn26c32fndy55byxivd4km0vjfhfyx69hd";
+    })
+    (fetchpatch {
+      name = "CVE-2018-10733-2.patch";
+      url = https://gitlab.gnome.org/GNOME/libgxps/commit/133fe2a96e020d4ca65c6f64fb28a404050ebbfd.patch;
+      sha256 = "19n01x8zs05wf801mkz4mypvapph7h941md3hr3rj0ry6r88pkir";
+    })
+  ];
+
   nativeBuildInputs = [ meson ninja pkgconfig gobjectIntrospection ];
   buildInputs = [ glib cairo freetype libjpeg libtiff ];
   propagatedBuildInputs = [ libarchive ];

pkgs/development/libraries/taglib/default.nix

@@ -15,6 +15,13 @@ stdenv.mkDerivation rec {
       url = "https://github.com/taglib/taglib/commit/eb9ded1206f18.patch";
       sha256 = "1bvpxsvmlpi3by7myzss9kkpdkv405612n8ff68mw1ambj8h1m90";
     })
+
+    (fetchpatch {
+      # https://github.com/taglib/taglib/pull/869
+      name = "CVE-2018-11439.patch";
+      url = "https://github.com/taglib/taglib/commit/272648ccfcccae30e002ccf34a22e075dd477278.patch";
+      sha256 = "0p397qq4anvcm0p8xs68mxa8hg6dl07chg260lc6k2929m34xv72";
+    })
   ];
 
   nativeBuildInputs = [ cmake ];

pkgs/os-specific/linux/libcgroup/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pam, yacc, flex }:
+{ stdenv, fetchurl, fetchpatch, pam, yacc, flex }:
 
 stdenv.mkDerivation rec {
   name    = "libcgroup-${version}";
@@ -11,6 +11,13 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pam yacc flex ];
 
+  patches = [
+    (fetchpatch {
+      url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/libcgroup/files/libcgroup-0.41-remove-umask.patch?id=33e9f4c81de754bbf76b893ea1133ed023f2a0e5";
+      sha256 = "1x0x29ld0cgmfwq4qy13s6d5c8sym1frfh1j2q47d8gfw6qaxka5";
+    })
+  ];
+
   postPatch = ''
     substituteInPlace src/tools/Makefile.in \
       --replace 'chmod u+s' 'chmod +x'

pkgs/tools/security/yara/default.nix

@@ -5,34 +5,16 @@
 }:
 
 stdenv.mkDerivation rec {
-  version = "3.7.1";
+  version = "3.8.1";
   name = "yara-${version}";
 
   src = fetchFromGitHub {
     owner = "VirusTotal";
     repo = "yara";
     rev = "v${version}";
-    sha256 = "05smkn4ii8irx6ccnzrhwa39pkmrjyxjmfrwh6mhdd8iz51v5cgz";
+    sha256 = "1ys2y5f2cif3g42daq646jcrn2na19zkx7fds2gnavj5c1rk7463";
   };
 
-  # FIXME: this is probably not the right way to make it work
-  # make[2]: *** No rule to make target 'libyara/.libs/libyara.a', needed by 'yara'.  Stop.
-  prePatch = ''
-    cat >staticlibrary.patch <<EOF
-    --- a/Makefile.am 2015-11-01 11:39:12.000000000 +0100
-    +++ b/Makefile.am 2015-11-01 11:45:32.000000000 +0100
-    @@ -12 +12 @@
-    -yara_LDADD = libyara/.libs/libyara.a
-    +yara_LDADD = libyara/.libs/libyara${stdenv.hostPlatform.extensions.sharedLibrary}
-    @@ -15 +15 @@
-    -yarac_LDADD = libyara/.libs/libyara.a
-    +yarac_LDADD = libyara/.libs/libyara${stdenv.hostPlatform.extensions.sharedLibrary}
-    EOF
-  '';
-  patches = [
-    "staticlibrary.patch"
-  ];
-
   buildInputs = [ autoconf automake libtool pcre]
     ++ stdenv.lib.optionals withCrypto [ openssl ]
     ++ stdenv.lib.optionals enableMagic [ file ]