diff --git a/pkgs/applications/version-management/subversion/CVE-2020-17525.patch b/pkgs/applications/version-management/subversion/CVE-2020-17525.patch
new file mode 100644
index 000000000000..c844c3773e34
--- /dev/null
+++ b/pkgs/applications/version-management/subversion/CVE-2020-17525.patch
@@ -0,0 +1,15 @@
+Patch included in advisory @ https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
+
+--- a/subversion/libsvn_repos/config_file.c
++++ b/subversion/libsvn_repos/config_file.c
+@@ -237,6 +237,10 @@ get_repos_config(svn_stream_t **stream,
+ {
+ /* Search for a repository in the full path. */
+ repos_root_dirent = svn_repos_find_root_path(dirent, scratch_pool);
++ if (repos_root_dirent == NULL)
++ return svn_error_trace(handle_missing_file(stream, checksum, access,
++ url, must_exist,
++ svn_node_none));
+
+ /* Attempt to open a repository at repos_root_dirent. */
+ SVN_ERR(svn_repos_open3(&access->repos, repos_root_dirent, NULL,
diff --git a/pkgs/applications/version-management/subversion/default.nix b/pkgs/applications/version-management/subversion/default.nix
index 1f604c44d785..9f780de748e9 100644
--- a/pkgs/applications/version-management/subversion/default.nix
+++ b/pkgs/applications/version-management/subversion/default.nix
@@ -17,7 +17,7 @@ assert javahlBindings -> jdk != null && perl != null; let
- common = { version, sha256 }: stdenv.mkDerivation (rec {
+ common = { version, sha256, extraPatches ? [ ] }: stdenv.mkDerivation (rec {
 inherit version; pname = "subversion";
@@ -35,7 +35,7 @@ let ++ lib.optional perlBindings perl ++ lib.optional saslSupport sasl;
- patches = [ ./apr-1.patch ];
+ patches = [ ./apr-1.patch ] ++ extraPatches;
 # We are hitting the following issue even with APR 1.6.x # -> https://issues.apache.org/jira/browse/SVN-4813
@@ -118,5 +118,6 @@ in { subversion = common { version = "1.12.2"; sha256 = "0wgpw3kzsiawzqk4y0xgh1z93kllxydgv4lsviim45y5wk4bbl1v";
+ extraPatches = [ ./CVE-2020-17525.patch ];
 }; }
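Review bot: The `extraPatches = [ ./CVE-2020-17525.patch ];` line in the last default.nix hunk carries no comment saying what it fixes or when it can be removed, so the patch may outlive the next version bump or be dropped by mistake. I would put `# CVE-2020-17525: NULL check in get_repos_config; drop once version contains the upstream fix` directly above it. Because `extraPatches` defaults to `[ ]`, any other `common { … }` instantiation in this attrset is built without the check; the lines between `in {` and `subversion = common {` may lie outside the hunk, so I cannot tell whether one exists. Please confirm against the advisory that no other packaged version falls in the affected range.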