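# p7zip 16.02 packaged from the SourceForge tarball, with downstream CVE
# patches applied and the UnRAR-derived RAR decoder stripped by default.
#
# Arguments:
#   stdenv, fetchurl, fetchpatch, lib  - the usual nixpkgs helpers.
#   enableUnfree (default false)       - when true the RAR sources are kept and
#                                        meta.license becomes `unfree`; when
#                                        false they are deleted in postPatch and
#                                        the package is labelled LGPL.
{ stdenv, fetchurl, fetchpatch, lib, enableUnfree ? false }:

stdenv.mkDerivation rec {
  pname = "p7zip";
  version = "16.02";

  # The source tarball is pinned by its sha256; a changed or tampered mirror
  # copy fails the hash check instead of being built.
  src = fetchurl {
    url = "mirror://sourceforge/p7zip/p7zip_${version}_src_all.tar.bz2";
    sha256 = "5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6e2341f";
  };

  # Security fixes carried downstream because upstream is abandoned (see
  # meta.knownVulnerabilities below). Two are vendored next to this file, two
  # are fetched from termux-packages.
  #
  # NOTE(review): the fetchpatch URLs follow the moving `master` branch. The
  # sha256 is what pins the patch content: if the upstream file is edited or
  # moved the fetch fails rather than silently applying something else. When
  # that happens, read the new patch before updating the hash, or switch to a
  # commit-pinned URL.
  patches = [
    ./12-CVE-2016-9296.patch
    ./13-CVE-2017-17969.patch
    (fetchpatch {
      name = "3-CVE-2018-5996.patch";
      url = "https://raw.githubusercontent.com/termux/termux-packages/master/packages/p7zip/3-CVE-2018-5996.patch";
      sha256 = "1zivvkazmza0653i498ccp3zbpbpc7dvxl3zxwllbx41b6n589yp";
    })
    (fetchpatch {
      name = "4-CVE-2018-10115.patch";
      url = "https://raw.githubusercontent.com/termux/termux-packages/master/packages/p7zip/4-CVE-2018-10115.patch";
      sha256 = "1cr7q8gnrk9yp6dcvxaqi1yhdbgp964nkv65ls41mw1kdfm44zn6";
    })
  ];

  # postPatch is assembled from three pieces:
  #  1. Always: drop the hard-coded /usr compiler paths from the macOS makefile.
  #     Default makefile is full of impurities on Darwin. The patch doesn't hurt
  #     Linux so I'm leaving it unconditional.
  #  2. Cross builds only: prefix gcc/g++ in makefile.machine with the target
  #     toolchain prefix.
  #  3. Unless enableUnfree: delete the RAR decoder sources and every makefile
  #     line mentioning "Rar". That code is derived from UnRAR, whose licence
  #     restriction makes it non-free (DOC/License.txt), so it must not ship in
  #     a package labelled LGPL. After removal `7z x` on a .rar file reports
  #     "Can not open the file as archive"; nixpkgs has `archiver` and `unar`
  #     as free alternatives for RAR extraction.
  postPatch = ''
    sed -i '/CC=\/usr/d' makefile.macosx_llvm_64bits

    # I think this is a typo and should be CXX? Either way let's kill it
    sed -i '/XX=\/usr/d' makefile.macosx_llvm_64bits
  '' + lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform) ''
    substituteInPlace makefile.machine \
      --replace 'CC=gcc' 'CC=${stdenv.cc.targetPrefix}gcc' \
      --replace 'CXX=g++' 'CXX=${stdenv.cc.targetPrefix}g++'
  '' + lib.optionalString (!enableUnfree) ''
    # Remove non-free RAR source code
    # (see DOC/License.txt, https://fedoraproject.org/wiki/Licensing:Unrar)
    rm -r CPP/7zip/Compress/Rar*
    find . -name makefile'*' -exec sed -i '/Rar/d' {} +
  '';

  # Install into $out and build the `all3` target; on Darwin the LLVM 64-bit
  # makefile (already cleaned in postPatch) becomes makefile.machine.
  preConfigure = ''
    makeFlagsArray=(DEST_HOME=$out)
    buildFlags=all3
  '' + lib.optionalString stdenv.isDarwin ''
    cp makefile.macosx_llvm_64bits makefile.machine
  '';

  enableParallelBuilding = true;

  setupHook = ./setup-hook.sh;

  # Clang treats C++11 narrowing conversions as errors; downgrade that one
  # diagnostic so the old sources still compile. Empty string for other compilers.
  NIX_CFLAGS_COMPILE = lib.optionalString stdenv.cc.isClang "-Wno-error=c++11-narrowing";

  meta = {
    homepage = "http://p7zip.sourceforge.net/";
    description = "A port of the 7-zip archiver";
    platforms = lib.platforms.unix;
    maintainers = [ lib.maintainers.raskin ];

    # A non-empty list marks the package as insecure, so nixpkgs refuses to
    # evaluate it until the user explicitly permits it. That is deliberate:
    # this tool parses untrusted archives and gets no upstream fixes.
    knownVulnerabilities = [
      # p7zip is abandoned, according to this thread on its forums:
      # https://sourceforge.net/p/p7zip/discussion/383043/thread/fa143cf2/#1817
      "p7zip is abandoned and may not receive important security fixes"
    ];

    # RAR code is under non-free UnRAR license, but we remove it
    # (unless enableUnfree is set, in which case the licence must say so).
    license = if enableUnfree then lib.licenses.unfree else lib.licenses.lgpl2Plus;
  };
}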