From 542a86037d57e4657919fb5130c7bf819d91d2c3 Mon Sep 17 00:00:00 2001
From: Christian Kauhaus
Date: Sun, 2 Sep 2018 06:42:34 +0200
Subject: [PATCH] poppler 0.61: patch against CVE-2018-13988 (#45916)

Out of bounds vulnerability in versions up to 0.62. Generally, we use a newer poppler version but some pkgs still depend on 0.61. Patch named in https://nvd.nist.gov/vuln/detail/CVE-2018-13988.
---
 pkgs/development/libraries/poppler/0.61.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/libraries/poppler/0.61.nix b/pkgs/development/libraries/poppler/0.61.nix
index 4456cd7ff285..1e86b19ad5af 100644
--- a/pkgs/development/libraries/poppler/0.61.nix
+++ b/pkgs/development/libraries/poppler/0.61.nix
@@ -1,5 +1,5 @@
 { stdenv, lib, fetchurl, cmake, ninja, pkgconfig, libiconv, libintl
-, zlib, curl, cairo, freetype, fontconfig, lcms, libjpeg, openjpeg
+, zlib, curl, cairo, freetype, fontconfig, lcms, libjpeg, openjpeg, fetchpatch
 , withData ? true, poppler_data
 , qt5Support ? false, qtbase ? null
 , introspectionSupport ? false, gobjectIntrospection ? null
@@ -21,6 +21,14 @@ stdenv.mkDerivation rec {
 outputs = [ "out" "dev" ];
+ patches = [
+ (fetchpatch {
+ name = "CVE-2018-13988";
+ url = "https://cgit.freedesktop.org/poppler/poppler/patch/?id=004e3c10df0abda214f0c293f9e269fdd979c5ee";
+ sha256 = "1l8713s57xc6g81bldw934rsfm140fqc7ggd50ha5mxdl1b3app2";
+ })
+ ];
+
 buildInputs = [ libiconv libintl ] ++ lib.optional withData poppler_data;
 # TODO: reduce propagation to necessary libs
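Review bot: The new `patches` entry has no comment recording why it is there or when it can be dropped, so that context exists only in the commit message. A line above the `fetchpatch` call would keep it with the code, e.g. `# Upstream fix for CVE-2018-13988 (out of bounds, poppler <= 0.62); drop once nothing depends on 0.61.` It would also help to confirm in the PR that the upstream commit applies to the 0.61 sources without fuzz, since it was presumably written against a later tree; the pinned `sha256` guards against the cgit response changing but not against a misapplied hunk. The `stdenv.mkDerivation` body starts before and continues after this hunk.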