jq: Fix CVE-2015-8863 and CVE-2016-4074 (#18908)

jq has not had a release since v1.5 in August 2015, so backport both of
these patches (the fix for CVE-2015-8863 is in the current master, while
the fix for CVE-2016-4074 is not yet in master).
This commit is contained in:
Aneesh Agrawal 2016-09-25 09:14:52 -04:00 committed by Franz Pletz
parent 7615d6385a
commit bfbca9dacd

View file

@ -1,33 +1,39 @@
{stdenv, fetchurl, oniguruma}:
let
s = # Generated upstream information
rec {
baseName="jq";
version="1.5";
name="${baseName}-${version}";
{ stdenv, lib, fetchurl, fetchpatch, oniguruma }:
stdenv.mkDerivation rec {
name = "jq-${version}";
version="1.5";
src = fetchurl {
url="https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz";
sha256="0g29kyz4ykasdcrb0zmbrp2jqs9kv1wz9swx849i2d1ncknbzln4";
};
buildInputs = [
oniguruma
buildInputs = [ oniguruma ];
patches = [
(fetchpatch {
name = "CVE-2015-8863.patch";
url = https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.diff;
sha256 = "18bjanzvklfzlzzd690y88725l7iwl4f6wnr429na5pfmircbpvh";
})
(fetchpatch {
name = "CVE-2016-4074.patch";
url = https://patch-diff.githubusercontent.com/raw/stedolan/jq/pull/1214.diff;
sha256 = "1w8bapnyp56di6p9casbfczfn8258rw0z16grydavdjddfm280l9";
})
];
in
stdenv.mkDerivation {
inherit (s) name version;
inherit buildInputs;
src = fetchurl {
inherit (s) url sha256;
};
patchFlags = [ "-p2" ]; # `src` subdir was introduced after v1.5 was released
# jq is linked to libjq:
configureFlags = [
"LDFLAGS=-Wl,-rpath,\\\${libdir}"
];
meta = {
inherit (s) version;
description = ''A lightweight and flexible command-line JSON processor'';
license = stdenv.lib.licenses.mit ;
maintainers = [stdenv.lib.maintainers.raskin];
platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin;
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ raskin ];
platforms = with lib.platforms; linux ++ darwin;
};
}