From dd16c3944c062ec7617981cd9a54d51925c73d19 Mon Sep 17 00:00:00 2001 From: Daniel Frank Date: Fri, 1 May 2020 14:25:42 +0200 Subject: [PATCH 1/2] p7zip: fix two CVEs --- pkgs/tools/archivers/p7zip/default.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/archivers/p7zip/default.nix b/pkgs/tools/archivers/p7zip/default.nix index 3f0c2487c91b..7e384902098b 100644 --- a/pkgs/tools/archivers/p7zip/default.nix +++ b/pkgs/tools/archivers/p7zip/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, lib, enableUnfree ? false }: +{ stdenv, fetchurl, fetchpatch, lib, enableUnfree ? false }: stdenv.mkDerivation rec { pname = "p7zip"; @@ -12,6 +12,14 @@ stdenv.mkDerivation rec { patches = [ ./12-CVE-2016-9296.patch ./13-CVE-2017-17969.patch + (fetchpatch { + url = "https://raw.githubusercontent.com/termux/termux-packages/master/packages/p7zip/3-CVE-2018-5996.patch"; + sha256 = "1zivvkazmza0653i498ccp3zbpbpc7dvxl3zxwllbx41b6n589yp"; + }) + (fetchpatch { + url = "https://raw.githubusercontent.com/termux/termux-packages/master/packages/p7zip/4-CVE-2018-10115.patch"; + sha256 = "1cr7q8gnrk9yp6dcvxaqi1yhdbgp964nkv65ls41mw1kdfm44zn6"; + }) ]; # Default makefile is full of impurities on Darwin. The patch doesn't hurt Linux so I'm leaving it unconditional From aa80b4780d849a00d86c28d6b3c78a777dd02e9a Mon Sep 17 00:00:00 2001 From: Daniel Frank Date: Thu, 30 Apr 2020 20:18:40 +0200 Subject: [PATCH 2/2] p7zip: mark as insecure --- pkgs/tools/archivers/p7zip/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/tools/archivers/p7zip/default.nix b/pkgs/tools/archivers/p7zip/default.nix index 7e384902098b..b7a97b3766b5 100644 --- a/pkgs/tools/archivers/p7zip/default.nix +++ b/pkgs/tools/archivers/p7zip/default.nix @@ -57,6 +57,11 @@ stdenv.mkDerivation rec { description = "A port of the 7-zip archiver"; platforms = stdenv.lib.platforms.unix; maintainers = [ stdenv.lib.maintainers.raskin ]; + knownVulnerabilities = [ + # p7zip is abandoned, according to this thread on its forums: + # https://sourceforge.net/p/p7zip/discussion/383043/thread/fa143cf2/#1817 + "p7zip is abandoned and may not receive important security fixes" + ]; # RAR code is under non-free UnRAR license, but we remove it license = if enableUnfree then lib.licenses.unfree else lib.licenses.lgpl2Plus; };