From f65d93f9f8dc60fa382919de9fe9869181920e30 Mon Sep 17 00:00:00 2001 From: rnhmjoj Date: Thu, 20 Jul 2023 13:26:33 +0200 Subject: [PATCH] dnscrypt-wrapper: disable fortify3 hardening flag This was enabled by default in db3e94c3 and breaks the key generation, specifically `dnscrypt-wrapper --gen-crypt-keypair` fails with: Generate crypt key pair... ok. Secret key stored in 2.dnscrypt-cert.server.key *** buffer overflow detected ***: terminated FAQ: 1. Is the buffer overflow real? Probably. 2. Is it maintained? Is upstream going to fix it? Not really. 3. Are you willing to investigate and patch it yourself? Nope. --- pkgs/tools/networking/dnscrypt-wrapper/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/tools/networking/dnscrypt-wrapper/default.nix b/pkgs/tools/networking/dnscrypt-wrapper/default.nix index ddec798a8467..1e414b0521cd 100644 --- a/pkgs/tools/networking/dnscrypt-wrapper/default.nix +++ b/pkgs/tools/networking/dnscrypt-wrapper/default.nix @@ -13,6 +13,9 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + # causes `dnscrypt-wrapper --gen-provider-keypair` to crash + hardeningDisable = [ "fortify3" ]; + nativeBuildInputs = [ pkg-config autoreconfHook ]; buildInputs = [ libsodium libevent ];
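Review bot: The comment above the added `hardeningDisable` line names `--gen-provider-keypair`, but the commit message reports the abort in `--gen-crypt-keypair`; one of the two is wrong, and the comment is what later readers of the file will see. The comment also omits that the crash is the fortify runtime check firing on what the commit message calls a probably real overflow, so the line reads like a false-positive workaround rather than a masked memory-safety bug in a networking tool that generates key material. I would word it as `# fortify3 aborts --gen-crypt-keypair with "buffer overflow detected"; likely a real overflow upstream, unfixed` and add a link to an upstream or tracking issue if one exists. The `mkDerivation` attribute set starts and ends outside the hunk, so whether other hardening flags are adjusted elsewhere is not visible here.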