nixpkgs-suyu/pkgs/applications/misc/synergy/default.nix
aszlig 9e476fe740
synergy: Add patch to fix CVE-2020-15117
From the description of CVE-2020-15117:

> In Synergy before version 1.12.0, a Synergy server can be crashed by
> receiving a kMsgHelloBack packet with a client name length set to
> 0xffffffff (4294967295) if the servers memory is less than 4 GB. It
> was verified that this issue does not cause a crash through the
> exception handler if the available memory of the Server is more than
> 4GB.

While I personally would consider this a pretty low-priority issue since
Synergy usually is only used in local environment, it's nevertheless
better to patch known issues.

Since the fix is part of version 1.12, which doesn't have a stable
release yet, I'm including the fix as a patch cherry-picked from the
upstream commit.

I originally had the CVE number as a comment prior to the fetchpatch
call in question, but since @mweinelt mentioned that https://broken.sh/
uses the patch file name[1] to match whether the software in question
has been patched, I've removed my initial comment as it would be
redundant.

[1]: https://github.com/andir/nix-vulnerability-scanner/blob/fb63998885462/src/report/nix_patches.rs#L83-L95

Signed-off-by: aszlig <aszlig@nix.build>
Fixes: https://github.com/NixOS/nixpkgs/issues/94007
2020-08-04 16:35:18 +02:00

88 lines
2.9 KiB
Nix

{ stdenv, lib, fetchpatch, fetchFromGitHub, cmake, openssl, qttools
, ApplicationServices, Carbon, Cocoa, CoreServices, ScreenSaver
, xlibsWrapper, libX11, libXi, libXtst, libXrandr, xinput, avahi-compat
, withGUI ? true, wrapQtAppsHook }:
stdenv.mkDerivation rec {
pname = "synergy";
version = "1.11.1";
src = fetchFromGitHub {
owner = "symless";
repo = "synergy-core";
rev = "${version}-stable";
sha256 = "1jk60xw4h6s5crha89wk4y8rrf1f3bixgh5mzh3cq3xyrkba41gh";
};
patches = [
./build-tests.patch
(fetchpatch {
name = "CVE-2020-15117.patch";
url = "https://github.com/symless/synergy-core/commit/"
+ "0a97c2be0da2d0df25cb86dfd642429e7a8bea39.patch";
sha256 = "03q8m5n50fms7fjfjgmqrgy9mrxwi9kkz3f3vlrs2x5h21dl6bmj";
})
] ++ lib.optional stdenv.isDarwin ./macos_build_fix.patch;
# Since the included gtest and gmock don't support clang and the
# segfault when built with gcc9, we replace it with 1.10.0 for
# synergy-1.11.0. This should become unnecessary when upstream
# updates these dependencies.
googletest = fetchFromGitHub {
owner = "google";
repo = "googletest";
rev = "release-1.10.0";
sha256 = "1zbmab9295scgg4z2vclgfgjchfjailjnvzc6f5x9jvlsdi3dpwz";
};
postPatch = ''
rm -r ext/*
cp -r ${googletest}/googlemock ext/gmock/
cp -r ${googletest}/googletest ext/gtest/
chmod -R +w ext/
'';
cmakeFlags = lib.optional (!withGUI) "-DSYNERGY_BUILD_LEGACY_GUI=OFF";
nativeBuildInputs = [ cmake ] ++ lib.optional withGUI wrapQtAppsHook;
dontWrapQtApps = true;
buildInputs = [
openssl
] ++ lib.optionals withGUI [
qttools
] ++ lib.optionals stdenv.isDarwin [
ApplicationServices Carbon Cocoa CoreServices ScreenSaver
] ++ lib.optionals stdenv.isLinux [
xlibsWrapper libX11 libXi libXtst libXrandr xinput avahi-compat
];
installPhase = ''
mkdir -p $out/bin
cp bin/{synergyc,synergys,synergyd,syntool} $out/bin/
'' + lib.optionalString withGUI ''
cp bin/synergy $out/bin/
wrapQtApp $out/bin/synergy --prefix PATH : ${lib.makeBinPath [ openssl ]}
'' + lib.optionalString stdenv.isLinux ''
mkdir -p $out/share/icons/hicolor/scalable/apps
cp ../res/synergy.svg $out/share/icons/hicolor/scalable/apps/
mkdir -p $out/share/applications
substitute ../res/synergy.desktop $out/share/applications/synergy.desktop --replace /usr/bin $out/bin
'' + lib.optionalString stdenv.isDarwin ''
mkdir -p $out/Applications/
mv bundle/Synergy.app $out/Applications/
ln -s $out/bin $out/Applications/Synergy.app/Contents/MacOS
'';
doCheck = true;
checkPhase = "bin/unittests";
meta = with lib; {
description = "Share one mouse and keyboard between multiple computers";
homepage = "http://synergy-project.org/";
license = licenses.gpl2;
maintainers = with maintainers; [ enzime ];
platforms = platforms.all;
};
}