jbigkit: add patch to fix security issue CVE-2017-9937 (#346153)

2024-10-03 14:07:18 +01:00 · 2024-10-03 14:07:18 +01:00 · 206a1acec0
commit 206a1acec0
parent aa81bad818 0115bf0f80
1 changed files with 14 additions and 1 deletions
--- a/pkgs/development/libraries/jbigkit/default.nix
+++ b/pkgs/development/libraries/jbigkit/default.nix
@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl }:
+{ lib, stdenv, fetchurl, fetchpatch }:

 stdenv.mkDerivation rec {
  pname = "jbigkit";
@ -9,6 +9,19 @@ stdenv.mkDerivation rec {
    sha256 = "0cnrcdr1dwp7h7m0a56qw09bv08krb37mpf7cml5sjdgpyv0cwfy";
  };

+  patches = [
+    # Archlinux patch: this helps users to reduce denial-of-service risks, as in CVE-2017-9937
+    (fetchpatch {
+      url = "https://gitlab.archlinux.org/archlinux/packaging/packages/jbigkit/-/raw/main/0013-new-jbig.c-limit-s-maxmem-maximum-decoded-image-size.patch";
+      hash = "sha256-Yq5qCTF7KZTrm4oeWbpctb+QLt3shJUGEReZvd0ey9k=";
+    })
+    # Archlinux patch: fix heap overflow
+    (fetchpatch {
+      url = "https://gitlab.archlinux.org/archlinux/packaging/packages/jbigkit/-/raw/main/0015-jbg_newlen-check-for-end-of-file-within-MARKER_NEWLE.patch";
+      hash = "sha256-F3qA/btR9D9NfzrNY76X4Z6vG6NrisI36SjCDjS+F5s=";
+    })
+  ];
+
  makeFlags = [
    "CC=${stdenv.cc}/bin/${stdenv.cc.targetPrefix}cc"
    "AR=${lib.getBin stdenv.cc.bintools.bintools}/bin/${stdenv.cc.targetPrefix}ar"