Merge #72958: libexif: fix CVE-2018-20030

(cherry picked from commit 908f624) Fixes #70104.
NixOS · Nov 16, 2019 · 2437bb3 · 2437bb3
1 parent ad0b94b
commit 2437bb3
Showing 1 changed file with 18 additions and 7 deletions.
diff --git a/pkgs/development/libraries/libexif/default.nix b/pkgs/development/libraries/libexif/default.nix
@@ -9,21 +9,32 @@ stdenv.mkDerivation rec {
   };
 
   patches = [
-   (fetchpatch {
-     name = "CVE-2017-7544.patch";
-     url = https://sourceforge.net/p/libexif/bugs/_discuss/thread/fc394c4b/489a/attachment/xx.pat;
-     sha256 = "1qgk8hgnxr8d63jsc4vljxz9yg33mbml280dq4a6050rmk9wq4la";
-   })
+    (fetchpatch {
+      name = "CVE-2017-7544.patch";
+      url = "https://github.com/libexif/libexif/commit/c39acd1692023b26290778a02a9232c873f9d71a.patch";
+      sha256 = "0xgx6ly2i4q05shb61mfx6njwf1yp347jkznm0ka4m85i41xm6sd";
+    })
+    (fetchpatch {
+      name = "CVE-2018-20030-1.patch";
+      url = "https://github.com/libexif/libexif/commit/5d28011c40ec86cf52cffad541093d37c263898a.patch";
+      sha256 = "1wv8s962wmbn2m2xypgirf12g6msrbplpsmd5bh86irfwhkcppj3";
+    })
+    (fetchpatch {
+      name = "CVE-2018-20030-2.patch";
+      url = "https://github.com/libexif/libexif/commit/6aa11df549114ebda520dde4cdaea2f9357b2c89.patch";
+      sha256 = "01aqvz63glwq6wg0wr7ykqqghb4abgq77ghvhizbzadg1k4h7drx";
+      excludes = [ "NEWS" ];
+    })
   ];
-  patchFlags = "-p0";
 
   buildInputs = [ gettext ];
 
   meta = {
-    homepage = http://libexif.sourceforge.net/;
+    homepage = https://libexif.github.io/;
     description = "A library to read and manipulate EXIF data in digital photographs";
     license = stdenv.lib.licenses.lgpl21;
     platforms = stdenv.lib.platforms.unix;
+    maintainers = [ stdenv.lib.maintainers.erictapen ];
   };
 
 }