Skip to content

Commit

Permalink
luajit*: patch CVE-2019-19391
Browse files Browse the repository at this point in the history 
- upstream argues that this kind of problems can't be called
  vulnerabilities
- the upstream patch is trivial, so why not fix the bug
- nixpkgs master uses git versions already containing that commit
Fixes #90875 (roundup ticket).
  • Loading branch information
@vcunat
vcunat committed Jun 18, 2020
1 parent 799a3b4 commit 4e48231
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions pkgs/development/interpreters/luajit/default.nix
View file
@@ -1,4 +1,5 @@
{ stdenv, fetchurl, buildPackages
, fetchpatch
, name ? "luajit-${version}"
, isStable
, sha256
Expand All @@ -20,6 +21,13 @@ stdenv.mkDerivation rec {

luaversion = "5.1";

patches = [
(fetchpatch {
name = "cve-2019-19391.patch";
url = "https://github.com/LuaJIT/LuaJIT/commit/0cd643d7c.diff";
sha256 = "1ya5h6r3mi7mkjy6bj1hjbl43j3lwh4phmi5q792rrz8az64hnjy";
})
];
postPatch = ''
substituteInPlace Makefile --replace ldconfig :
'';
Expand Down

1 comment on commit 4e48231

@vcunat
Copy link
Member Author

@vcunat vcunat commented on 4e48231 Jun 18, 2020
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I forgot to mention, but both LuaJIT versions were affected and patched. Roundup only reported 2.0 branch for some reason.

Please sign in to comment.