From 5ad81ab09c86a7acc99b31224a6aeb8fca4c152e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Thu, 16 Feb 2017 20:03:21 +0100
Subject: [PATCH] libxml2: bugfix updates from git upstream

This should solve CVE-2016-5131 and some other bugs, but not what Suse calls CVE-2016-9597: https://bugzilla.suse.com/show_bug.cgi?id=1017497 The bugzilla discussion seems to indicate that the CVE is referenced incorrectly and only shows reproducing when using command-line flags that are considered "unsafe". CVE-2016-9318 also remains unfixed, as I consider their reasoning OK: https://lwn.net/Alerts/714411/ /cc #22826.
---
 pkgs/development/libraries/libxml2/default.nix | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix
index 930227ed2434cb..d44a8c973fdcbc 100644
--- a/pkgs/development/libraries/libxml2/default.nix
+++ b/pkgs/development/libraries/libxml2/default.nix
@@ -17,19 +17,13 @@ in stdenv.mkDerivation rec {
 patches = [
 (fetchpatch {
- name = "CVE-2016-4658.patch";
- url = "https://git.gnome.org/browse/libxml2/patch/?id=c1d1f7121194036608bf555f08d3062a36fd344b";
- sha256 = "0q7i5qgwgzp2x4r820mqq3nx69bgkd7n0v00j28wa6hndbfaaxmb";
+ # Contains fixes for CVE-2016-{4658,5131} and other bugs.
+ name = "misc.patch";
+ url = "https://git.gnome.org/browse/libxml2/patch/?id=e905f081&id2=v2.9.4";
+ sha256 = "14rnzilspmh92bcpwbd6kqikj36gx78al42ilgpqgl1609krb5m5";
 })
 ];
- # https://bugzilla.gnome.org/show_bug.cgi?id=766834#c5
- postPatch = "patch -R < " + fetchpatch {
- name = "schemas-validity.patch";
- url = "https://git.gnome.org/browse/libxml2/patch/?id=f6599c5164";
- sha256 = "0i7a0nhxwkxx6dkm8917qn0bsfn1av6ghg2f4dxanxi4bn4b1jjn";
- };
-
 outputs = [ "bin" "dev" "out" "doc" ] ++ lib.optional pythonSupport "py";
 propagatedBuildOutputs = "out bin" + lib.optionalString pythonSupport " py";