diff --git a/pkgs/development/libraries/gettext/CVE-2018-18751-bison.patch b/pkgs/development/libraries/gettext/CVE-2018-18751-bison.patch new file mode 100644 index 00000000000000..b734c1c8b0274d --- /dev/null +++ b/pkgs/development/libraries/gettext/CVE-2018-18751-bison.patch 
@@ -0,0 +1,323 @@ +This patch was generated by re-running Bison 3.0.4 on pro-gram-gen.y after +applying CVE-2018-18751.patch. This patch removes the need to add bison to +nativeBuildInputs. + +--- a/gettext-tools/src/po-gram-gen.c ++++ b/gettext-tools/src/po-gram-gen.c +@@ -568,9 +568,9 @@ static const yytype_uint8 yytranslate[] = + static const yytype_uint16 yyrline[] = + { + 0, 169, 169, 171, 172, 173, 174, 179, 187, 195, +- 216, 240, 249, 258, 269, 278, 292, 301, 315, 321, +- 332, 338, 350, 361, 372, 376, 391, 414, 422, 434, +- 442 ++ 216, 237, 246, 255, 266, 275, 289, 298, 312, 318, ++ 329, 335, 347, 358, 369, 373, 388, 411, 419, 431, ++ 439 + }; + #endif + +@@ -1419,14 +1419,11 @@ yyreduce: + check_obsolete ((yyvsp[-3].message_intro), (yyvsp[-1].string)); + check_obsolete ((yyvsp[-3].message_intro), (yyvsp[0].rhs)); + if (!(yyvsp[-3].message_intro).obsolete || pass_obsolete_entries) +- { +- do_callback_message ((yyvsp[-3].message_intro).ctxt, string2, &(yyvsp[-3].message_intro).pos, (yyvsp[-1].string).string, +- (yyvsp[0].rhs).rhs.msgstr, (yyvsp[0].rhs).rhs.msgstr_len, &(yyvsp[0].rhs).pos, +- (yyvsp[-3].message_intro).prev_ctxt, +- (yyvsp[-3].message_intro).prev_id, (yyvsp[-3].message_intro).prev_id_plural, +- (yyvsp[-3].message_intro).obsolete); +- free ((yyvsp[-1].string).string); +- } ++ do_callback_message ((yyvsp[-3].message_intro).ctxt, string2, &(yyvsp[-3].message_intro).pos, (yyvsp[-1].string).string, ++ (yyvsp[0].rhs).rhs.msgstr, (yyvsp[0].rhs).rhs.msgstr_len, &(yyvsp[0].rhs).pos, ++ (yyvsp[-3].message_intro).prev_ctxt, ++ (yyvsp[-3].message_intro).prev_id, (yyvsp[-3].message_intro).prev_id_plural, ++ (yyvsp[-3].message_intro).obsolete); + else + { + free_message_intro ((yyvsp[-3].message_intro)); +@@ -1435,11 +1432,11 @@ yyreduce: + free ((yyvsp[0].rhs).rhs.msgstr); + } + } +-#line 1439 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1436 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 11: +-#line 241 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 238 
"po-gram-gen.y" /* yacc.c:1646 */ + { + check_obsolete ((yyvsp[-2].message_intro), (yyvsp[-1].stringlist)); + check_obsolete ((yyvsp[-2].message_intro), (yyvsp[0].string)); +@@ -1448,11 +1445,11 @@ yyreduce: + string_list_destroy (&(yyvsp[-1].stringlist).stringlist); + free ((yyvsp[0].string).string); + } +-#line 1452 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1449 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 12: +-#line 250 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 247 "po-gram-gen.y" /* yacc.c:1646 */ + { + check_obsolete ((yyvsp[-2].message_intro), (yyvsp[-1].stringlist)); + check_obsolete ((yyvsp[-2].message_intro), (yyvsp[0].rhs)); +@@ -1461,22 +1458,22 @@ yyreduce: + string_list_destroy (&(yyvsp[-1].stringlist).stringlist); + free ((yyvsp[0].rhs).rhs.msgstr); + } +-#line 1465 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1462 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 13: +-#line 259 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 256 "po-gram-gen.y" /* yacc.c:1646 */ + { + check_obsolete ((yyvsp[-1].message_intro), (yyvsp[0].stringlist)); + po_gram_error_at_line (&(yyvsp[-1].message_intro).pos, _("missing 'msgstr' section")); + free_message_intro ((yyvsp[-1].message_intro)); + string_list_destroy (&(yyvsp[0].stringlist).stringlist); + } +-#line 1476 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1473 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 14: +-#line 270 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 267 "po-gram-gen.y" /* yacc.c:1646 */ + { + (yyval.message_intro).prev_ctxt = NULL; + (yyval.message_intro).prev_id = NULL; +@@ -1485,11 +1482,11 @@ yyreduce: + (yyval.message_intro).pos = (yyvsp[0].string).pos; + (yyval.message_intro).obsolete = (yyvsp[0].string).obsolete; + } +-#line 1489 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1486 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 15: +-#line 279 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 276 "po-gram-gen.y" /* yacc.c:1646 */ + { + check_obsolete ((yyvsp[-1].prev), (yyvsp[0].string)); + 
(yyval.message_intro).prev_ctxt = (yyvsp[-1].prev).ctxt; +@@ -1499,11 +1496,11 @@ yyreduce: + (yyval.message_intro).pos = (yyvsp[0].string).pos; + (yyval.message_intro).obsolete = (yyvsp[0].string).obsolete; + } +-#line 1503 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1500 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 16: +-#line 293 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 290 "po-gram-gen.y" /* yacc.c:1646 */ + { + check_obsolete ((yyvsp[-1].string), (yyvsp[0].stringlist)); + (yyval.prev).ctxt = (yyvsp[-1].string).string; +@@ -1512,11 +1509,11 @@ yyreduce: + (yyval.prev).pos = (yyvsp[-1].string).pos; + (yyval.prev).obsolete = (yyvsp[-1].string).obsolete; + } +-#line 1516 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1513 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 17: +-#line 302 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 299 "po-gram-gen.y" /* yacc.c:1646 */ + { + check_obsolete ((yyvsp[-2].string), (yyvsp[-1].stringlist)); + check_obsolete ((yyvsp[-2].string), (yyvsp[0].string)); +@@ -1526,21 +1523,21 @@ yyreduce: + (yyval.prev).pos = (yyvsp[-2].string).pos; + (yyval.prev).obsolete = (yyvsp[-2].string).obsolete; + } +-#line 1530 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1527 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 18: +-#line 316 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 313 "po-gram-gen.y" /* yacc.c:1646 */ + { + (yyval.string).string = NULL; + (yyval.string).pos = (yyvsp[0].pos).pos; + (yyval.string).obsolete = (yyvsp[0].pos).obsolete; + } +-#line 1540 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1537 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 19: +-#line 322 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 319 "po-gram-gen.y" /* yacc.c:1646 */ + { + check_obsolete ((yyvsp[-2].pos), (yyvsp[-1].stringlist)); + check_obsolete ((yyvsp[-2].pos), (yyvsp[0].pos)); +@@ -1548,21 +1545,21 @@ yyreduce: + (yyval.string).pos = (yyvsp[0].pos).pos; + (yyval.string).obsolete = (yyvsp[0].pos).obsolete; + } +-#line 1552 "po-gram-gen.c" /* yacc.c:1646 */ 
++#line 1549 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 20: +-#line 333 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 330 "po-gram-gen.y" /* yacc.c:1646 */ + { + (yyval.string).string = NULL; + (yyval.string).pos = (yyvsp[0].pos).pos; + (yyval.string).obsolete = (yyvsp[0].pos).obsolete; + } +-#line 1562 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1559 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 21: +-#line 339 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 336 "po-gram-gen.y" /* yacc.c:1646 */ + { + check_obsolete ((yyvsp[-2].pos), (yyvsp[-1].stringlist)); + check_obsolete ((yyvsp[-2].pos), (yyvsp[0].pos)); +@@ -1570,11 +1567,11 @@ yyreduce: + (yyval.string).pos = (yyvsp[0].pos).pos; + (yyval.string).obsolete = (yyvsp[0].pos).obsolete; + } +-#line 1574 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1571 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 22: +-#line 351 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 348 "po-gram-gen.y" /* yacc.c:1646 */ + { + check_obsolete ((yyvsp[-1].pos), (yyvsp[0].stringlist)); + plural_counter = 0; +@@ -1582,30 +1579,30 @@ yyreduce: + (yyval.string).pos = (yyvsp[-1].pos).pos; + (yyval.string).obsolete = (yyvsp[-1].pos).obsolete; + } +-#line 1586 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1583 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 23: +-#line 362 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 359 "po-gram-gen.y" /* yacc.c:1646 */ + { + check_obsolete ((yyvsp[-1].pos), (yyvsp[0].stringlist)); + (yyval.string).string = string_list_concat_destroy (&(yyvsp[0].stringlist).stringlist); + (yyval.string).pos = (yyvsp[-1].pos).pos; + (yyval.string).obsolete = (yyvsp[-1].pos).obsolete; + } +-#line 1597 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1594 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 24: +-#line 373 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 370 "po-gram-gen.y" /* yacc.c:1646 */ + { + (yyval.rhs) = (yyvsp[0].rhs); + } +-#line 1605 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1602 "po-gram-gen.c" /* yacc.c:1646 */ + break; 
+ + case 25: +-#line 377 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 374 "po-gram-gen.y" /* yacc.c:1646 */ + { + check_obsolete ((yyvsp[-1].rhs), (yyvsp[0].rhs)); + (yyval.rhs).rhs.msgstr = XNMALLOC ((yyvsp[-1].rhs).rhs.msgstr_len + (yyvsp[0].rhs).rhs.msgstr_len, char); +@@ -1617,11 +1614,11 @@ yyreduce: + (yyval.rhs).pos = (yyvsp[-1].rhs).pos; + (yyval.rhs).obsolete = (yyvsp[-1].rhs).obsolete; + } +-#line 1621 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1618 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 26: +-#line 392 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 389 "po-gram-gen.y" /* yacc.c:1646 */ + { + check_obsolete ((yyvsp[-4].pos), (yyvsp[-3].pos)); + check_obsolete ((yyvsp[-4].pos), (yyvsp[-2].number)); +@@ -1640,11 +1637,11 @@ yyreduce: + (yyval.rhs).pos = (yyvsp[-4].pos).pos; + (yyval.rhs).obsolete = (yyvsp[-4].pos).obsolete; + } +-#line 1644 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1641 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 27: +-#line 415 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 412 "po-gram-gen.y" /* yacc.c:1646 */ + { + string_list_init (&(yyval.stringlist).stringlist); + string_list_append (&(yyval.stringlist).stringlist, (yyvsp[0].string).string); +@@ -1652,11 +1649,11 @@ yyreduce: + (yyval.stringlist).pos = (yyvsp[0].string).pos; + (yyval.stringlist).obsolete = (yyvsp[0].string).obsolete; + } +-#line 1656 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1653 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 28: +-#line 423 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 420 "po-gram-gen.y" /* yacc.c:1646 */ + { + check_obsolete ((yyvsp[-1].stringlist), (yyvsp[0].string)); + (yyval.stringlist).stringlist = (yyvsp[-1].stringlist).stringlist; +@@ -1665,11 +1662,11 @@ yyreduce: + (yyval.stringlist).pos = (yyvsp[-1].stringlist).pos; + (yyval.stringlist).obsolete = (yyvsp[-1].stringlist).obsolete; + } +-#line 1669 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1666 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 29: +-#line 435 "po-gram-gen.y" /* 
yacc.c:1646 */ ++#line 432 "po-gram-gen.y" /* yacc.c:1646 */ + { + string_list_init (&(yyval.stringlist).stringlist); + string_list_append (&(yyval.stringlist).stringlist, (yyvsp[0].string).string); +@@ -1677,11 +1674,11 @@ yyreduce: + (yyval.stringlist).pos = (yyvsp[0].string).pos; + (yyval.stringlist).obsolete = (yyvsp[0].string).obsolete; + } +-#line 1681 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1678 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + case 30: +-#line 443 "po-gram-gen.y" /* yacc.c:1646 */ ++#line 440 "po-gram-gen.y" /* yacc.c:1646 */ + { + check_obsolete ((yyvsp[-1].stringlist), (yyvsp[0].string)); + (yyval.stringlist).stringlist = (yyvsp[-1].stringlist).stringlist; +@@ -1690,11 +1687,11 @@ yyreduce: + (yyval.stringlist).pos = (yyvsp[-1].stringlist).pos; + (yyval.stringlist).obsolete = (yyvsp[-1].stringlist).obsolete; + } +-#line 1694 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1691 "po-gram-gen.c" /* yacc.c:1646 */ + break; + + +-#line 1698 "po-gram-gen.c" /* yacc.c:1646 */ ++#line 1695 "po-gram-gen.c" /* yacc.c:1646 */ + default: break; + } + /* User semantic actions sometimes alter yychar, and that requires diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix index 1dae2c443c8c1e..75d1eec25f629e 100644 --- a/pkgs/development/libraries/gettext/default.nix +++ b/pkgs/development/libraries/gettext/default.nix @@ -1,5 +1,6 @@ { stdenv, lib, fetchurl, libiconv, xz, bison, automake115x, autoconf }: +let allowBisonDependency = !stdenv.isDarwin; in stdenv.mkDerivation rec { name = "gettext-${version}"; version = "0.19.8.1"; 
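Review bot: The `let allowBisonDependency = !stdenv.isDarwin; in` binding added at the top of default.nix carries no comment saying why Darwin must not pull in bison, so a reader cannot tell when the special case and the pre-generated parser patch can be removed. I would put a comment above it along the lines of `# Darwin cannot depend on bison here (<reason>); it applies CVE-2018-18751-bison.patch instead of regenerating po-gram-gen.c`. The reason itself is not visible in this diff and should be filled in by the author.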
@@ -15,6 +16,9 @@ stdenv.mkDerivation rec { url = "https://git.savannah.gnu.org/gitweb/?p=gettext.git;a=patch;h=dce3a16e5e9368245735e29bf498dcd5e3e474a4"; sha256 = "1lpjwwcjr1sb879faj0xyzw02kma0ivab6xwn3qciy13qy6fq5xn"; }) + ] ++ lib.optionals (!allowBisonDependency) [ + # Only necessary for CVE-2018-18751.patch: + ./CVE-2018-18751-bison.patch ]; outputs = [ "out" "man" "doc" "info" ]; @@ -47,7 +51,18 @@ stdenv.mkDerivation rec { sed -i -e "s/\(libgettextsrc_la_LDFLAGS = \)/\\1..\/gnulib-lib\/libxml_rpl.la /" gettext-tools/src/Makefile.in ''; - nativeBuildInputs = [ xz xz.bin bison automake115x autoconf]; + nativeBuildInputs = [ + xz + xz.bin + ] ++ lib.optional allowBisonDependency [ + # Only necessary for CVE-2018-18751.patch (unless CVE-2018-18751-bison.patch + # is also applied): + bison + ] ++ [ + # Only necessary for CVE-2018-18751.patch: + automake115x + autoconf + ]; # HACK, see #10874 (and 14664) buildInputs = stdenv.lib.optional (!stdenv.isLinux && !stdenv.hostPlatform.isCygwin) libiconv;
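Review bot: Nothing in the added `./CVE-2018-18751-bison.patch` entry ties the pre-generated po-gram-gen.c to the grammar patch it mirrors, so on Darwin the fix for CVE-2018-18751 depends on a hand-maintained copy of Bison output staying in sync. If the fetched patch or `version` changes and this file is not regenerated, the Darwin build would either fail to apply it or compile a parser that no longer matches po-gram-gen.y, while the other platforms regenerate it with bison. I would extend the comment to say so, e.g. `# Pre-generated Bison 3.0.4 output; regenerate whenever CVE-2018-18751.patch or version changes, and keep it last so po-gram-gen.c is patched after po-gram-gen.y`. The ordering remark is an assumption about make's timestamp check and is worth confirming. The patch header also spells the grammar file `pro-gram-gen.y`, while the `#line` directives name `po-gram-gen.y`.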
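Review bot: `lib.optional allowBisonDependency [ bison ]` in the new `nativeBuildInputs` wraps its second argument in a list, so it yields `[ [ bison ] ]` rather than `[ bison ]`; the patches hunk in the same file uses `lib.optionals` for the same pattern. The build may tolerate the nested list, but that depends on how the consumer flattens its inputs and is easy to break in a later refactor. The line should read `] ++ lib.optionals allowBisonDependency [`.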