Merge pull request #57963 from andir/samba

samba/ldb: fix CVE-2019-3824
NixOS · Mar 22, 2019 · 77166e7 · 77166e7
2 parents 69e23dc + 5acc543
commit 77166e7
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/pkgs/development/libraries/ldb/default.nix b/pkgs/development/libraries/ldb/default.nix
@@ -19,6 +19,17 @@ stdenv.mkDerivation rec {
     cmocka
   ];
 
+  patches = [
+    # CVE-2019-3824
+    # downloading the patch from debian as they have ported the patch from samba to ldb but otherwise is identical to
+    # https://bugzilla.samba.org/attachment.cgi?id=14857
+    (fetchurl {
+      name = "CVE-2019-3824.patch";
+      url = "https://sources.debian.org/data/main/l/ldb/2:1.1.27-1+deb9u1/debian/patches/CVE-2019-3824-master-v4-5-02.patch";
+      sha256 = "1idnqckvjh18rh9sbq90rr4sxfviha9nd1ca9pd6lai0y6r6q4yd";
+    })
+  ];
+
   preConfigure = ''
     sed -i 's,#!/usr/bin/env python,#!${python}/bin/python,g' buildtools/bin/waf
   '';

diff --git a/pkgs/servers/samba/4.x.nix b/pkgs/servers/samba/4.x.nix
@@ -33,10 +33,18 @@ stdenv.mkDerivation rec {
     [ ./4.x-no-persistent-install.patch
       ./patch-source3__libads__kerberos_keytab.c.patch
       ./4.x-no-persistent-install-dynconfig.patch
+
+      # conditionall disable MacOS incompatible tests
       (fetchpatch {
         url = "https://patch-diff.githubusercontent.com/raw/samba-team/samba/pull/107.patch";
         sha256 = "0r6q34vjj0bdzmcbnrkad9rww58k4krbwicv4gs1g3dj49skpvd6";
       })
+
+      (fetchpatch {
+        name = "CVE-2019-3824.patch";
+        url = "https://attachments.samba.org/attachment.cgi?id=14859";
+        sha256 = "02qf3zr55mzbimqdv01k3b22jjb084vfr5zabapyr5h1f588mw0q";
+      })
     ];
 
   buildInputs =