Merge pull request #39644 from andir/17.09/quassel-rce-dos

[17.09] quassel: 0.12.4 fix RCE & DOS
NixOS · Apr 28, 2018 · a3a6dd7 · a3a6dd7
2 parents 7aee0da + f05e8d5
commit a3a6dd7
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 4 deletions.
diff --git a/pkgs/applications/networking/irc/quassel/default.nix b/pkgs/applications/networking/irc/quassel/default.nix
@@ -4,7 +4,7 @@
 , tag ? "" # tag added to the package name
 , static ? false # link statically
 
-, stdenv, fetchurl, cmake, makeWrapper, dconf
+, stdenv, fetchurl, fetchpatch, cmake, makeWrapper, dconf
 , qtbase, qtscript
 , phonon, libdbusmenu, qca-qt5
 
@@ -32,10 +32,10 @@ assert !buildClient -> !withKDE; # KDE is used by the client only
 
 let
   edf = flag: feature: [("-D" + feature + (if flag then "=ON" else "=OFF"))];
-  source = import ./source.nix { inherit fetchurl; };
+  source = import ./source.nix { inherit fetchurl fetchpatch; };
 
 in with stdenv; mkDerivation rec {
-  inherit (source) src version;
+  inherit (source) src version patches;
 
   name = "quassel${tag}-${version}";
 

diff --git a/pkgs/applications/networking/irc/quassel/source.nix b/pkgs/applications/networking/irc/quassel/source.nix
@@ -1,9 +1,21 @@
-{ fetchurl }:
+{ fetchurl, fetchpatch }:
 
 rec {
   version = "0.12.4";
   src = fetchurl {
     url = "https://github.com/quassel/quassel/archive/${version}.tar.gz";
     sha256 = "0q2qlhy1d6glw9pwxgcgwvspd1mkk3yi6m21dx9gnj86bxas2qs2";
   };
+  patches = [
+    (fetchpatch {
+      name = "CVE-XXX-RCE.patch";
+      url = "https://quassel-irc.org/pub/misc/0001-Implement-custom-deserializer-to-add-our-own-sanity-.patch";
+      sha256 = "0w7gx0xhqfb2h1rxlh9q96bdd23szbxdjs3ydmrzzvyxj5sk8dzd";
+    })
+    (fetchpatch {
+      name = "CVE-XXX-DOS.patch";
+      url = "https://quassel-irc.org/pub/misc/0002-Reject-clients-that-attempt-to-login-before-the-core.patch";
+      sha256 = "0is2jf7qppsx2y10f0zazm27lnkam83wpm8wmnfmdxdxj656ifd1";
+    })
+  ];
 }