Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[r19.03] ghostscript: catch up with many CVE patches #75121



Copy link

@risicle risicle commented Dec 6, 2019

Motivation for this change

Having the same base version as 19.09, it's easy enough to bring all the relevant patches up to the level of #73590.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits
Notify maintainers

cc @

risicle added 5 commits May 24, 2019
…-14812, CVE-2019-14813 and some of CVE-2019-14817

as with master, not all of the CVE-2019-14817 patch applies cleanly, but
the parts that do should provide some protection

(cherry picked from commit bd3f644)
context-adjusted patches cribbed from debian's 9.26a~dfsg-0+deb9u6, also
requiring further adjustment of patch for CVE-2019-10216

(cherry picked from commit 59ea6fc)
again, context-adjusted patches cribbed from debian's 9.26a~dfsg-0+deb9u6

(cherry picked from commit 4e28989)
again, context-adjusted patch cribbed from debian's 9.26a~dfsg-0+deb9u6

(cherry picked from commit 0fba5b9)
@@ -51,6 +51,37 @@ stdenv.mkDerivation rec {
url = ";a=patch;h=d3537a54740d78c5895ec83694a07b3e4f616f61";
sha256 = "1hr8bpi87bbg1kvv28kflmfh1dhzxw66p9q0ddvbrj72qd86p3kx";

This comment has been minimized.


doronbehar Mar 4, 2020

So why did you use fetchpatch for some patches and local files for other patches?

This comment has been minimized.


risicle Mar 4, 2020
Author Contributor

I think a couple of them needed manual adaptation. But this was a long time ago now.

Copy link

@doronbehar doronbehar commented Jul 2, 2020

@risicle this PR targets an unmaintained branch right? Perhaps we should close it now?

Copy link
Contributor Author

@risicle risicle commented Jul 2, 2020

If ya like, I don't see any harm in throwing a bone to people stuck on an old release tho 🤷

@doronbehar doronbehar closed this Sep 8, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants
You can’t perform that action at this time.