firejail: add patches to fix CVE-2020-17367 and CVE-2020-17368

ryneeverett · Aug 9, 2020 · e15cab8 · e15cab8
1 parent 3735c9e
commit e15cab8
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/pkgs/os-specific/linux/firejail/default.nix b/pkgs/os-specific/linux/firejail/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, which}:
+{stdenv, fetchurl, fetchpatch, which}:
 let
   s = # Generated upstream information
   rec {
@@ -20,6 +20,19 @@ stdenv.mkDerivation {
     name = "${s.name}.tar.bz2";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2020-17367.patch";
+      url = "https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37.patch";
+      sha256 = "1gxz4jxp80gxnn46195qxcpmikwqab9d0ylj9zkm62lycp84ij6n";
+    })
+    (fetchpatch {
+      name = "CVE-2020-17368.patch";
+      url = "https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b.patch";
+      sha256 = "0n4ch3qykxx870201l8lz81f7h84vk93pzz77f5cjbd30cxnbddl";
+    })
+  ];
+
   prePatch = ''
     # Allow whitelisting ~/.nix-profile
     substituteInPlace etc/firejail.config --replace \