sharutils: Patch CVE-2018-1000097

author: Tim Steinbach <tim@nequissimus.com> 2018-08-05 14:41:59 -0400
committer: Tim Steinbach <tim@nequissimus.com> 2018-08-05 14:42:15 -0400
commit: 76a713bd299ff9bd63880c4be25a8335f5082322 (patch)
tree: 336ce9030554634f1742c2a71e107786ac7bb722 /pkgs/tools/archivers/sharutils
parent: 93a056993f79c62f9e5e27a895462353bdd7d59e (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix
index 907ac58d15fe..292c0be20e57 100644
--- a/pkgs/tools/archivers/sharutils/default.nix
+++ b/pkgs/tools/archivers/sharutils/default.nix
@@ -19,7 +19,15 @@ stdenv.mkDerivation rec {
   # remaps /etc/passwd to a trivial file, but we can't do that on Darwin so I do this
   # instead. In this case, I pass in the very imaginative "submitter" as the submitter name
 
-  patchPhase = let
+  patches = [
+    # CVE-2018-1000097
+    (fetchurl {
+      url = "https://sources.debian.org/data/main/s/sharutils/1:4.15.2-2+deb9u1/debian/patches/01-fix-heap-buffer-overflow-cve-2018-1000097.patch";
+      sha256 = "19g0sxc8g79aj5gd5idz5409311253jf2q8wqkasf0handdvsbxx";
+    })
+  ];
+
+  postPatch = let
       # This evaluates to a string containing:
       #
       #     substituteInPlace tests/shar-2 --replace '${SHAR}' '${SHAR} -s submitter'
author	Tim Steinbach <tim@nequissimus.com>	2018-08-05 14:41:59 -0400
committer	Tim Steinbach <tim@nequissimus.com>	2018-08-05 14:42:15 -0400
commit	76a713bd299ff9bd63880c4be25a8335f5082322 (patch)
tree	336ce9030554634f1742c2a71e107786ac7bb722 /pkgs/tools/archivers/sharutils
parent	93a056993f79c62f9e5e27a895462353bdd7d59e (diff)