db{48,53,60,62}: add patch to fix CVE-2017-10140

2024-11-16 14:54:29 +01:00 · 2017-10-24 13:03:20 +02:00 · 2017-10-24 13:03:20 +02:00 · 5072f4792e
commit 5072f4792e
parent 9bd9305602
6 changed files with 26 additions and 4 deletions
--- a/pkgs/development/libraries/db/CVE-2017-10140-4.8-cwd-db_config.patch
+++ b/pkgs/development/libraries/db/CVE-2017-10140-4.8-cwd-db_config.patch
@ -0,0 +1,11 @@
+--- a/env/env_open.c.old	2017-06-26 10:32:11.011419981 +0200
+++ b/env/env_open.c	2017-06-26 10:32:46.893721233 +0200
+@@ -473,7 +473,7 @@
+ 	env->db_mode = mode == 0 ? DB_MODE_660 : mode;
+ 
+ 	/* Read the DB_CONFIG file. */
+-	if ((ret = __env_read_db_config(env)) != 0)
+	if (env->db_home != NULL && (ret = __env_read_db_config(env)) != 0)
+ 		return (ret);
+ 
+ 	/*
--- a/pkgs/development/libraries/db/CVE-2017-10140-cwd-db_config.patch
+++ b/pkgs/development/libraries/db/CVE-2017-10140-cwd-db_config.patch
@ -0,0 +1,11 @@
+--- db-5.3.28/src/env/env_open.c.old	2017-06-26 10:32:11.011419981 +0200
+++ db-5.3.28/src/env/env_open.c	2017-06-26 10:32:46.893721233 +0200
+@@ -473,7 +473,7 @@
+ 	env->db_mode = mode == 0 ? DB_MODE_660 : mode;
+ 
+ 	/* Read the DB_CONFIG file. */
+-	if ((ret = __env_read_db_config(env)) != 0)
+	if (env->db_home != NULL && (ret = __env_read_db_config(env)) != 0)
+ 		return (ret);
+ 
+ 	/*
--- a/pkgs/development/libraries/db/db-4.8.nix
+++ b/pkgs/development/libraries/db/db-4.8.nix
@ -3,7 +3,7 @@
 import ./generic.nix (args // rec {
  version = "4.8.30";
  sha256 = "0ampbl2f0hb1nix195kz1syrqqxpmvnvnfvphambj7xjrl3iljg0";
-  extraPatches = [ ./clang-4.8.patch ];
+  extraPatches = [ ./clang-4.8.patch ./CVE-2017-10140-4.8-cwd-db_config.patch ];

  drvArgs.hardeningDisable = [ "format" ];
  drvArgs.doCheck = false;
--- a/pkgs/development/libraries/db/db-5.3.nix
+++ b/pkgs/development/libraries/db/db-5.3.nix
@ -3,5 +3,5 @@
 import ./generic.nix (args // rec {
  version = "5.3.28";
  sha256 = "0a1n5hbl7027fbz5lm0vp0zzfp1hmxnz14wx3zl9563h83br5ag0";
-  extraPatches = [ ./clang-5.3.patch ];
+  extraPatches = [ ./clang-5.3.patch ./CVE-2017-10140-cwd-db_config.patch ];
 })
--- a/pkgs/development/libraries/db/db-6.0.nix
+++ b/pkgs/development/libraries/db/db-6.0.nix
@ -4,5 +4,5 @@ import ./generic.nix (args // rec {
  version = "6.0.20";
  sha256 = "00r2aaglq625y8r9xd5vw2y070plp88f1mb2gbq3kqsl7128lsl0";
  license = stdenv.lib.licenses.agpl3;
-  extraPatches = [ ./clang-6.0.patch ];
+  extraPatches = [ ./clang-6.0.patch ./CVE-2017-10140-cwd-db_config.patch ];
 })
--- a/pkgs/development/libraries/db/db-6.2.nix
+++ b/pkgs/development/libraries/db/db-6.2.nix
@ -4,5 +4,5 @@ import ./generic.nix (args // rec {
  version = "6.2.23";
  sha256 = "1isxx4jfmnh913jzhp8hhfngbk6dsg46f4kjpvvc56maj64jqqa7";
  license = stdenv.lib.licenses.agpl3;
-  extraPatches = [ ./clang-6.0.patch ];
+  extraPatches = [ ./clang-6.0.patch ./CVE-2017-10140-cwd-db_config.patch ];
 })