json-c: update to 0.12, fixing CVE-2013-{6370,6371}

2024-11-16 23:03:40 +01:00 · 2014-05-03 17:17:34 +02:00 · 2014-05-03 17:17:34 +02:00 · d96f262166
commit d96f262166
parent 208e7cae1a
3 changed files with 41 additions and 10 deletions
--- a/pkgs/development/libraries/json-c/default.nix
+++ b/pkgs/development/libraries/json-c/default.nix
@ -1,20 +1,32 @@
-{ stdenv, fetchurl }:
+{ stdenv, fetchurl, autoreconfHook }:

 stdenv.mkDerivation rec {
-  name = "json-c-0.9";
+  name = "json-c-0.12";
  src = fetchurl {
-    url = "http://oss.metaparadigm.com/json-c/json-c-0.9.tar.gz";
-    sha256 = "0xcl8cwzm860f8m0cdzyw6slwcddni4mraw4shvr3qgqkdn4hakh";
+    url    = "https://s3.amazonaws.com/json-c_releases/releases/${name}-nodoc.tar.gz";
+    sha256 = "0dgvjjyb9xva63l6sy70sdch2w4ryvacdmfd3fg2f2v13lqx5mkg";
  };
+
+  patches = [ ./unused-variable.patch ];
+
+  buildInputs = [ autoreconfHook ]; # won't configure without it, no idea why
+
+  # compatibility hack (for mypaint at least)
+  postInstall = ''
+    ln -s json-c.pc "$out/lib/pkgconfig/json.pc"
+  '';
+
  meta = with stdenv.lib; {
-    homepage = "http://oss.metaparadigm.com/json-c/";
    description = "A JSON implementation in C";
+    homepage    = https://github.com/json-c/json-c/wiki;
+    maintainers = with maintainers; [ lovek323 ];
+    platforms   = platforms.unix;
+
    longDescription = ''
      JSON-C implements a reference counting object model that allows you to
      easily construct JSON objects in C, output them as JSON formatted strings
      and parse JSON formatted strings back into the C representation of JSON
      objects.
    '';
-    hydraPlatforms = platforms.linux;
  };
 }
--- a/pkgs/development/libraries/json-c/unused-variable.patch
+++ b/pkgs/development/libraries/json-c/unused-variable.patch
@ -0,0 +1,18 @@
+See https://groups.google.com/forum/#!topic/json-c/TYodemkG338
+diff --git a/json_tokener.c b/json_tokener.c
+index 19de8ef..32bc8af 100644
+--- a/json_tokener.c
+++ b/json_tokener.c
+@@ -352,12 +352,10 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
+ 
+     case json_tokener_state_inf: /* aka starts with 'i' */
+       {
+-	int size;
+ 	int size_inf;
+ 	int is_negative = 0;
+ 
+ 	printbuf_memappend_fast(tok->pb, &c, 1);
+-	size = json_min(tok->st_pos+1, json_null_str_len);
+ 	size_inf = json_min(tok->st_pos+1, json_inf_str_len);
+ 	char *infbuf = tok->pb->buf;
+ 	if (*infbuf == '-')
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -1112,7 +1112,9 @@ let
   */
  graphviz_2_0 = callPackage ../tools/graphics/graphviz/2.0.nix { };

-  grive = callPackage ../tools/filesystems/grive { };
+  grive = callPackage ../tools/filesystems/grive {
+    json_c = json-c-0-11; # won't configure with 0.12; others are vulnerable
+  };

  groff = callPackage ../tools/text/groff {
    ghostscript = null;
@ -4788,9 +4790,8 @@ let

  json_glib = callPackage ../development/libraries/json-glib { };

-  json-c-0-9 = callPackage ../development/libraries/json-c { };
-  json-c-0-11 = callPackage ../development/libraries/json-c/0.11.nix { };
-  json_c = json-c-0-9;
+  json-c-0-11 = callPackage ../development/libraries/json-c/0.11.nix { }; # vulnerable
+  json_c = callPackage ../development/libraries/json-c { };

  jsoncpp = callPackage ../development/libraries/jsoncpp { };