b12f/nixpkgs
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

ntfs3g: patch for CVE-2017-0358

Browse source 
From the Debian advisory:

Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write
NTFS driver for FUSE, does not scrub the environment before executing
modprobe with elevated privileges. A local user can take advantage of
this flaw for local root privilege escalation.
This commit is contained in:
Graham Christensen 2017-02-08 22:11:25 -05:00
parent e74ec9d84f
commit 19f23d00fd
No known key found for this signature in database
GPG key ID: 06121D366FE9435C
1 changed files with 8 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
pkgs/tools/filesystems/ntfs-3g/default.nix
View file

@ -1,4 +1,4 @@
{stdenv, fetchurl, utillinux, libuuid
{stdenv, fetchurl, fetchpatch, utillinux, libuuid
, crypto ? false, libgcrypt, gnutls, pkgconfig}:
stdenv.mkDerivation rec {
@ -14,6 +14,13 @@ stdenv.mkDerivation rec {
sha256 = "180y5y09h30ryf2vim8j30a2npwz1iv9ly5yjmh3wjdkwh2jrdyp";
};
patches = [
(fetchpatch {
url = "https://sources.debian.net/data/main/n/ntfs-3g/1:2016.2.22AR.1-4/debian/patches/0003-CVE-2017-0358.patch";
sha256 = "0hd05q9q06r18k8pmppvch1sslzqln5fvqj51d5r72g4mnpavpj3";
})
];
patchPhase = ''
substituteInPlace src/Makefile.in --replace /sbin '@sbindir@'
substituteInPlace ntfsprogs/Makefile.in --replace /sbin '@sbindir@'
@ -45,4 +52,3 @@ stdenv.mkDerivation rec {
license = licenses.gpl2Plus; # and (lib)fuse-lite under LGPL2+
};
}