From 04c0fa2d3a524a74091b51b0d180eec138362272 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Mon, 3 Jan 2022 17:49:44 +0000 Subject: [PATCH 1/3] openexr_3: add patch for CVE-2021-45942 the CVE description is currently suggesting https://github.com/AcademySoftwareFoundation/openexr/commit/db217f29dfb24f6b4b5100c24ac5e7490e1c57d0 as the fix, but it is wrong checked this patch does silence valgrind's complaints with reproducer file https://oss-fuzz.com/download?testcase_id=5275682339422208 --- pkgs/development/libraries/openexr/3.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkgs/development/libraries/openexr/3.nix b/pkgs/development/libraries/openexr/3.nix index 1fae6682906..dab6b254089 100644 --- a/pkgs/development/libraries/openexr/3.nix +++ b/pkgs/development/libraries/openexr/3.nix @@ -1,6 +1,7 @@ { lib , stdenv , fetchFromGitHub +, fetchpatch , zlib , cmake , imath @@ -19,6 +20,14 @@ stdenv.mkDerivation rec { sha256 = "0vyclrrikphwkkpyjg8kzh3qzflzk3d6xsidgqllgfdgllr9wmgv"; }; + patches = [ + (fetchpatch { + name = "CVE-2021-45942.patch"; + url = "https://github.com/AcademySoftwareFoundation/openexr/commit/11cad77da87c4fa2aab7d58dd5339e254db7937e.patch"; + sha256 = "1qa8662ga5i0lyfi9mkj9s9bygdg7h1i6ahki28c664kxrlsakch"; + }) + ]; + nativeBuildInputs = [ cmake ]; propagatedBuildInputs = [ imath zlib ]; From c893059836b291f9d747e2b9f03c03ff4d3dae28 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Mon, 3 Jan 2022 17:50:36 +0000 Subject: [PATCH 2/3] openexr_3: enable tests --- pkgs/development/libraries/openexr/3.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkgs/development/libraries/openexr/3.nix b/pkgs/development/libraries/openexr/3.nix index dab6b254089..3c77abfccbf 100644 --- a/pkgs/development/libraries/openexr/3.nix +++ b/pkgs/development/libraries/openexr/3.nix @@ -28,9 +28,18 @@ stdenv.mkDerivation rec { }) ]; + # tests are determined to use /var/tmp on unix + postPatch = '' + cat <(find . -name tmpDir.h) <(echo src/test/OpenEXRCoreTest/main.cpp) | while read -r f ; do + substituteInPlace $f --replace '/var/tmp' "$TMPDIR" + done + ''; + nativeBuildInputs = [ cmake ]; propagatedBuildInputs = [ imath zlib ]; + doCheck = true; + meta = with lib; { description = "A high dynamic-range (HDR) image file format"; homepage = "https://www.openexr.com/"; From a238071df44df8bebfa4f08fe81661b86f8d4f95 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Mon, 3 Jan 2022 22:44:21 +0000 Subject: [PATCH 3/3] openexr: add patch for CVE-2021-45942 the CVE description is currently suggesting https://github.com/AcademySoftwareFoundation/openexr/commit/db217f29dfb24f6b4b5100c24ac5e7490e1c57d0 as the fix, but it is wrong checked this patch does silence valgrind's complaints with reproducer file https://oss-fuzz.com/download?testcase_id=5275682339422208 --- pkgs/development/libraries/openexr/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pkgs/development/libraries/openexr/default.nix b/pkgs/development/libraries/openexr/default.nix index d60b7b7fc43..31ca4855275 100644 --- a/pkgs/development/libraries/openexr/default.nix +++ b/pkgs/development/libraries/openexr/default.nix @@ -26,6 +26,13 @@ stdenv.mkDerivation rec { url = "https://github.com/AcademySoftwareFoundation/openexr/commit/2f19a01923885fda75ec9d19332de080ec7102bd.patch"; sha256 = "1yxmrdzq1x1911wdzwnzr29jmg2r4wd4yx3vhjn0y5dpny0ri5y5"; }) + (fetchpatch { + name = "CVE-2021-45942.patch"; + url = "https://github.com/AcademySoftwareFoundation/openexr/commit/11cad77da87c4fa2aab7d58dd5339e254db7937e.patch"; + stripLen = 4; + extraPrefix = "OpenEXR/IlmImf/"; + sha256 = "1wa2jn6sa0n3phaqvklnlbgk1bz60y756ad4jk4d757pzpnannsy"; + }) ]; nativeBuildInputs = [ cmake ];