From 3a4e2376e444fd7664102af00a34c65b47e271ec Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Sat, 11 Mar 2017 13:43:42 +0100
Subject: [PATCH] qemu_test: don't apply patch for CVE-2016-9602

Both patches are conflicting. Keeping the vulnerability unpatched in qemu binaries used for nixos test is tolerable.
---
 pkgs/applications/virtualization/qemu/default.nix | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
index e5620b6ce456..ef3cce4808d1 100644
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
@@ -77,12 +77,6 @@ stdenv.mkDerivation rec {
 "0lk19qss6ky7cqnvis54742cr2z0vl8c64chhch0kp6n83hray9x")
 
 # security fixes from debian
- (fetchurl {
- name = "CVE-2016-9602.patch";
- url = "https://anonscm.debian.org/cgit/pkg-qemu/qemu.git/plain/debian/patches/9pfs-symlink-attack-fixes-CVE-2016-9602.patch?h=debian/qemu_2.8%2bdfsg-3";
- sha256 = "0f7m1k3hbw9v0dwqn53ds36s7s334vlidvbn0682s9r2sq0sjlkv";
- })
-
 (fetchurl {
 name = "CVE-2017-2630.patch";
 url = "https://anonscm.debian.org/cgit/pkg-qemu/qemu.git/plain/debian/patches/nbd_client-fix-drop_sync-CVE-2017-2630.patch?h=debian/qemu_2.8%2bdfsg-3";
@@ -141,7 +135,13 @@ stdenv.mkDerivation rec {
 (upstreamPatch "CVE-2017-5987"
 "6e86d90352adf6cb08295255220295cf23c4286e"
 "09yfxf93cisx8rhm0h48ib1ibwfs420k5pqpz8dnz33nci9567jm")
- ] ++ optional nixosTestRunner ./force-uid0-on-9p.patch;
+ ] ++ (if nixosTestRunner then [ ./force-uid0-on-9p.patch ] else [
+ (fetchurl {
+ name = "CVE-2016-9602.patch";
+ url = "https://anonscm.debian.org/cgit/pkg-qemu/qemu.git/plain/debian/patches/9pfs-symlink-attack-fixes-CVE-2016-9602.patch?h=debian/qemu_2.8%2bdfsg-3";
+ sha256 = "0f7m1k3hbw9v0dwqn53ds36s7s334vlidvbn0682s9r2sq0sjlkv";
+ })
+ ]);
 
 hardeningDisable = [ "stackprotector" ];
 
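Review bot: The reason CVE-2016-9602 is dropped from the nixosTestRunner build lives only in the commit message; the new `if nixosTestRunner then … else …` branch in the second hunk carries no comment, so a later maintainer can neither see that the omission is deliberate nor know to restore the patch once the conflict with force-uid0-on-9p.patch goes away. Suggest placing `# CVE-2016-9602 (9pfs symlink fixes) conflicts with force-uid0-on-9p.patch; the test-runner build knowingly omits it` above the `(fetchurl {` that now sits in the else branch. The `# security fixes from debian` heading left in the first hunk no longer covers this patch, which now sits at the tail of the list after the upstreamPatch entries, so a reader auditing the debian group will not find it there. As a point of style, `optional nixosTestRunner ./force-uid0-on-9p.patch ++ optional (!nixosTestRunner) (fetchurl { … })` would keep the `optional` idiom the removed line used instead of introducing an if/else with bracketed lists. The list closed by the `]` on the changed line begins outside the hunk.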