diff --git a/pkgs/tools/backup/store-backup/CVE-2020-7040.patch b/pkgs/tools/backup/store-backup/CVE-2020-7040.patch new file mode 100644 index 000000000000..9b78f9bab95f --- /dev/null +++ b/pkgs/tools/backup/store-backup/CVE-2020-7040.patch @@ -0,0 +1,23 @@ +Index: storeBackup/lib/fileDir.pl +=================================================================== +--- storeBackup.orig/lib/fileDir.pl ++++ storeBackup/lib/fileDir.pl +@@ -21,7 +21,7 @@ + + + use Digest::MD5 qw(md5_hex); +-use Fcntl qw(O_RDWR O_CREAT); ++use Fcntl qw(O_RDWR O_CREAT O_WRONLY O_EXCL); + use Fcntl ':mode'; + use POSIX; + use Cwd 'abs_path'; +@@ -482,7 +482,7 @@ sub checkLockFile + '-str' => ["creating lock file <$lockFile>"]); + + &::checkDelSymLink($lockFile, $prLog, 0x01); +- open(FILE, '>', $lockFile) or ++ sysopen(FILE, $lockFile, O_WRONLY | O_CREAT | O_EXCL) or + $prLog->print('-kind' => 'E', + '-str' => ["cannot create lock file <$lockFile>"], + '-exit' => 1); + diff --git a/pkgs/tools/backup/store-backup/default.nix b/pkgs/tools/backup/store-backup/default.nix index afa667ec0725..506ea600cbcb 100644 --- a/pkgs/tools/backup/store-backup/default.nix +++ b/pkgs/tools/backup/store-backup/default.nix @@ -14,7 +14,7 @@ in stdenv.mkDerivation rec { - version = "3.5"; + version = "3.5.2"; pname = "store-backup"; @@ -25,9 +25,14 @@ stdenv.mkDerivation rec { src = fetchurl { url = "https://download.savannah.gnu.org/releases/storebackup/storeBackup-${version}.tar.bz2"; - sha256 = "0y4gzssc93x6y93mjsxm5b5cdh68d7ffa43jf6np7s7c99xxxz78"; + hash = "sha256-Ki1DT2zypFFiiMVd9Y8eSX7T+yr8moWMoALmAexjqWU="; }; + patches = [ + # https://www.openwall.com/lists/oss-security/2020/01/20/3 + ./CVE-2020-7040.patch + ]; + installPhase = '' mkdir -p $out/scripts mv * $out @@ -48,7 +53,8 @@ stdenv.mkDerivation rec { PATH=$PATH:${dummyMount}/bin - + export USER=test + export HOME=$(mktemp -d) { # simple sanity test, test backup/restore of simple store paths mkdir backup