Skip to content

Commit

Permalink
synergy: Add patch to fix CVE-2020-15117
Browse files Browse the repository at this point in the history 
From the description of CVE-2020-15117:

> In Synergy before version 1.12.0, a Synergy server can be crashed by
> receiving a kMsgHelloBack packet with a client name length set to
> 0xffffffff (4294967295) if the servers memory is less than 4 GB. It
> was verified that this issue does not cause a crash through the
> exception handler if the available memory of the Server is more than
> 4GB.

While I personally would consider this a pretty low-priority issue since
Synergy usually is only used in local environment, it's nevertheless
better to patch known issues.

Since the fix is part of version 1.12, which doesn't have a stable
release yet, I'm including the fix as a patch cherry-picked from the
upstream commit.

I originally had the CVE number as a comment prior to the fetchpatch
call in question, but since @mweinelt mentioned that https://broken.sh/
uses the patch file name[1] to match whether the software in question
has been patched, I've removed my initial comment as it would be
redundant.

[1]: https://github.com/andir/nix-vulnerability-scanner/blob/fb63998885462/src/report/nix_patches.rs#L83-L95

Signed-off-by: aszlig <aszlig@nix.build>
Fixes: #94007
  • Loading branch information
@aszlig
aszlig committed Aug 4, 2020
1 parent 3873e0d commit 9e476fe
Showing 1 changed file with 9 additions and 2 deletions.
11 changes: 9 additions & 2 deletions pkgs/applications/misc/synergy/default.nix
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
{ stdenv, lib, fetchFromGitHub, cmake, openssl, qttools
{ stdenv, lib, fetchpatch, fetchFromGitHub, cmake, openssl, qttools
, ApplicationServices, Carbon, Cocoa, CoreServices, ScreenSaver
, xlibsWrapper, libX11, libXi, libXtst, libXrandr, xinput, avahi-compat
, withGUI ? true, wrapQtAppsHook }:
Expand All @@ -14,7 +14,14 @@ stdenv.mkDerivation rec {
sha256 = "1jk60xw4h6s5crha89wk4y8rrf1f3bixgh5mzh3cq3xyrkba41gh";
};

patches = [ ./build-tests.patch
patches = [
./build-tests.patch
(fetchpatch {
name = "CVE-2020-15117.patch";
url = "https://github.com/symless/synergy-core/commit/"
+ "0a97c2be0da2d0df25cb86dfd642429e7a8bea39.patch";
sha256 = "03q8m5n50fms7fjfjgmqrgy9mrxwi9kkz3f3vlrs2x5h21dl6bmj";
})
] ++ lib.optional stdenv.isDarwin ./macos_build_fix.patch;

# Since the included gtest and gmock don't support clang and the
Expand Down

0 comments on commit 9e476fe

Please sign in to comment.