mirror of
https://github.com/NixOS/nixpkgs.git
synced 2026-07-06 17:13:24 -05:00
arti: add patch for TROVE-2026-024
TROVE: https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
an invalid assumption of ASCII in port policies could allow a malicious
directory cache to crash arti clients. this issue was originally
publicly reported at
https://gitlab.torproject.org/tpo/core/arti/-/merge_requests/4049
and the final fix was merged as
https://gitlab.torproject.org/tpo/core/arti/-/merge_requests/4062. this
allows for DoSing clients, and has been allocated the the TROVE-2026-024
id with medium severity. we fetch the patch for it here, and may upgrade
to 2.4.1 or similar if upstream releases one.
(cherry picked from commit d355b592b8)
This commit is contained in:
parent
ac5764a5e9
commit
eb8720b009
1 changed files with 12 additions and 0 deletions
|
|
@ -3,6 +3,7 @@
|
|||
stdenv,
|
||||
rustPlatform,
|
||||
fetchFromGitLab,
|
||||
fetchpatch,
|
||||
pkg-config,
|
||||
sqlite,
|
||||
openssl,
|
||||
|
|
@ -24,6 +25,17 @@ rustPlatform.buildRustPackage (finalAttrs: {
|
|||
hash = "sha256-YLOdrHstmN2pLl75uclkbpN5h3iBs3xpraZ8XN6R/+Q=";
|
||||
};
|
||||
|
||||
patches = [
|
||||
# Fixes a panic that could allow malicious directory caches to crash
|
||||
# clients.
|
||||
# https://gitlab.torproject.org/tpo/core/arti/-/merge_requests/4062
|
||||
(fetchpatch {
|
||||
name = "TROVE-2026-024.patch";
|
||||
url = "https://gitlab.torproject.org/tpo/core/arti/-/commit/f69be8c70561629e63004788f0aa4bf898025f93.patch";
|
||||
hash = "sha256-P0sXTKOBW7ulqQZwmTVJfrpLksLyaonuDpxGF2keDqE=";
|
||||
})
|
||||
];
|
||||
|
||||
# Working around a bug in cargo that appears with cargo-auditable, see
|
||||
# https://github.com/rust-secure-code/cargo-auditable/issues/124.
|
||||
postPatch = ''
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue