opentsdb: fix CVE-2020-35476

This contribution pulls in the patch fixing CVE-2020-35476. The fix is also included in the 2.4.1 version but the upgrade requires more work: a tarball with all the third party tools is no more provided. The build process attempts to get them during the build which fail. https://github.com/advisories/GHSA-hv53-q76c-7f8c
2021-09-14 10:15:08 +02:00 · 2021-09-14 10:15:08 +02:00 · b9608ec767
commit b9608ec767
parent 7a36468853
1 changed files with 9 additions and 4 deletions
--- a/pkgs/tools/misc/opentsdb/default.nix
+++ b/pkgs/tools/misc/opentsdb/default.nix
@ -1,4 +1,4 @@
-{ lib, stdenv, autoconf, automake, curl, fetchurl, jdk8, makeWrapper, nettools
+{ lib, stdenv, autoconf, automake, curl, fetchurl, fetchpatch, jdk8, makeWrapper, nettools
 , python, git
 }:

@ -13,6 +13,14 @@ stdenv.mkDerivation rec {
    sha256 = "0b0hilqmgz6n1q7irp17h48v8fjpxhjapgw1py8kyav1d51s7mm2";
  };

+  patches = [
+    (fetchpatch {
+      name = "CVE-2020-35476.patch";
+      url = "https://github.com/OpenTSDB/opentsdb/commit/b89fded4ee326dc064b9d7e471e9f29f7d1dede9.patch";
+      sha256 = "1vb9m0a4fsjqcjagiypvkngzgsw4dil8jrlhn5xbz7rwx8x96wvb";
+    })
+  ];
+
  nativeBuildInputs = [ makeWrapper ];
  buildInputs = [ autoconf automake curl jdk nettools python git ];

@ -33,8 +41,5 @@ stdenv.mkDerivation rec {
    license = licenses.lgpl21Plus;
    platforms = lib.platforms.linux;
    maintainers = [ ];
-    knownVulnerabilities = [
-      "CVE-2020-35476" # https://github.com/OpenTSDB/opentsdb/issues/2051
-    ];
  };
 }