From 29386c74722ff5133ea94f8001063c6355e56688 Mon Sep 17 00:00:00 2001
From: Raphael Robatsch
Date: Mon, 1 Apr 2024 09:01:15 +0200
Subject: [PATCH 1/2] mbedtls_2: 2.28.7 -> 2.28.8

Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.8
Fixes CVE-2024-28960
(cherry picked from commit 92f5f12a72d44c26cde46c033e5ae50419084d62)
---
 pkgs/development/libraries/mbedtls/2.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/mbedtls/2.nix b/pkgs/development/libraries/mbedtls/2.nix
index 97d62fad3ced1..42fb6edae78f2 100644
--- a/pkgs/development/libraries/mbedtls/2.nix
+++ b/pkgs/development/libraries/mbedtls/2.nix
@@ -1,6 +1,6 @@
 { callPackage }:
 callPackage ./generic.nix {
- version = "2.28.7";
- hash = "sha256-JI0Frbz4HkPqrLQNrSIj1ikN8201h4kd1wTwyPotERw=";
+ version = "2.28.8";
+ hash = "sha256-A1DYZrvJ8SRujroVwqPfcTOSgLnT5xRat/RVdq2fL/o=";
 }

From de9919537ef431ad1b1a6f277d43df3ebb71cbde Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Sat, 13 Apr 2024 18:59:44 +0100
Subject: [PATCH 2/2] mbedtls: add patch for CVE-2024-28755

---
 pkgs/development/libraries/mbedtls/3.nix | 10 +++++++++-
 pkgs/development/libraries/mbedtls/generic.nix | 3 +++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/pkgs/development/libraries/mbedtls/3.nix b/pkgs/development/libraries/mbedtls/3.nix
index 267349ac5d7be..abba77308a61c 100644
--- a/pkgs/development/libraries/mbedtls/3.nix
+++ b/pkgs/development/libraries/mbedtls/3.nix
@@ -1,6 +1,14 @@
-{ callPackage }:
+{ callPackage, fetchpatch }:
 callPackage ./generic.nix {
 version = "3.5.2";
 hash = "sha256-lVGmnSYccNmRS6vfF/fDiny5cYRPc/wJBpgciFLPUvM=";
+
+ patches = [
+ (fetchpatch {
+ name = "CVE-2024-28755.patch";
+ url = "https://github.com/Mbed-TLS/mbedtls/commit/ad736991bb59211118a29fe115367c24495300c2.patch";
+ hash = "sha256-MUnGT2ptlBikpZYL6+cvoF7fOiD2vMK4cbkgevgyl60=";
+ })
+ ];
 }
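Review bot: The fetchpatch entry in the 3.nix hunk records nothing about when it can be retired, so the next version bump will have to rediscover whether the upstream commit is already contained in the new release; a comment above the `patches` attribute such as `# backported fix for CVE-2024-28755; drop once the packaged release already contains upstream commit ad736991` would make that explicit. The patch is pinned by its fetchpatch hash, so the content fetched from the commit URL is fixed and any upstream rewrite of the patch would fail the build rather than silently change what is applied. The commit message does not say whether the 2.28 series built from 2.nix is affected by CVE-2024-28755 or why no patch is added there; presumably it is not affected, but a one-line note in the commit message or next to the patch would save reviewers from having to verify that themselves.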
diff --git a/pkgs/development/libraries/mbedtls/generic.nix b/pkgs/development/libraries/mbedtls/generic.nix
index 2e79a593b7c31..045f59b269eda 100644
--- a/pkgs/development/libraries/mbedtls/generic.nix
+++ b/pkgs/development/libraries/mbedtls/generic.nix
@@ -3,6 +3,7 @@
 , version
 , hash
 , fetchFromGitHub
+, patches ? []
 , cmake
 , ninja
@@ -23,6 +24,8 @@ stdenv.mkDerivation rec {
 inherit hash;
 };
+ inherit patches;
+
 nativeBuildInputs = [ cmake ninja perl python3 ];
 strictDeps = true;