author | Thomas Gerbet <thomas@gerbet.me> | 2024-04-27 14:47:20 +0200 |
---|---|---|
committer | Thomas Gerbet <thomas@gerbet.me> | 2024-04-27 14:55:30 +0200 |
commit | 887d63ed7d25af94ceca37c6bc56db0a25ea5ea7 (patch) | |
tree | 237294e0fc7bdddddf28ae44261e7216eb2bdede /pkgs/applications | |
parent | 41ea4d332aef73f273e0218405dece419b93a5e1 (diff) |
octoprint: apply patch for CVE-2024-28237
The 1.10.0 upgrade from #306861 seems to be too big to be safely backported. I also did not backport the fix for CVE-2024-23637: it is split across a series of patches and touches quite sensitive parts of OctoPrint. I am not confident enough to backport it, and exploiting the issue requires admin-level access.
Diffstat (limited to 'pkgs/applications')
-rw-r--r-- | pkgs/applications/misc/octoprint/default.nix | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/pkgs/applications/misc/octoprint/default.nix b/pkgs/applications/misc/octoprint/default.nix
index e7daa60198d11..6920a8f3bbbe3 100644
--- a/pkgs/applications/misc/octoprint/default.nix
+++ b/pkgs/applications/misc/octoprint/default.nix
@@ -4,6 +4,7 @@
 , lib
 , fetchFromGitHub
 , fetchPypi
+, fetchpatch
 , python3
 , substituteAll
 , nix-update-script
@@ -188,6 +189,13 @@ let
 src = ./ffmpeg-path.patch;
 ffmpeg = "${pkgs.ffmpeg}/bin/ffmpeg";
 })
+
+ (fetchpatch {
+ # https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c
+ name = "CVE-2024-28237.patch";
+ url = "https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517.patch";
+ hash = "sha256-JtZSEbzkvVl1yz1fjJN1BCVIRSx3ZiLsj01dh+xchyM=";
+ })
 ];
 postPatch = |
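Review bot: The new fetchpatch entry records only the advisory URL, so the next maintainer bumping the package has no way to tell from the file when this backport becomes redundant or which upstream version carries the fix; add a second comment line such as `# CVE-2024-28237 backport; drop once the package is updated to a release that includes this commit (upstream fixed it in the 1.10.x line per the advisory — confirm on update)`. The commit message also states that CVE-2024-23637 was deliberately left unpatched, but nothing in the derivation reflects that, so consumers of this channel cannot see it; consider recording it, e.g. via `meta.knownVulnerabilities = [ "CVE-2024-23637" ];` or at least a comment next to `patches` referencing the commit, depending on how severe the project considers an admin-only issue. The pinned commit URL plus the SRI hash is the right way to fetch the patch, and nothing else in the hunk needs changing. The enclosing `patches` list begins before this hunk.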