7 files changed, 85 insertions, 5 deletions
diff --git a/pkgs/tools/archivers/fsarchiver/default.nix b/pkgs/tools/archivers/fsarchiver/default.nix
new file mode 100644
index 0000000000000..cb73233dcb460
--- /dev/null
+++ b/pkgs/tools/archivers/fsarchiver/default.nix
@@ -0,0 +1,43 @@
+{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig
+, zlib, bzip2, lzma, lzo, lz4, zstd, xz
+, libgcrypt, e2fsprogs, utillinux, libgpgerror }:
+
+let
+  version = "0.8.5";
+
+in stdenv.mkDerivation {
+  name = "fsarchiver-${version}";
+
+  src = fetchFromGitHub {
+    owner = "fdupoux";
+    repo = "fsarchiver";
+    rev = version;
+    sha256 = "1rvwq5v3rl14bqxjm1ibfapyicf0sa44nw7451v10kx39lp56ylp";
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook pkgconfig
+  ];
+
+  buildInputs = [
+    zlib bzip2 lzma lzo lz4 zstd xz
+    libgcrypt e2fsprogs utillinux libgpgerror
+  ];
+
+  meta = with stdenv.lib; {
+    description = "File system archiver for linux";
+    longDescription = ''
+      FSArchiver is a system tool that allows you to save the contents of a
+      file-system to a compressed archive file. The file-system can be restored
+      on a partition which has a different size and it can be restored on a
+      different file-system. Unlike tar/dar, FSArchiver also creates the
+      file-system when it extracts the data to partitions. Everything is
+      checksummed in the archive in order to protect the data. If the archive is
+      corrupt, you just loose the current file, not the whole archive.
+    '';
+    homepage = http://www.fsarchiver.org/;
+    license = licenses.lgpl2;
+    maintainers = [ maintainers.etu ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/tools/archivers/gnutar/default.nix b/pkgs/tools/archivers/gnutar/default.nix
index 5633a9fa152f6..a6f5052ad08ae 100644
--- a/pkgs/tools/archivers/gnutar/default.nix
+++ b/pkgs/tools/archivers/gnutar/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   name = "gnutar-${version}";
-  version = "1.30";
+  version = "1.31";
 
   src = fetchurl {
     url = "mirror://gnu/tar/tar-${version}.tar.xz";
-    sha256 = "1lyjyk8z8hdddsxw0ikchrsfg3i0x3fsh7l63a8jgaz1n7dr5gzi";
+    sha256 = "1h9dxhjhz1jnyhmh6jfhqw1g1sxqbg3cd32vpwg7x2xxxqffzwrp";
   };
 
   # avoid retaining reference to CF during stdenv bootstrap
diff --git a/pkgs/tools/archivers/rpmextract/default.nix b/pkgs/tools/archivers/rpmextract/default.nix
index 8d4d5fd8dddd4..6d5041c52d031 100644
--- a/pkgs/tools/archivers/rpmextract/default.nix
+++ b/pkgs/tools/archivers/rpmextract/default.nix
@@ -10,6 +10,7 @@ stdenv.mkDerivation rec {
   script = substituteAll {
     src = ./rpmextract.sh;
     inherit rpm cpio;
+    inherit (stdenv) shell;
   };
 
   meta = with stdenv.lib; {
diff --git a/pkgs/tools/archivers/rpmextract/rpmextract.sh b/pkgs/tools/archivers/rpmextract/rpmextract.sh
index 04f57f6e6045a..6ebfa251955d4 100644
--- a/pkgs/tools/archivers/rpmextract/rpmextract.sh
+++ b/pkgs/tools/archivers/rpmextract/rpmextract.sh
@@ -1,4 +1,4 @@
-#!/bin/sh -e
+#!@shell@ -e
 
 if [ "$1" = "" ]; then
   echo "usage: rpmextract package_name..." 1>&2
diff --git a/pkgs/tools/archivers/unzip/CVE-2018-18384.patch b/pkgs/tools/archivers/unzip/CVE-2018-18384.patch
new file mode 100644
index 0000000000000..e9320e125cf64
--- /dev/null
+++ b/pkgs/tools/archivers/unzip/CVE-2018-18384.patch
@@ -0,0 +1,35 @@
+--- unzip60/list.c	
++++ unzip60/list.c	
+@@ -97,7 +97,7 @@ int list_files(__G)    /* return PK-type
+ {
+     int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
+ #ifndef WINDLL
+-    char sgn, cfactorstr[10];
++    char sgn, cfactorstr[1+10+1+1];	/* <sgn><int>%NUL */
+     int longhdr=(uO.vflag>1);
+ #endif
+     int date_format;
+@@ -389,9 +389,9 @@ int list_files(__G)    /* return PK-type
+             }
+ #else /* !WINDLL */
+             if (cfactor == 100)
+-                sprintf(cfactorstr, LoadFarString(CompFactor100));
++                snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100));
+             else
+-                sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);
++                snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor);
+             if (longhdr)
+                 Info(slide, 0, ((char *)slide, LoadFarString(LongHdrStats),
+                   FmZofft(G.crec.ucsize, "8", "u"), methbuf,
+@@ -471,9 +471,9 @@ int list_files(__G)    /* return PK-type
+ 
+ #else /* !WINDLL */
+         if (cfactor == 100)
+-            sprintf(cfactorstr, LoadFarString(CompFactor100));
++            snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100));
+         else
+-            sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);
++            snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor);
+         if (longhdr) {
+             Info(slide, 0, ((char *)slide, LoadFarString(LongFileTrailer),
+               FmZofft(tot_ucsize, "8", "u"), FmZofft(tot_csize, "8", "u"),
diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix
index 7c4bb988b6291..cdf189e82df55 100644
--- a/pkgs/tools/archivers/unzip/default.nix
+++ b/pkgs/tools/archivers/unzip/default.nix
@@ -24,6 +24,7 @@ stdenv.mkDerivation {
     ./CVE-2015-7697.diff
     ./CVE-2014-9913.patch
     ./CVE-2016-9844.patch
+    ./CVE-2018-18384.patch
     ./dont-hardcode-cc.patch
   ] ++ stdenv.lib.optional enableNLS
     (fetchurl {
diff --git a/pkgs/tools/archivers/wimlib/default.nix b/pkgs/tools/archivers/wimlib/default.nix
index dbf3d91f37aae..8fdb75892e804 100644
--- a/pkgs/tools/archivers/wimlib/default.nix
+++ b/pkgs/tools/archivers/wimlib/default.nix
@@ -8,7 +8,7 @@
 }:
 
 stdenv.mkDerivation rec {
-  version = "1.12.0";
+  version = "1.13.0";
   name = "wimlib-${version}";
 
   nativeBuildInputs = [ pkgconfig makeWrapper ];
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "https://wimlib.net/downloads/${name}.tar.gz";
-    sha256 = "852cf59d682a91974f715f09fa98cab621b740226adcfea7a42360be0f86464f";
+    sha256 = "02wpsxjlw9vysj6x6q7kmvbcdkpvdzw201mmj5x0q670mapjrnai";
   };
 
   preBuild = ''