Jasper has been marked insecure for a while, and upstream has not been responsive to CVEs for over a year. Fixes #55388. Signed-off-by: David Anderson <dave@natulte.net>wip/yesman
parent
9c11454182
commit
3a38cef8f9
@ -1,51 +0,0 @@ |
||||
{ stdenv, fetchFromGitHub, fetchpatch, libjpeg, cmake }: |
||||
|
||||
stdenv.mkDerivation rec { |
||||
pname = "jasper"; |
||||
version = "2.0.16"; |
||||
|
||||
src = fetchFromGitHub { |
||||
repo = "jasper"; |
||||
owner = "mdadams"; |
||||
rev = "version-${version}"; |
||||
sha256 = "05l75yd1zsxwv25ykwwwjs8961szv7iywf16nc6vc6qpby27ckv6"; |
||||
}; |
||||
|
||||
patches = [ |
||||
(fetchpatch { |
||||
name = "CVE-2018-9055.patch"; |
||||
url = "http://paste.opensuse.org/view/raw/330751ce"; |
||||
sha256 = "0m798m6c4v9yyhql7x684j5kppcm6884n1rrb9ljz8p9aqq2jqnm"; |
||||
}) |
||||
]; |
||||
|
||||
|
||||
# newer reconf to recognize a multiout flag |
||||
nativeBuildInputs = [ cmake ]; |
||||
propagatedBuildInputs = [ libjpeg ]; |
||||
|
||||
configureFlags = [ "--enable-shared" ]; |
||||
|
||||
outputs = [ "bin" "dev" "out" "man" ]; |
||||
|
||||
enableParallelBuilding = true; |
||||
|
||||
doCheck = false; # fails |
||||
|
||||
postInstall = '' |
||||
moveToOutput bin "$bin" |
||||
''; |
||||
|
||||
meta = with stdenv.lib; { |
||||
homepage = "https://www.ece.uvic.ca/~frodo/jasper/"; |
||||
description = "JPEG2000 Library"; |
||||
platforms = platforms.unix; |
||||
license = licenses.jasper; |
||||
maintainers = with maintainers; [ pSub ]; |
||||
knownVulnerabilities = [ |
||||
"Numerous CVE unsolved upstream" |
||||
"See: https://github.com/NixOS/nixpkgs/pull/57681#issuecomment-475857499" |
||||
"See: https://github.com/mdadams/jasper/issues/208" |
||||
]; |
||||
}; |
||||
} |
Loading…
Reference in new issue