gnu: zstd: Downgrade to 1.4.4 and make security graft saner.

* gnu/packages/patches/zstd-CVE-2021-24031_CVE-2021-24032.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/compression.scm (zstd-1.4.9): Remove. (zstd/fixed): New variable. Apply patch. (zstd)[replacement]: Graft with zstd/fixed.
2025-10-02 02:15:12 +00:00 · 2021-03-30 02:10:19 +02:00 · 2021-03-30 02:10:19 +02:00 · 9feef62b73
commit 9feef62b73
parent aae012e91e
3 changed files with 76 additions and 12 deletions
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@ -1409,7 +1409,7 @@ or junctions, and always follows hard links.")
                           "v" version "/zstd-" version ".tar.gz"))
       (sha256
        (base32 "05ckxap00qvc0j51d3ci38150cxsw82w7s9zgd5fgzspnzmp1vsr"))))
-    (replacement zstd-1.4.9)
+    (replacement zstd/fixed)
    (build-system gnu-build-system)
    (outputs '("out"                    ;1.2MiB executables and documentation
               "lib"                    ;1.2MiB shared library and headers
@ -1469,21 +1469,16 @@ speed.")
                   license:public-domain ; zlibWrapper/examples/fitblk*
                   license:zlib))))      ; zlibWrapper/{gz*.c,gzguts.h}

-(define-public zstd-1.4.9
+(define zstd/fixed
  (package
    (inherit zstd)
-    (name "zstd")
-    (version "1.4.9")
    (source
     (origin
-       (method url-fetch)
-       (uri (string-append "https://github.com/facebook/zstd/releases/download/"
-                           "v" version "/zstd-" version ".tar.gz"))
-       (sha256
-        (base32 "14yj7309gsvg39rki4xqnd6w5idmqi0655v1fc0mk1m2kvhp9b19"))))
-    (arguments
-     (substitute-keyword-arguments (package-arguments zstd)
-       ((#:tests? _ #t) #f)))))
+       (inherit (package-source zstd))
+       (patches
+        (search-patches
+         ;; From Ubuntu focal-security
+         "zstd-CVE-2021-24031_CVE-2021-24032.patch"))))))

 (define-public pzstd
  (package/inherit zstd