libconfuse: add patch for CVE-2022-40320

2023-01-07 13:48:16 +00:00 · 2023-01-07 13:48:16 +00:00 · 764a1d3752
commit 764a1d3752
parent ac7445e754
1 changed files with 19 additions and 1 deletions
--- a/pkgs/development/libraries/libconfuse/default.nix
+++ b/pkgs/development/libraries/libconfuse/default.nix
@ -1,4 +1,10 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook, flex }:
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, autoreconfHook
+, flex
+}:

 stdenv.mkDerivation rec {
  pname = "libconfuse";
@ -11,6 +17,18 @@ stdenv.mkDerivation rec {
    owner = "martinh";
  };

+  patches = [
+    (fetchpatch {
+      name = "CVE-2022-40320.patch";
+      urls = [
+        "https://sources.debian.org/data/main/libc/libconfuse/3.3-3/debian/patches/CVE-2022-40320.patch"
+        # files on sources.debian.org can disappear
+        "https://web.archive.org/web/20230107133212/https://sources.debian.org/data/main/libc/libconfuse/3.3-3/debian/patches/CVE-2022-40320.patch"
+      ];
+      sha256 = "sha256-ftfE9JFz4nyRSOb2xHb9BAtgWn5Yv2WLm4RegDLtiBw=";
+    })
+  ];
+
  postPatch = ''
    substituteInPlace tests/Makefile.am \
      --replace 'TESTS            += empty_string' "" \