libconfuse: add patch for CVE-2022-40320

(cherry picked from commit 764a1d3752ee90998eaa01d42be3f4e6c68beb6e)
author: Robert Scott <code@humanleg.org.uk> 2023-01-07 13:48:16 +0000
committer: github-actions[bot] <github-actions[bot]@users.noreply.github.com> 2023-01-08 16:06:09 +0000
commit: 09a9af3d1bf0db2d8d6ae5d2fff84f126e4af9cd (patch)
tree: 11c9b542eaeab2d66b5213d33dd8fb31a88f3f03
parent: 3f3c12856bbdd15a2121eecf959cf9219158a9e5 (diff)
1 files changed, 19 insertions, 1 deletions
diff --git a/pkgs/development/libraries/libconfuse/default.nix b/pkgs/development/libraries/libconfuse/default.nix
index 7545fe9617cc..91a5a2f26f87 100644
--- a/pkgs/development/libraries/libconfuse/default.nix
+++ b/pkgs/development/libraries/libconfuse/default.nix
@@ -1,4 +1,10 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook, flex }:
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, autoreconfHook
+, flex
+}:
 
 stdenv.mkDerivation rec {
   pname = "libconfuse";
@@ -11,6 +17,18 @@ stdenv.mkDerivation rec {
     owner = "martinh";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2022-40320.patch";
+      urls = [
+        "https://sources.debian.org/data/main/libc/libconfuse/3.3-3/debian/patches/CVE-2022-40320.patch"
+        # files on sources.debian.org can disappear
+        "https://web.archive.org/web/20230107133212/https://sources.debian.org/data/main/libc/libconfuse/3.3-3/debian/patches/CVE-2022-40320.patch"
+      ];
+      sha256 = "sha256-ftfE9JFz4nyRSOb2xHb9BAtgWn5Yv2WLm4RegDLtiBw=";
+    })
+  ];
+
   postPatch = ''
     substituteInPlace tests/Makefile.am \
       --replace 'TESTS            += empty_string' "" \
author	Robert Scott <code@humanleg.org.uk>	2023-01-07 13:48:16 +0000
committer	github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2023-01-08 16:06:09 +0000
commit	09a9af3d1bf0db2d8d6ae5d2fff84f126e4af9cd (patch)
tree	11c9b542eaeab2d66b5213d33dd8fb31a88f3f03
parent	3f3c12856bbdd15a2121eecf959cf9219158a9e5 (diff)