opentsdb: fix CVE-2020-35476

This contribution pulls in the patch fixing CVE-2020-35476.
The fix is also included in the 2.4.1 version but the upgrade requires
more work: a tarball with all the third party tools is no more provided.
The build process attempts to get them during the build which fail.

https://github.com/advisories/GHSA-hv53-q76c-7f8c

1 files changed, 9 insertions, 4 deletions

diff --git a/pkgs/tools/misc/opentsdb/default.nix b/pkgs/tools/misc/opentsdb/default.nix
index 678c2607b614..bc7baa55fecd 100644
--- a/pkgs/tools/misc/opentsdb/default.nix
+++ b/pkgs/tools/misc/opentsdb/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, autoconf, automake, curl, fetchurl, jdk8, makeWrapper, nettools
+{ lib, stdenv, autoconf, automake, curl, fetchurl, fetchpatch, jdk8, makeWrapper, nettools
 , python, git
 }:
 
@@ -13,6 +13,14 @@ stdenv.mkDerivation rec {
     sha256 = "0b0hilqmgz6n1q7irp17h48v8fjpxhjapgw1py8kyav1d51s7mm2";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2020-35476.patch";
+      url = "https://github.com/OpenTSDB/opentsdb/commit/b89fded4ee326dc064b9d7e471e9f29f7d1dede9.patch";
+      sha256 = "1vb9m0a4fsjqcjagiypvkngzgsw4dil8jrlhn5xbz7rwx8x96wvb";
+    })
+  ];
+
   nativeBuildInputs = [ makeWrapper ];
   buildInputs = [ autoconf automake curl jdk nettools python git ];
 
@@ -33,8 +41,5 @@ stdenv.mkDerivation rec {
     license = licenses.lgpl21Plus;
     platforms = lib.platforms.linux;
     maintainers = [ ];
-    knownVulnerabilities = [
-      "CVE-2020-35476" # https://github.com/OpenTSDB/opentsdb/issues/2051
-    ];
   };
 }