From 657fc6d5d8b6cf4aa11b8647878e395ce7dc0b0a Mon Sep 17 00:00:00 2001
From: Martin Weinelt <hexa@darmstadt.ccc.de>
Date: Mon, 28 Mar 2022 16:10:40 +0200
Subject: powerdns: apply patch for ixfr validation issue

The PowerDNS version we ship on release-21.11 went EOL in january, so
there are no explicit patches for 4.3.1, however the patches for 4.4.2
apply cleanly and the tests are still passing.

https://blog.powerdns.com/2022/03/25/security-advisory-2022-01-for-powerdns-authoritative-server-4-4-2-4-5-3-4-6-0-and-powerdns-recursor-4-4-7-4-5-7-4-6-0/

Fixes: CVE-2022-27227
---
 pkgs/servers/dns/powerdns/default.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkgs/servers/dns/powerdns/default.nix b/pkgs/servers/dns/powerdns/default.nix
index cc7bb3317fd4..6a6b80bcd6c4 100644
--- a/pkgs/servers/dns/powerdns/default.nix
+++ b/pkgs/servers/dns/powerdns/default.nix
@@ -18,6 +18,12 @@ stdenv.mkDerivation rec {
       url = "https://github.com/PowerDNS/pdns/commit/05c9dd77b28.diff";
       sha256 = "1m9szbi02h9kcabgw3kb8k9qrb54d34z0qzizrlfiw3hxs6c2zql";
     })
+    (fetchurl {
+      # Fixes incomplete validation of incoming IXFR transfers
+      name = "CVE-2022-27227.patch";
+      url = "https://downloads.powerdns.com/patches/2022-01/pdns-4.4.2-xfr.patch";
+      hash = "sha256-WFycHFmDX6MvbOS9WDv+wx0rog7xkSGe/sxSVMWREOA=";
+    })
   ];
 
   nativeBuildInputs = [ pkg-config ];
-- 
cgit v1.2.3