Diffstat (limited to 'pkgs/development/libraries/libwebp/default.nix')
-rw-r--r--pkgs/development/libraries/libwebp/default.nix8
1 files changed, 8 insertions, 0 deletions
diff --git a/pkgs/development/libraries/libwebp/default.nix b/pkgs/development/libraries/libwebp/default.nix
index 39a7ab3ba45..287c0b6b18b 100644
--- a/pkgs/development/libraries/libwebp/default.nix
+++ b/pkgs/development/libraries/libwebp/default.nix
@@ -36,6 +36,14 @@ stdenv.mkDerivation rec {
     hash   = "sha256-Q94avvKjPdwdGt5ADo30cf2V4T7MCTubDHJxTtbG4xQ=";
   };
 
+  patches = [
+    # Commit 902bc919 from upstream, mangled slightly to apply onto 1.3.1.
+    # There is currently (2023-09-12) no confirmation that this is the fix for
+    # CVE-2023-4863, but it is linked to the right crbug, and matches the
+    # description of that (critical sev, exploited in the wild) CVE.
+    ./CVE-2023-4863.patch
+  ];
+
   configureFlags = [
     (lib.enableFeature threadingSupport "threading")
     (lib.enableFeature openglSupport "gl")
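Review bot: The comment above `./CVE-2023-4863.patch` names the upstream fix only by the abbreviated hash 902bc919 and says it was "mangled slightly", so a later reader cannot easily diff the vendored patch against upstream to confirm that only the backport adjustments differ. I would record the full reference and what was altered, e.g. `# Upstream: <full upstream commit URL>; only context lines adjusted for 1.3.1.`, if that is in fact the extent of the change. Since the comment itself says the link to the CVE is unconfirmed as of 2023-09-12, a removal condition would also help: `# Drop once libwebp is bumped to a release containing this commit; re-check the CVE attribution then.` The enclosing `stdenv.mkDerivation rec {` attribute set starts and ends outside this hunk, so whether `patches` is set or overridden elsewhere in the file cannot be checked from here.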