transmission: fix RCE via dns rebinding attach

For further details see [1] & [2].

[1] https://github.com/transmission/transmission/pull/468
[2] http://www.openwall.com/lists/oss-security/2018/01/12/1

1 files changed, 11 insertions, 1 deletions

diff --git a/pkgs/applications/networking/p2p/transmission/default.nix b/pkgs/applications/networking/p2p/transmission/default.nix
index d2bbef7f581..3c5fb499a8b 100644
--- a/pkgs/applications/networking/p2p/transmission/default.nix
+++ b/pkgs/applications/networking/p2p/transmission/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, intltool, file, wrapGAppsHook
+{ stdenv, fetchurl, fetchpatch, pkgconfig, intltool, file, wrapGAppsHook
 , openssl, curl, libevent, inotify-tools, systemd, zlib
 , enableGTK3 ? false, gtk3
 , enableSystemd ? stdenv.isLinux
@@ -27,6 +27,16 @@ stdenv.mkDerivation rec {
     ++ optionals enableSystemd [ systemd ]
     ++ optionals stdenv.isLinux [ inotify-tools ];
 
+  patches = [
+    (fetchpatch {
+      # See https://github.com/transmission/transmission/pull/468
+      # Patch from: https://github.com/transmission/transmission/pull/468#issuecomment-357098126
+      name = "transmission-fix-dns-rebinding-vuln.patch";
+      url = https://github.com/transmission/transmission/files/1624507/transmission-fix-dns-rebinding-vuln.patch.txt;
+      sha256 = "1p9m20kp4kdyp5jjr3yp5px627n8cfa29mg5n3wzsdfv0qzk9gy4";
+    })
+  ];
+
   postPatch = ''
     substituteInPlace ./configure \
       --replace "libsystemd-daemon" "libsystemd" \