authorVladimír Čunát <vcunat@gmail.com>2014-08-21 20:28:25 +0200
committerVladimír Čunát <vcunat@gmail.com>2014-08-21 20:35:21 +0200
commit380ba438ee17ccea1db1247f04583597241c7f4b (patch)
tree4de86e8742f1ae95eebd882c0f25acc872084a0a /pkgs/development/libraries/libtar
parentd2539c6ff59fc3716637f11e475c6011462b264b (diff)
libtar: fix CVE-2013-4420 by Debian patches
CC maintainer @bjornfor.
Diffstat (limited to 'pkgs/development/libraries/libtar')
-rw-r--r--pkgs/development/libraries/libtar/default.nix17
1 files changed, 15 insertions, 2 deletions
diff --git a/pkgs/development/libraries/libtar/default.nix b/pkgs/development/libraries/libtar/default.nix
index 7a8dfa7a622..212a3a23939 100644
--- a/pkgs/development/libraries/libtar/default.nix
+++ b/pkgs/development/libraries/libtar/default.nix
@@ -1,9 +1,9 @@
-{ stdenv, fetchgit, autoreconfHook }:
+{ stdenv, fetchgit, fetchpatch, autoreconfHook }:
 
 stdenv.mkDerivation rec {
   version = "1.2.20";
   name = "libtar-${version}";
-  
+
   # Maintenance repo for libtar (Arch Linux uses this)
   src = fetchgit {
     url = "git://repo.or.cz/libtar.git";
@@ -11,6 +11,19 @@ stdenv.mkDerivation rec {
     sha256 = "1pjsqnqjaqgkzf1j8m6y5h76bwprffsjjj6gk8rh2fjsha14rqn9";
   };
 
+  patches = let
+    fp =  name: sha256:
+      fetchpatch {
+        url = "http://sources.debian.net/data/main/libt/libtar/1.2.20-4/debian/patches/${name}.patch";
+        inherit sha256;
+      };
+    in [
+      (fp "no_static_buffers"         "0yv90bhvqjj0v650gzn8fbzhdhzx5z0r1lh5h9nv39wnww435bd0")
+      (fp "no_maxpathlen"             "11riv231wpbdb1cm4nbdwdsik97wny5sxcwdgknqbp61ibk572b7")
+      (fp "CVE-2013-4420"             "0d010190bqgr2ggy02qwxvjaymy9a22jmyfwdfh4086v876cbxpq")
+      (fp "th_get_size-unsigned-int"  "1ravbs5yrfac98mnkrzciw9hd2fxq4dc07xl3wx8y2pv1bzkwm41")
+    ];
+
   buildInputs = [ autoreconfHook ];
 
   meta = with stdenv.lib; {
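Review bot: The `fp` helper in the new `patches` list fetches from a plain `http://` URL, so the four `sha256` pins are the only thing vouching for the patch contents. That is enough for integrity, since a mismatching download fails the fixed-output fetch, but it deserves a comment, and the scheme could become `https://` if the host serves it. The list also does not say why the three patches other than `CVE-2013-4420` are applied. A comment such as `# From Debian's 1.2.20-4 patch series; CVE-2013-4420.patch is the security fix` would help, ideally also stating whether the others are prerequisites for it, which cannot be told from this hunk. As a smaller style point, the lambda parameter `name` shadows the derivation's own `name` inside the `rec` set; `patchName` would avoid the ambiguity. The `mkDerivation` block starts and ends outside this hunk.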