libxslt: fix CVE-2015-7995 by upstream patch

1 files changed, 10 insertions, 3 deletions

diff --git a/pkgs/development/libraries/libxslt/default.nix b/pkgs/development/libraries/libxslt/default.nix
index 3579e99ec7a..9aa70ea0471 100644
--- a/pkgs/development/libraries/libxslt/default.nix
+++ b/pkgs/development/libraries/libxslt/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, libxml2, findXMLCatalogs }:
+{ stdenv, fetchurl, fetchpatch, libxml2, findXMLCatalogs }:
 
 stdenv.mkDerivation rec {
   name = "libxslt-1.1.28";
@@ -8,14 +8,21 @@ stdenv.mkDerivation rec {
     sha256 = "13029baw9kkyjgr7q3jccw2mz38amq7mmpr5p3bh775qawd1bisz";
   };
 
+  patches = stdenv.lib.optional stdenv.isSunOS ./patch-ah.patch
+    ++ [
+      (fetchpatch {
+        name = "CVE-2015-7995.patch";
+        url = "http://git.gnome.org/browse/libxslt/patch/?id=7ca19df892ca22";
+        sha256 = "1xzg0q94dzbih9nvqp7g9ihz0a3qb0w23l1158m360z9smbi8zbd";
+      })
+    ];
+
   outputs = [ "out" "doc" ];
 
   buildInputs = [ libxml2 ];
 
   propagatedBuildInputs = [ findXMLCatalogs ];
 
-  patches = stdenv.lib.optionals stdenv.isSunOS [ ./patch-ah.patch ];
-
   configureFlags = [
     "--with-libxml-prefix=${libxml2}"
     "--without-python"