ipsecTools: add patch to fix CVE-2016-10396

1 files changed, 9 insertions, 3 deletions

diff --git a/pkgs/os-specific/linux/ipsec-tools/default.nix b/pkgs/os-specific/linux/ipsec-tools/default.nix
index 466ecb1efee..30bd51473b5 100644
--- a/pkgs/os-specific/linux/ipsec-tools/default.nix
+++ b/pkgs/os-specific/linux/ipsec-tools/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, linuxHeaders, readline, openssl, flex, kerberos, pam }:
+{ stdenv, fetchurl, fetchpatch, linuxHeaders, readline, openssl, flex, kerberos, pam }:
 
 # TODO: These tools are supposed to work under NetBSD and FreeBSD as
 # well, so I guess it's not appropriate to place this expression in
@@ -16,8 +16,14 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ readline openssl flex kerberos pam ];
 
-  patches = [ ./dont-create-localstatedir-during-install.patch
-              ./CVE-2015-4047.patch ];
+  patches = [
+    ./dont-create-localstatedir-during-install.patch
+    ./CVE-2015-4047.patch
+    (fetchpatch {
+      url = "https://anonscm.debian.org/cgit/pkg-ipsec-tools/pkg-ipsec-tools.git/plain/debian/patches/CVE-2016-10396.patch?id=62ac12648a4eb7c5ba5dba0f81998d1acf310d8b";
+      sha256 = "1kf7j2pf1blni52z7q41n0yisqb7gvk01lvldr319zaxxg7rm84a";
+    })
+  ];
 
   # fix build with newer gcc versions
   preConfigure = ''substituteInPlace configure --replace "-Werror" "" '';