authorMikael Fangel <34864484+MikaelFangel@users.noreply.github.com>2023-10-09 02:34:58 +0200
committerMikael Fangel <34864484+MikaelFangel@users.noreply.github.com>2023-10-09 22:18:07 +0200
commitb153175ff3781be08a4a4075757a4aa457a73e71 (patch)
tree955292c391562109a0789602a0251d45f5291cdb /pkgs/servers/sip
parent961e8be9ea254565380d3ca8a65a87cfd6296d73 (diff)
freeswitch: patch CVE-2023-5217 and CVE-2023-44488
Co-authored-by: éclairevoyant <848000+eclairevoyant@users.noreply.github.com>
Co-authored-by: Thomas Gerbet <thomas@gerbet.me>
Diffstat (limited to 'pkgs/servers/sip')
-rw-r--r--pkgs/servers/sip/freeswitch/default.nix44
1 files changed, 37 insertions, 7 deletions
diff --git a/pkgs/servers/sip/freeswitch/default.nix b/pkgs/servers/sip/freeswitch/default.nix
index 499bef7e237..55721a38cd8 100644
--- a/pkgs/servers/sip/freeswitch/default.nix
+++ b/pkgs/servers/sip/freeswitch/default.nix
@@ -1,12 +1,28 @@
-{ fetchFromGitHub, stdenv, lib, pkg-config, autoreconfHook
-, ncurses, gnutls, readline
-, openssl, perl, sqlite, libjpeg, speex, pcre, libuuid
-, ldns, libedit, yasm, which, libsndfile, libtiff, libxcrypt
-
+{ fetchFromGitHub
+, fetchpatch
+, stdenv
+, lib
+, pkg-config
+, autoreconfHook
+, ncurses
+, gnutls
+, readline
+, openssl
+, perl
+, sqlite
+, libjpeg
+, speex
+, pcre
+, libuuid
+, ldns
+, libedit
+, yasm
+, which
+, libsndfile
+, libtiff
+, libxcrypt
 , callPackage
-
 , SystemConfiguration
-
 , modules ? null
 , nixosTests
 }:
@@ -110,6 +126,20 @@ stdenv.mkDerivation rec {
     done
   '';
 
+  ## TODO Validate with the next upstream release
+  patches = [
+    (fetchpatch {
+       name = "CVE-2023-44488.patch";
+       url = "https://github.com/signalwire/freeswitch/commit/f1fb05214e4f427dcf922f531431ab649cf0622b.patch";
+       hash = "sha256-6GMebE6O2EBx60NE2LSRVljaiLm9T4zTrkIpwGvaB08=";
+     })
+    (fetchpatch {
+       name = "CVE-2023-5217.patch";
+       url = "https://github.com/signalwire/freeswitch/commit/6f9e72c585265d8def8a613b36cd4f524c201980.patch";
+       hash = "sha256-l64mBpyq/TzRM78n73kbuD0UNsk5zIH5QNJlMKdPfr4=";
+     })
+  ];
+
   strictDeps = true;
   nativeBuildInputs = [ pkg-config autoreconfHook perl which yasm ];
   buildInputs = [
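Review bot: The `## TODO Validate with the next upstream release` comment above `patches` does not say what is being validated or when the two `fetchpatch` entries can be removed, so a later version bump may either keep stale patches that no longer apply or drop them before the fixes have shipped. I would replace it with something like `# Backports of upstream commits f1fb05214e4f and 6f9e72c58526 (CVE-2023-44488, CVE-2023-5217); remove once the packaged version contains both.` Both CVEs are libvpx issues, so the patches presumably touch a libvpx copy vendored in the freeswitch tree. It is worth confirming that the build links that copy and not a separately packaged libvpx, and saying so in the comment. Pinning each patch by `hash` is good, since a changed upstream response fails the build instead of being applied silently. The `mkDerivation` body starts and ends outside this hunk.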