authorFranz Pletz <fpletz@fnordicwalking.de>2017-09-05 13:07:11 +0200
committerFranz Pletz <fpletz@fnordicwalking.de>2017-09-05 13:10:13 +0200
commita46f2062718851ce93baab060149b896ef33c132 (patch)
tree27bf216f12d9449996a8895b8976d82a91a24e44 /pkgs
parentf8ff9a783f7f4d86e49e0c98f5f6107fa08481b5 (diff)
tcpdump: fix multiple CVEs
Fixes CVE-2017-11541, CVE-2017-11542, CVE-2017-11543.

Also fixes a segfault if built with openssl 1.1.
Diffstat (limited to 'pkgs')
-rw-r--r--pkgs/tools/networking/tcpdump/default.nix21
1 files changed, 20 insertions, 1 deletions
diff --git a/pkgs/tools/networking/tcpdump/default.nix b/pkgs/tools/networking/tcpdump/default.nix
index 77e74569ee5..69893f0a832 100644
--- a/pkgs/tools/networking/tcpdump/default.nix
+++ b/pkgs/tools/networking/tcpdump/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, libpcap, enableStatic ? false
+{ stdenv, fetchFromGitHub, fetchpatch, libpcap, enableStatic ? false
 , hostPlatform
 }:
 
@@ -13,6 +13,25 @@ stdenv.mkDerivation rec {
     sha256 = "1vzrvn1q7x28h18yskqc390y357pzpg5xd3pzzj4xz3llnvsr64p";
   };
 
+  patches = [
+    (fetchpatch {
+      url = "http://www.tcpdump.org/pre-4.9.2/PUBLISHED-CVE-2017-11541.patch";
+      sha256 = "1lqg4lbyddnv75wpj0rs2sxz4lb3d1vp8n385i27mrpcxw9qaxia";
+    })
+    (fetchpatch {
+      url = "http://www.tcpdump.org/pre-4.9.2/PUBLISHED-CVE-2017-11542.patch";
+      sha256 = "0vqgmw9i5vr3d4siyrh8mw60jdmp5r66rbjxfmbnwhlfjf4bwxz4";
+    })
+    (fetchpatch {
+      url = "http://www.tcpdump.org/pre-4.9.2/PUBLISHED-CVE-2017-11543.patch";
+      sha256 = "1vk9ncpx0qjja8l69xw5kkvgy9fkcii2n98diazv1yndln2cs26l";
+    })
+    (fetchpatch {
+      url = "http://www.tcpdump.org/pre-4.9.2/PUBLISHED-OpenSSL-1.1-segfault.patch";
+      sha256 = "0mw0jdj5nyg4sviqj7wxwf2492b2bdqmjrvf1k34ak417xfcvy1d";
+    })
+  ];
+
   buildInputs = [ libpcap ];
 
   crossAttrs = {
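Review bot: All four `fetchpatch` URLs in the new `patches` list use plain `http://` and point into a `pre-4.9.2/` directory, which looks like a pre-release staging location that may disappear later. The pinned `sha256` values mean a download altered in transit fails the build instead of being applied, so this is a question of availability and hygiene rather than integrity. Prefer `https://` if the host serves it. Also add a comment above `patches = [`, such as `# upstream security fixes from the pre-release directory; drop once updated to a release that includes them`, so the list is not carried forward by accident. The `mkDerivation` body continues outside the hunk.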