1 files changed, 29 insertions, 3 deletions

diff --git a/pkgs/servers/mail/rspamd/default.nix b/pkgs/servers/mail/rspamd/default.nix
index 579a664e637..eb96fa9738e 100644
--- a/pkgs/servers/mail/rspamd/default.nix
+++ b/pkgs/servers/mail/rspamd/default.nix
@@ -1,6 +1,23 @@
-{ stdenv, lib, fetchFromGitHub, cmake, perl
-, glib, luajit, openssl, pcre, pkg-config, sqlite, ragel, icu
-, hyperscan, jemalloc, blas, lapack, lua, libsodium
+{ stdenv
+, lib
+, fetchFromGitHub
+, fetchpatch2
+, cmake
+, perl
+, glib
+, luajit
+, openssl
+, pcre
+, pkg-config
+, sqlite
+, ragel
+, icu
+, hyperscan
+, jemalloc
+, blas
+, lapack
+, lua
+, libsodium
 , withBlas ? true
 , withHyperscan ? stdenv.isx86_64
 , withLuaJIT ? stdenv.isx86_64
@@ -20,6 +37,15 @@ stdenv.mkDerivation rec {
     hash = "sha256-GuWuJK73RE+cS8451m+bcmpZNQEzmZtexm19xgdDQeU=";
   };
 
+  patches = [
+    # Fix leak in `gzip` function
+    # https://github.com/rspamd/rspamd/issues/4564
+    (fetchpatch2 {
+      url = "https://github.com/rspamd/rspamd/commit/ffbab4fbf218514845b8e5209aec044621b1f460.patch";
+      hash = "sha256-ltkC/mZcYmGoSFILaTTRB/UWSn36flEbuJP4Buys05Y=";
+    })
+  ];
+
   hardeningEnable = [ "pie" ];
 
   nativeBuildInputs = [ cmake pkg-config perl ];