From 8b7f04c25a37ed416e986a3a635d5d120706d75f Mon Sep 17 00:00:00 2001
From: Thomas Tuegel <ttuegel@gmail.com>
Date: Wed, 12 Oct 2016 08:46:43 -0500
Subject: kde5.kcoreaddons: fix HTML injection CVE-2016-7966

See https://www.kde.org/info/security/advisory-20161006-1.txt for more
information.
---
 pkgs/development/libraries/kde-frameworks/kcoreaddons.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'pkgs/development/libraries/kde-frameworks/kcoreaddons.nix')

diff --git a/pkgs/development/libraries/kde-frameworks/kcoreaddons.nix b/pkgs/development/libraries/kde-frameworks/kcoreaddons.nix
index a3d5735ad27..91bfd28df4e 100644
--- a/pkgs/development/libraries/kde-frameworks/kcoreaddons.nix
+++ b/pkgs/development/libraries/kde-frameworks/kcoreaddons.nix
@@ -1,8 +1,15 @@
-{ kdeFramework, lib, ecm, shared_mime_info }:
+{ kdeFramework, lib, fetchurl, ecm, shared_mime_info }:
 
 kdeFramework {
   name = "kcoreaddons";
   meta = { maintainers = [ lib.maintainers.ttuegel ]; };
+  patches = [
+    (fetchurl {
+      url = "https://packaging.neon.kde.org/frameworks/kcoreaddons.git/plain/debian/patches/0001-Fix-very-old-bug-when-we-remove-space-in-url-as-foo-.patch?id=ab7258dd8a87668ba63c585a69f41f291254aa43";
+      sha256 = "0svdqbikmslc0n2gdwwlbdyi61m5qgy0lxxv9iglbs3ja09xqs0p";
+      name = "kcoreaddons-CVE-2016-7966.patch";
+    })
+  ];
   nativeBuildInputs = [ ecm ];
   propagatedBuildInputs = [ shared_mime_info ];
 }
-- 
cgit 1.4.1