From 332a800de3f203d509349847dde540d171f163de Mon Sep 17 00:00:00 2001
From: Vladimír Čunát <vcunat@gmail.com>
Date: Sat, 9 Dec 2017 18:44:02 +0100
Subject: exiv2: a batch of security fixes

/cc #32459.  I can't see any other CVE patches that are either
backported upstream to the 0.26 branch or applied in some distro.
---
 pkgs/development/libraries/exiv2/default.nix | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'pkgs/development/libraries')

diff --git a/pkgs/development/libraries/exiv2/default.nix b/pkgs/development/libraries/exiv2/default.nix
index a1a07b43197..7f5f1903517 100644
--- a/pkgs/development/libraries/exiv2/default.nix
+++ b/pkgs/development/libraries/exiv2/default.nix
@@ -7,6 +7,24 @@ stdenv.mkDerivation rec {
     url = "http://www.exiv2.org/builds/${name}-trunk.tar.gz";
     sha256 = "1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7";
   };
+
+  patches = [
+    (fetchurl rec {
+      name = "CVE-2017-9239.patch";
+      url = let patchname = "0006-1296-Fix-submitted.patch";
+          in "https://src.fedoraproject.org/lookaside/pkgs/exiv2/${patchname}"
+          + "/sha512/${sha512}/${patchname}";
+      sha512 = "3f9242dbd4bfa9dcdf8c9820243b13dc14990373a800c4ebb6cf7eac5653cfef"
+             + "e6f2c47a94fbee4ed24f0d8c2842729d721f6100a2b215e0f663c89bfefe9e32";
+     })
+     (fetchpatch {
+       # many CVEs - see https://github.com/Exiv2/exiv2/pull/120
+       url = "https://patch-diff.githubusercontent.com/raw/Exiv2/exiv2/pull/120.patch";
+       sha256 = "1szl22xmh12hibzaqf2zi8zl377x841m52x4jm5lziw6j8g81sj8";
+       excludes = [ "test/bugfixes-test.sh" ];
+     })
+  ];
+
   postPatch = "patchShebangs ./src/svn_version.sh";
 
   outputs = [ "out" "dev" ];
-- 
cgit 1.4.1