openexr: upstream security patch

/cc #32459. (cherry picked from commit aa9fbd0)
NixOS · Dec 10, 2017 · ab84b53 · ab84b53
1 parent 9b7a702
commit ab84b53
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/pkgs/development/libraries/openexr/default.nix b/pkgs/development/libraries/openexr/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, autoconf, automake, libtool, pkgconfig, zlib, ilmbase }:
+{ lib, stdenv, fetchurl, fetchpatch, autoconf, automake, libtool, pkgconfig, zlib, ilmbase }:
 
 stdenv.mkDerivation rec {
   name = "openexr-${lib.getVersion ilmbase}";
@@ -8,6 +8,18 @@ stdenv.mkDerivation rec {
     sha256 = "0ca2j526n4wlamrxb85y2jrgcv0gf21b3a19rr0gh4rjqkv1581n";
   };
 
+  patches = [
+    ./bootstrap.patch
+    (fetchpatch {
+      # https://github.com/openexr/openexr/issues/232
+      # https://github.com/openexr/openexr/issues/238
+      name = "CVE-2017-12596.patch";
+      url = "https://github.com/openexr/openexr/commit/f09f5f26c1924.patch";
+      sha256 = "1d014da7c8cgbak5rgr4mq6wzm7kwznb921pr7nlb52vlfvqp4rs";
+      stripLen = 1;
+    })
+  ];
+
   outputs = [ "bin" "dev" "out" "doc" ];
 
   preConfigure = ''
@@ -19,8 +31,6 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  patches = [ ./bootstrap.patch ];
-
   meta = with stdenv.lib; {
     homepage = http://www.openexr.com/;
     license = licenses.bsd3;