qemu: apply patch for CVE-2017-17381

andir · adisbladis · commit 9e635ecc8be8 · 2017-12-06T03:44:55.000+08:00
More details at [1]. [1] http://www.openwall.com/lists/oss-security/2017/12/05/2 (cherry picked from commit d72974a)
diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
@@ -56,7 +56,12 @@ stdenv.mkDerivation rec {
 
   patches = [ ./no-etc-install.patch ]
     ++ optional nixosTestRunner ./force-uid0-on-9p.patch
-    ++ optional pulseSupport ./fix-hda-recording.patch;
+    ++ optional pulseSupport ./fix-hda-recording.patch
+    ++ [ (fetchpatch {
+           name = "qemu-CVE-2017-17381.patch";
+           url = "https://git.kernel.org/pub/scm/virt/kvm/mst/qemu.git/patch/?id=758ead31c7e17bf17a9ef2e0ca1c3e86ab296b43";
+           sha256 = "17yw4bqsbywdrbmrikr94yjnfsg853bf4i3k4y3k169387da2yc5"; })
+       ];
 
   hardeningDisable = [ "stackprotector" ];
 
