libssh2-1.9.0: apply patch for CVE-2019-17498

No upstream release yet, but https://github.com/libssh2/libssh2/pull/402 has been accepted by upstream devs. Original advisory: https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/ Re #73662
2024-11-11 04:02:55 +03:00 · 2020-02-10 16:39:24 +01:00 · 2020-02-10 16:39:24 +01:00 · 4682b29aad
commit 4682b29aad
parent d9eb897edd
1 changed files with 9 additions and 0 deletions
--- a/pkgs/development/libraries/libssh2/default.nix
+++ b/pkgs/development/libraries/libssh2/default.nix
@ -14,6 +14,15 @@ stdenv.mkDerivation rec {
  buildInputs = [ openssl zlib ]
    ++ stdenv.lib.optional stdenv.hostPlatform.isMinGW windows.mingw_w64;

+  patches = [
+    # not able to use fetchpatch here: infinite recursion
+    (fetchurl {
+      name = "CVE-2019-17498.patch";
+      url = "https://github.com/libssh2/libssh2/pull/402.patch";
+      sha256 = "1n9s2mcz5dkw0xpm3c5x4hzj8bar4i6z0pr1rmqjplhfg888vdvc";
+    })
+  ];
+
  meta = with stdenv.lib; {
    description = "A client-side C library implementing the SSH2 protocol";
    homepage = https://www.libssh2.org;