From 8b7f04c25a37ed416e986a3a635d5d120706d75f Mon Sep 17 00:00:00 2001
From: Thomas Tuegel
Date: Wed, 12 Oct 2016 08:46:43 -0500
Subject: [PATCH] kde5.kcoreaddons: fix HTML injection CVE-2016-7966 See https://www.kde.org/info/security/advisory-20161006-1.txt for more information.
---
 .../development/libraries/kde-frameworks/kcoreaddons.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/libraries/kde-frameworks/kcoreaddons.nix b/pkgs/development/libraries/kde-frameworks/kcoreaddons.nix
index a3d5735ad274..91bfd28df4eb 100644
--- a/pkgs/development/libraries/kde-frameworks/kcoreaddons.nix
+++ b/pkgs/development/libraries/kde-frameworks/kcoreaddons.nix
@@ -1,8 +1,15 @@
-{ kdeFramework, lib, ecm, shared_mime_info }:
+{ kdeFramework, lib, fetchurl, ecm, shared_mime_info }:
 kdeFramework { name = "kcoreaddons"; meta = { maintainers = [ lib.maintainers.ttuegel ]; };
+ patches = [
+ (fetchurl {
+ url = "https://packaging.neon.kde.org/frameworks/kcoreaddons.git/plain/debian/patches/0001-Fix-very-old-bug-when-we-remove-space-in-url-as-foo-.patch?id=ab7258dd8a87668ba63c585a69f41f291254aa43";
+ sha256 = "0svdqbikmslc0n2gdwwlbdyi61m5qgy0lxxv9iglbs3ja09xqs0p";
+ name = "kcoreaddons-CVE-2016-7966.patch";
+ })
+ ];
 nativeBuildInputs = [ ecm ]; propagatedBuildInputs = [ shared_mime_info ]; }
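Review bot: The security patch added to the new `patches` list is fetched from a downstream packaging repository (`packaging.neon.kde.org`, a file under `debian/patches/`) rather than from the upstream kcoreaddons change that the linked advisory describes, so a reader cannot match the applied fix to the advisory from this expression alone. The `sha256` and the `?id=` commit pin fix the content that gets applied, so this is a provenance and maintainability point rather than an integrity gap. It is still worth confirming against the advisory that this single patch is the complete fix for CVE-2016-7966. I would add a comment above the `fetchurl` call, for example `# CVE-2016-7966, see https://www.kde.org/info/security/advisory-20161006-1.txt; drop once kcoreaddons >= <FIXED_VERSION> is packaged`, with `<FIXED_VERSION>` filled in from the advisory, so the patch is not carried past the release that contains it.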