authorRobert Scott <code@humanleg.org.uk>2021-08-30 12:34:28 +0100
committerRobert Scott <code@humanleg.org.uk>2021-08-30 12:34:28 +0100
commitc6c39b5944d1ebc7f294ea9b78350beec67b21a8 (patch)
tree8a692af961d9e53b85445e4275cdc6fd1c64a7c1 /pkgs/development/libraries/apr
parent0c8415335fe3fb3347bd1f75813c6da1991f1112 (diff)
apr: add patch for CVE-2021-35940
Diffstat (limited to 'pkgs/development/libraries/apr')
-rw-r--r--pkgs/development/libraries/apr/default.nix12
1 files changed, 10 insertions, 2 deletions
diff --git a/pkgs/development/libraries/apr/default.nix b/pkgs/development/libraries/apr/default.nix
index dd88cf7b1d49f..19adfb08cfa00 100644
--- a/pkgs/development/libraries/apr/default.nix
+++ b/pkgs/development/libraries/apr/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, autoreconfHook }:
+{ lib, stdenv, fetchurl, fetchpatch, autoreconfHook }:
 
 stdenv.mkDerivation rec {
   pname = "apr";
@@ -9,7 +9,15 @@ stdenv.mkDerivation rec {
     sha256 = "1spp6r2a3xcl5yajm9safhzyilsdzgagc2dadif8x6z9nbq4iqg2";
   };
 
-  patches = lib.optionals stdenv.isDarwin [ ./is-this-a-compiler-bug.patch ];
+  patches = [
+    (fetchpatch {
+      name = "CVE-2021-35940.patch";
+      url = "https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch";
+      sha256 = "1qd511dyqa1b7bj89iihrlbaavbzl6yyblqginghmcnhw8adymbs";
+      # convince fetchpatch to restore missing `a/`, `b/` to paths
+      extraPrefix = "";
+    })
+  ] ++ lib.optionals stdenv.isDarwin [ ./is-this-a-compiler-bug.patch ];
 
   # This test needs the net
   postPatch = ''
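Review bot: The new `fetchpatch` entry in `patches` has no comment saying when it can be removed, so the CVE fix could be carried past a version bump that already contains it, or stop applying without an obvious reason. A line such as `# CVE-2021-35940: drop once apr is updated past 1.7.0` above `(fetchpatch {` would make that explicit; the 1.7.0 target is inferred from the patch file name. The URL points into the `release/` tree of dist.apache.org, which may be pruned once the release is superseded. The pinned `sha256` means a changed or missing file fails the build rather than applying different content, but an archival location, if one hosts the same file, would keep the fetch reproducible. The `mkDerivation` attribute set and the `postPatch` string continue past the end of this hunk.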