From be28735bfe1a9cb307355cd32c4d8603df756136 Mon Sep 17 00:00:00 2001
From: Robert Scott <code@humanleg.org.uk>
Date: Sat, 26 Oct 2019 14:28:02 +0100
Subject: file: add patch for CVE-2019-18218

upstream patch https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84.patch
doesn't apply directly, debian have a version which has been adapted for
5.37.

(cherry picked from commit 99273fc55533db11748750f5337f0791e8233cee)
---
 pkgs/tools/misc/file/default.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pkgs/tools/misc/file/default.nix b/pkgs/tools/misc/file/default.nix
index ed31d01f09d5e..33d9972e867c4 100644
--- a/pkgs/tools/misc/file/default.nix
+++ b/pkgs/tools/misc/file/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, file, zlib, libgnurx }:
+{ stdenv, fetchurl, fetchpatch, file, zlib, libgnurx }:
 
 stdenv.mkDerivation rec {
   name = "file-${version}";
@@ -12,6 +12,14 @@ stdenv.mkDerivation rec {
     sha256 = "0ya330cdkvfi2d28h8gvhghj4gnhysmifmryysl0a97xq2884q7v";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2019-18218.patch";
+      url = "https://sources.debian.org/data/main/f/file/1:5.37-6/debian/patches/cherry-pick.FILE5_37-67-g46a8443f.limit-the-number-of-elements-in-a-vector-found-by-oss-fuzz.patch";
+      sha256 = "1i22y91yndc3n2p2ngczp1lwil8l05sp8ciicil74xrc5f91y6mj";
+    })
+  ];
+
   nativeBuildInputs = stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) file;
   buildInputs = [ zlib ]
               ++ stdenv.lib.optional stdenv.hostPlatform.isWindows libgnurx;
-- 
cgit 1.4.1