From 5e72b0a076509369f4bca28f3dffd800455299c9 Mon Sep 17 00:00:00 2001
From: Ryan Burns
Date: Sat, 28 Aug 2021 12:39:46 -0700
Subject: fossil: 2.15.1 -> 2.16
For CVE-2021-36377
Add enableDeserialize option to sqlite, which is required to build fossil v2.16+.
---
 pkgs/applications/version-management/fossil/default.nix | 7 +++----
 pkgs/development/libraries/sqlite/default.nix | 8 ++++++--
 pkgs/top-level/all-packages.nix | 4 +++-
 3 files changed, 12 insertions(+), 7 deletions(-)
(limited to 'pkgs')
diff --git a/pkgs/applications/version-management/fossil/default.nix b/pkgs/applications/version-management/fossil/default.nix
index 6b445446d5b5..ed2cf00291e2 100644
--- a/pkgs/applications/version-management/fossil/default.nix
+++ b/pkgs/applications/version-management/fossil/default.nix
@@ -15,12 +15,11 @@
 stdenv.mkDerivation rec {
 pname = "fossil";
- version = "2.15.1";
+ version = "2.16";
 src = fetchurl {
- url = "https://www.fossil-scm.org/index.html/uv/fossil-src-${version}.tar.gz";
- name = "${pname}-${version}.tar.gz";
- sha256 = "sha256-gNJ5I8ZjsqLHEPiujNVJhi4E+MBChXBidMNK48jKF9E=";
+ url = "https://www.fossil-scm.org/home/tarball/version-${version}/fossil-${version}.tar.gz";
+ sha256 = "1z5ji25f2rqaxd1nj4fj84afl1v0m3mnbskgfwsjr3fr0h5p9aqy";
 };
 nativeBuildInputs = [ installShellFiles tcl tcllib ];
diff --git a/pkgs/development/libraries/sqlite/default.nix b/pkgs/development/libraries/sqlite/default.nix
index e2331d89751a..7e53222d0a33 100644
--- a/pkgs/development/libraries/sqlite/default.nix
+++ b/pkgs/development/libraries/sqlite/default.nix
@@ -1,5 +1,6 @@
 { lib, stdenv, fetchurl, zlib, interactive ? false, readline ? null, ncurses ? null
 , python3Packages
+, enableDeserialize ? false
 }:
 assert interactive -> readline != null && ncurses != null;
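Review bot: The new `src.url` in the fossil hunk fetches `/home/tarball/version-${version}/fossil-${version}.tar.gz`, which looks like an archive generated from the `version-2.16` tag rather than a fixed release file like the `/uv/` one the old URL used. The `sha256` still pins the content, so a changed archive fails the build instead of being accepted, but if the server ever emits different bytes for the same tag the fetch breaks. A short comment such as `# tarball is generated from the tag; re-verify the hash against upstream if the fetch starts failing` would help the next person who bumps it. The hash also moves from the SRI form (`sha256-…`) to bare base32; keeping the SRI form would stay consistent with the line it replaces. The `mkDerivation` body continues past the hunk.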
@@ -32,7 +33,7 @@ stdenv.mkDerivation rec {
 configureFlags = [ "--enable-threadsafe" ] ++ optional interactive "--enable-readline";
- NIX_CFLAGS_COMPILE = toString [
+ NIX_CFLAGS_COMPILE = toString ([
 "-DSQLITE_ENABLE_COLUMN_METADATA"
 "-DSQLITE_ENABLE_DBSTAT_VTAB"
 "-DSQLITE_ENABLE_JSON1"
@@ -48,7 +49,10 @@ stdenv.mkDerivation rec {
 "-DSQLITE_SECURE_DELETE"
 "-DSQLITE_MAX_VARIABLE_NUMBER=250000"
 "-DSQLITE_MAX_EXPR_DEPTH=10000"
- ];
+ ] ++ lib.optionals enableDeserialize [
+ # Can be removed in v3.36+, as this will become the default
+ "-DSQLITE_ENABLE_DESERIALIZE"
+ ]);
 # Test for features which may not be available at compile time
 preBuild = ''
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index b777ba8f7b14..bb0800320154 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -24309,7 +24309,9 @@ with pkgs;
 foo-yc20 = callPackage ../applications/audio/foo-yc20 { };
- fossil = callPackage ../applications/version-management/fossil { };
+ fossil = callPackage ../applications/version-management/fossil {
+ sqlite = sqlite.override { enableDeserialize = true; };
+ };
 freebayes = callPackage ../applications/science/biology/freebayes { };
-- cgit 1.4.1
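Review bot: The condition for retiring `-DSQLITE_ENABLE_DESERIALIZE` is recorded only in the comment inside the new `lib.optionals` list, and the `sqlite.override { enableDeserialize = true; }` added for fossil in all-packages.nix carries no note at all, so the workaround is likely to outlive its need. Tying the flag to the version would make it expire on its own, e.g. `] ++ lib.optionals (enableDeserialize && lib.versionOlder version "3.36") [`, assuming `version` in this `rec` set is the sqlite version (it is defined outside the hunk). At the override, a comment such as `# needed by fossil >= 2.16; drop once sqlite is >= 3.36` would tell the next reader why fossil gets its own sqlite build.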