Merge commit '969cff2691a02b3d7e5468beda26c482d8986644'

1 files changed, 17 insertions, 2 deletions

diff --git a/nixpkgs/pkgs/development/libraries/cairo/default.nix b/nixpkgs/pkgs/development/libraries/cairo/default.nix
index 8f7a04cbb68f..845b09053ad4 100644
--- a/nixpkgs/pkgs/development/libraries/cairo/default.nix
+++ b/nixpkgs/pkgs/development/libraries/cairo/default.nix
@@ -1,8 +1,10 @@
-{ stdenv, fetchurl, pkgconfig, libiconv
+{ config, stdenv, fetchurl, fetchpatch, pkgconfig, libiconv
 , libintl, expat, zlib, libpng, pixman, fontconfig, freetype, xorg
 , gobjectSupport ? true, glib
 , xcbSupport ? true # no longer experimental since 1.12
-, glSupport ? true, libGL ? null # libGLU_combined is no longer a big dependency
+, libGLSupported
+, glSupport ? config.cairo.gl or (libGLSupported && stdenv.isLinux && !stdenv.isAarch32 && !stdenv.isMips)
+, libGL ? null # libGLU_combined is no longer a big dependency
 , pdfSupport ? true
 , darwin
 }:
@@ -20,6 +22,19 @@ in stdenv.mkDerivation rec {
     sha256 = "0c930mk5xr2bshbdljv005j3j8zr47gqmkry3q6qgvqky6rjjysy";
   };
 
+  patches = [
+    # Fixes CVE-2018-19876; see Nixpkgs issue #55384
+    # CVE information: https://nvd.nist.gov/vuln/detail/CVE-2018-19876
+    # Upstream PR: https://gitlab.freedesktop.org/cairo/cairo/merge_requests/5
+    #
+    # This patch is the merged commit from the above PR.
+    (fetchpatch {
+      name   = "CVE-2018-19876.patch";
+      url    = "https://gitlab.freedesktop.org/cairo/cairo/commit/6edf572ebb27b00d3c371ba5ae267e39d27d5b6d.patch";
+      sha256 = "112hgrrsmcwxh1r52brhi5lksq4pvrz4xhkzcf2iqp55jl2pb7n1";
+    })
+  ];
+
   outputs = [ "out" "dev" "devdoc" ];
   outputBin = "dev"; # very small