graphviz: fix CVE-2018-10196

1 files changed, 19 insertions, 1 deletions

diff --git a/pkgs/tools/graphics/graphviz/base.nix b/pkgs/tools/graphics/graphviz/base.nix
index 68ff84c7495a..db21df9b5d0d 100644
--- a/pkgs/tools/graphics/graphviz/base.nix
+++ b/pkgs/tools/graphics/graphviz/base.nix
@@ -2,12 +2,26 @@
 
 { stdenv, fetchFromGitLab, autoreconfHook, pkgconfig, cairo, expat, flex
 , fontconfig, gd, gettext, gts, libdevil, libjpeg, libpng, libtool, pango
-, yacc, xorg ? null, ApplicationServices ? null }:
+, yacc, fetchpatch, xorg ? null, ApplicationServices ? null }:
 
 assert stdenv.isDarwin -> ApplicationServices != null;
 
 let
   inherit (stdenv.lib) optionals optionalString;
+  raw_patch =
+    # https://gitlab.com/graphviz/graphviz/issues/1367 CVE-2018-10196
+    fetchpatch {
+      name = "CVE-2018-10196.patch";
+      url = https://gitlab.com/graphviz/graphviz/uploads/30f8f0b00e357c112ac35fb20241604a/p.diff;
+      sha256 = "074qx6ch9blrnlilmz7p96fkiz2va84x2fbqdza5k4808rngirc7";
+      excludes = ["tests/*"]; # we don't run them and they don't apply
+    };
+  # the patch needs a small adaption for older versions
+  patch = if stdenv.lib.versionAtLeast version "2.37" then raw_patch else
+  stdenv.mkDerivation {
+    inherit (raw_patch) name;
+    buildCommand = "sed s/dot_root/agroot/g ${raw_patch} > $out";
+  };
 in
 
 stdenv.mkDerivation rec {
@@ -37,6 +51,10 @@ stdenv.mkDerivation rec {
     "--with-ltdl-include=${libtool}/include"
   ] ++ stdenv.lib.optional (xorg == null) [ "--without-x" ];
 
+  patches = [
+    patch
+  ];
+
   postPatch = ''
     for f in $(find . -name Makefile.in); do
       substituteInPlace $f --replace "-lstdc++" "-lc++"