1 files changed, 14 insertions, 2 deletions

diff --git a/nixpkgs/pkgs/development/libraries/cereal/default.nix b/nixpkgs/pkgs/development/libraries/cereal/default.nix
index d2321175f8bd..958a92dec34e 100644
--- a/nixpkgs/pkgs/development/libraries/cereal/default.nix
+++ b/nixpkgs/pkgs/development/libraries/cereal/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, cmake }:
+{ lib, stdenv, fetchFromGitHub, fetchpatch, cmake }:
 stdenv.mkDerivation rec {
   pname = "cereal";
   version = "1.3.0";
@@ -12,7 +12,19 @@ stdenv.mkDerivation rec {
     sha256 = "0hc8wh9dwpc1w1zf5lfss4vg5hmgpblqxbrpp1rggicpx9ar831p";
   };
 
-  cmakeFlagsArray = [ "-DJUST_INSTALL_CEREAL=yes" ];
+  patches = [
+    # https://nvd.nist.gov/vuln/detail/CVE-2020-11105
+    # serialized std::shared_ptr variables cannot always be expected to
+    # serialize back into their original values. This can have any number of
+    # consequences, depending on the context within which this manifests.
+    (fetchpatch {
+      name = "CVE-2020-11105.patch";
+      url = "https://github.com/USCiLab/cereal/commit/f27c12d491955c94583512603bf32c4568f20929.patch";
+      sha256 = "CIkbJ7bAN0MXBhTXQdoQKXUmY60/wQvsdn99FaWt31w=";
+    })
+  ];
+
+  cmakeFlags = [ "-DJUST_INSTALL_CEREAL=yes" ];
 
   meta = with lib; {
     description = "A header-only C++11 serialization library";