Diffstat (limited to 'nixpkgs/pkgs/tools/graphics/graphviz/base.nix')
-rw-r--r--nixpkgs/pkgs/tools/graphics/graphviz/base.nix20
1 files changed, 19 insertions, 1 deletions
diff --git a/nixpkgs/pkgs/tools/graphics/graphviz/base.nix b/nixpkgs/pkgs/tools/graphics/graphviz/base.nix
index 68ff84c7495a..db21df9b5d0d 100644
--- a/nixpkgs/pkgs/tools/graphics/graphviz/base.nix
+++ b/nixpkgs/pkgs/tools/graphics/graphviz/base.nix
@@ -2,12 +2,26 @@
 
 { stdenv, fetchFromGitLab, autoreconfHook, pkgconfig, cairo, expat, flex
 , fontconfig, gd, gettext, gts, libdevil, libjpeg, libpng, libtool, pango
-, yacc, xorg ? null, ApplicationServices ? null }:
+, yacc, fetchpatch, xorg ? null, ApplicationServices ? null }:
 
 assert stdenv.isDarwin -> ApplicationServices != null;
 
 let
   inherit (stdenv.lib) optionals optionalString;
+  raw_patch =
+    # https://gitlab.com/graphviz/graphviz/issues/1367 CVE-2018-10196
+    fetchpatch {
+      name = "CVE-2018-10196.patch";
+      url = https://gitlab.com/graphviz/graphviz/uploads/30f8f0b00e357c112ac35fb20241604a/p.diff;
+      sha256 = "074qx6ch9blrnlilmz7p96fkiz2va84x2fbqdza5k4808rngirc7";
+      excludes = ["tests/*"]; # we don't run them and they don't apply
+    };
+  # the patch needs a small adaption for older versions
+  patch = if stdenv.lib.versionAtLeast version "2.37" then raw_patch else
+  stdenv.mkDerivation {
+    inherit (raw_patch) name;
+    buildCommand = "sed s/dot_root/agroot/g ${raw_patch} > $out";
+  };
 in
 
 stdenv.mkDerivation rec {
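Review bot: The `url =` line inside the `fetchpatch` call uses an unquoted URL literal, a syntax Nix deprecates and that nixpkgs style asks to avoid; it should be a string: `url = "https://gitlab.com/graphviz/graphviz/uploads/30f8f0b00e357c112ac35fb20241604a/p.diff";`. The new binding `raw_patch` is the only snake_case name in this file's `let` block, which otherwise follows the nixpkgs camelCase convention (`optionalString`, `versionAtLeast`); `rawPatch` would be consistent, with the two references in `patch` renamed to match. The fallback derivation guarded by `versionAtLeast version "2.37"` rewrites every `dot_root` in the upstream patch via `sed`, and the comment above it (`# the patch needs a small adaption for older versions`) does not say which graphviz release renamed that symbol, so a reader cannot verify the `"2.37"` cutoff; a comment such as `# graphviz renamed dot_root to agroot before 2.37, so older sources need the patch rewritten` would make it checkable. `version` is not bound anywhere in this hunk; it presumably comes from the file's first line, which lies outside the hunk.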
@@ -37,6 +51,10 @@ stdenv.mkDerivation rec {
     "--with-ltdl-include=${libtool}/include"
   ] ++ stdenv.lib.optional (xorg == null) [ "--without-x" ];
 
+  patches = [
+    patch
+  ];
+
   postPatch = ''
     for f in $(find . -name Makefile.in); do
       substituteInPlace $f --replace "-lstdc++" "-lc++"