From aa9fbd036f1da94b13c3fbaf822dd3915b4213cb Mon Sep 17 00:00:00 2001
From: Vladimír Čunát <vcunat@gmail.com>
Date: Sun, 10 Dec 2017 10:57:29 +0100
Subject: openexr: upstream security patch

/cc #32459.
---
 pkgs/development/libraries/openexr/default.nix | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/pkgs/development/libraries/openexr/default.nix b/pkgs/development/libraries/openexr/default.nix
index 27a9860c8683..d2d8b686f35c 100644
--- a/pkgs/development/libraries/openexr/default.nix
+++ b/pkgs/development/libraries/openexr/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, autoconf, automake, libtool, pkgconfig, zlib, ilmbase }:
+{ lib, stdenv, fetchurl, fetchpatch, autoconf, automake, libtool, pkgconfig, zlib, ilmbase }:
 
 stdenv.mkDerivation rec {
   name = "openexr-${lib.getVersion ilmbase}";
@@ -8,6 +8,18 @@ stdenv.mkDerivation rec {
     sha256 = "0ca2j526n4wlamrxb85y2jrgcv0gf21b3a19rr0gh4rjqkv1581n";
   };
 
+  patches = [
+    ./bootstrap.patch
+    (fetchpatch {
+      # https://github.com/openexr/openexr/issues/232
+      # https://github.com/openexr/openexr/issues/238
+      name = "CVE-2017-12596.patch";
+      url = "https://github.com/openexr/openexr/commit/f09f5f26c1924.patch";
+      sha256 = "1d014da7c8cgbak5rgr4mq6wzm7kwznb921pr7nlb52vlfvqp4rs";
+      stripLen = 1;
+    })
+  ];
+
   outputs = [ "bin" "dev" "out" "doc" ];
 
   preConfigure = ''
@@ -20,8 +32,6 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  patches = [ ./bootstrap.patch ];
-
   meta = with stdenv.lib; {
     homepage = http://www.openexr.com/;
     license = licenses.bsd3;
-- 
cgit 1.4.1