From c9d11b8a1d8d1f3bff230027496e90d0fb963d8b Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Mon, 18 Sep 2017 16:01:22 +0200
Subject: apacheHttpd: fix CVE-2017-9798 (Optionsbleed)
https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
---
 pkgs/servers/http/apache-httpd/2.4.nix | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
(limited to 'pkgs/servers')
diff --git a/pkgs/servers/http/apache-httpd/2.4.nix b/pkgs/servers/http/apache-httpd/2.4.nix
index 3393d0cf58b6..ecf9ee9d84a4 100644
--- a/pkgs/servers/http/apache-httpd/2.4.nix
+++ b/pkgs/servers/http/apache-httpd/2.4.nix
@@ -5,6 +5,7 @@
 , ldapSupport ? true, openldap
 , libxml2Support ? true, libxml2
 , luaSupport ? false, lua5
+, fetchpatch
 }:
 let optional = stdenv.lib.optional;
@@ -35,10 +36,19 @@ stdenv.mkDerivation rec {
 optional http2Support nghttp2 ++
 optional stdenv.isDarwin libiconv;
- patchPhase = ''
+ prePatch = ''
 sed -i config.layout -e "s|installbuilddir:.*|installbuilddir: $dev/share/build|"
 '';
+ patches = [
+ (fetchpatch {
+ name = "CVE-2017-9798.patch";
+ url = "https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch";
+ sha256 = "00hbq5szgav91kwsc30jdjvgd3vbgm8n198yna8bcs33p434v25k";
+ stripLen = 3;
+ })
+ ];
+ # Required for ‘pthread_cancel’.
 NIX_LDFLAGS = stdenv.lib.optionalString (!stdenv.isDarwin) "-lgcc_s";
-- cgit 1.4.1
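Review bot: The `fetchpatch` entry added to `patches` in the second hunk pulls a revision-range diff of `server/core.c` (`r1=1805223` to `r2=1807754`) from a ViewVC URL, with no comment saying what it covers or when it can be dropped. That patch is presumably generated on request (`view=patch`), so its bytes may not stay stable; the pinned `sha256` makes the build fail closed if they drift, and any later hash update should come with a re-read of the patch content rather than a blind refresh. A range diff can also carry `core.c` changes other than the CVE fix, so it is worth confirming the fetched patch contains only the intended change. I would add above the entry `# Upstream 2.4.x backport for CVE-2017-9798; remove once the packaged release includes it.` and a short comment on why `stripLen = 3` is needed. The `stdenv.mkDerivation` body starts and ends outside this hunk.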