shellinabox: fix CVE-2018-16789

(#72620)
NixOS · Nov 3, 2019 · 73523e0 · 73523e0
1 parent 7153c48
commit 73523e0
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/pkgs/servers/shellinabox/default.nix b/pkgs/servers/shellinabox/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, pam, openssl, openssh, shadow, makeWrapper }:
+{ stdenv, fetchFromGitHub, fetchpatch, autoreconfHook, pam, openssl, openssh, shadow, makeWrapper }:
 
 stdenv.mkDerivation rec {
   version = "2.20";
@@ -11,10 +11,17 @@ stdenv.mkDerivation rec {
     sha256 = "1hmfayh21cks2lyj572944ll0mmgsxbnj981b3hq3nhdg8ywzjfr";
   };
 
-  patches = [ ./shellinabox-minus.patch ];
+  patches = [
+    ./shellinabox-minus.patch
+    (fetchpatch {
+      name = "CVE-2018-16789.patch";
+      url = "https://github.com/shellinabox/shellinabox/commit/4f0ecc31ac6f985e0dd3f5a52cbfc0e9251f6361.patch";
+      sha256 = "1mpm6acxdb0fms9pa2b88fx6hp07ph87ahxi82yyqj2m7p79jx7a";
+    })
+  ];
 
-  nativeBuildInputs = [ autoreconfHook ];
-  buildInputs = [ pam openssl openssh makeWrapper ];
+  nativeBuildInputs = [ autoreconfHook makeWrapper ];
+  buildInputs = [ pam openssl openssh ];
 
   # Disable GSSAPIAuthentication errors. Also, paths in certain source files are
   # hardcoded. Replace the hardcoded paths with correct paths.