file: add patch for CVE-2019-18218

upstream patch https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84.patch doesn't apply directly, debian have a version which has been adapted for 5.37.
risicle · Oct 26, 2019 · 99273fc · 99273fc
1 parent 40272a7
commit 99273fc
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/pkgs/tools/misc/file/default.nix b/pkgs/tools/misc/file/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, file, zlib, libgnurx }:
+{ stdenv, fetchurl, fetchpatch, file, zlib, libgnurx }:
 
 stdenv.mkDerivation rec {
   pname = "file";
@@ -12,6 +12,14 @@ stdenv.mkDerivation rec {
     sha256 = "0zz0p9bqnswfx0c16j8k62ivjq1m16x10xqv4hy9lcyxyxkkkhg9";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2019-18218.patch";
+      url = "https://sources.debian.org/data/main/f/file/1:5.37-6/debian/patches/cherry-pick.FILE5_37-67-g46a8443f.limit-the-number-of-elements-in-a-vector-found-by-oss-fuzz.patch";
+      sha256 = "1i22y91yndc3n2p2ngczp1lwil8l05sp8ciicil74xrc5f91y6mj";
+    })
+  ];
+
   nativeBuildInputs = stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) file;
   buildInputs = [ zlib ]
               ++ stdenv.lib.optional stdenv.hostPlatform.isWindows libgnurx;