nginxStable: add patch for CVE-2021-3618

2 years ago · 6951ba02f4
parent 5f7a31d62e
commit 6951ba02f4
2 changed files with 11 additions and 2 deletions
--- a/pkgs/servers/http/nginx/generic.nix
+++ b/pkgs/servers/http/nginx/generic.nix
@ -18,6 +18,7 @@
 , sha256 ? null # when not specifying src
 , configureFlags ? []
 , buildInputs ? []
+, extraPatches ? []
 , fixPatch ? p: p
 , preConfigure ? ""
 , postInstall ? null
@ -134,7 +135,8 @@ stdenv.mkDerivation {
      url = "https://raw.githubusercontent.com/openwrt/packages/c057dfb09c7027287c7862afab965a4cd95293a3/net/nginx/patches/103-sys_nerr.patch";
      sha256 = "0s497x6mkz947aw29wdy073k8dyjq8j99lax1a1mzpikzr4rxlmd";
    })
-  ] ++ mapModules "patches");
+  ] ++ mapModules "patches")
+    ++ extraPatches;

  hardeningEnable = optional (!stdenv.isDarwin) "pie";

--- a/pkgs/servers/http/nginx/stable.nix
+++ b/pkgs/servers/http/nginx/stable.nix
@ -1,6 +1,13 @@
-{ callPackage, ... } @ args:
+{ callPackage, fetchpatch, ... } @ args:

 callPackage ./generic.nix args {
  version = "1.20.2";
  sha256 = "0hjsyjzd35qyw49w210f67g678kvzinw4kg1acb0l6c2fxspd24m";
+  extraPatches = [
+    (fetchpatch {
+      name = "CVE-2021-3618.patch";
+      url = "https://github.com/nginx/nginx/commit/173f16f736c10eae46cd15dd861b04b82d91a37a.patch";
+      sha256 = "0cnxmbkp6ip61w7y1ihhnvziiwzz3p3wi2vpi5c7yaj5m964k5db";
+    })
+  ];
 }