libuv: add patch for CVE-2021-22918

> libuv was vulnerable to out-of-bounds reads in the uv__idna_toascii() > function which is used to convert strings to ASCII. This is called by > the DNS resolution function and can lead to information disclosures or > crashes. b7466e31e4 Fixes: CVE-2021-22918
3 years ago · 742b8f71f7
parent a28ba52cac
commit 742b8f71f7
1 changed files with 10 additions and 1 deletions
--- a/pkgs/development/libraries/libuv/default.nix
+++ b/pkgs/development/libraries/libuv/default.nix
@ -1,4 +1,4 @@
-{ stdenv, lib, fetchFromGitHub, autoconf, automake, libtool, pkg-config, ApplicationServices, CoreServices }:
+{ stdenv, lib, fetchFromGitHub, fetchpatch, autoconf, automake, libtool, pkg-config, ApplicationServices, CoreServices }:

 stdenv.mkDerivation rec {
  version = "1.41.0";
@ -11,6 +11,15 @@ stdenv.mkDerivation rec {
    sha256 = "sha256-i6AYD1Ony0L2+3yWK6bxOfwoZEvd9qCg33QSqA7bRXI=";
  };

+  patches = [
+    (fetchpatch {
+      # Fixes out-of-bounds read in uv__idna_toascii() function
+      name = "CVE-2021-22918.patch";
+      url = "https://github.com/libuv/libuv/commit/b7466e31e4bee160d82a68fca11b1f61d46debae.patch";
+      sha256 = "0fbjy0jh7r9nrd27ag1k6am6d8p5ih7p0ywvjn53nq4cyqdqxhi7";
+    })
+  ];
+
  postPatch = let
    toDisable = [
      "getnameinfo_basic" "udp_send_hang_loop" # probably network-dependent