libjpeg(-turbo): patch CVE-2020-13790

Fixes #90864 (roundup issue). Release is said to be expected soon, but we can patch now anyway.
4 years ago · d5fd2edb1f
parent 7e57c524a6
commit d5fd2edb1f
1 changed files with 6 additions and 0 deletions
--- a/pkgs/development/libraries/libjpeg-turbo/default.nix
+++ b/pkgs/development/libraries/libjpeg-turbo/default.nix
@ -18,6 +18,12 @@ stdenv.mkDerivation rec {
        url = "https://github.com/libjpeg-turbo/libjpeg-turbo/commit/a2291b252de1413a13db61b21863ae7aea0946f3.patch";
        sha256 = "0nc5vcch5h52gpi07h08zf8br58q8x81q2hv871hrn0dinb53vym";
      })
+
+      (fetchpatch {
+        name = "cve-2020-13790.patch";
+        url = "https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d.diff";
+        sha256 = "0hm5i6qir5w3zxb0xvqdh4jyvbfg7xnd28arhyfsaclfz9wdb0pb";
+      })
    ] ++
    stdenv.lib.optional (stdenv.hostPlatform.libc or null == "msvcrt")
      ./mingw-boolean.patch;