Merge pull request #303874 from risicle/ris-mbedtls-CVEs-2024-04-r23.11

[23.11] mbedtls_2: 2.28.7 -> 2.28.8, mbedtls: add patch for CVE-2024-28755
NixOS · Apr 16, 2024 · 1c75acb · 1c75acb
2 parents 6293b18 + de99195
commit 1c75acb
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 3 deletions.
diff --git a/pkgs/development/libraries/mbedtls/2.nix b/pkgs/development/libraries/mbedtls/2.nix
@@ -1,6 +1,6 @@
 { callPackage }:
 
 callPackage ./generic.nix {
-  version = "2.28.7";
-  hash = "sha256-JI0Frbz4HkPqrLQNrSIj1ikN8201h4kd1wTwyPotERw=";
+  version = "2.28.8";
+  hash = "sha256-A1DYZrvJ8SRujroVwqPfcTOSgLnT5xRat/RVdq2fL/o=";
 }
diff --git a/pkgs/development/libraries/mbedtls/3.nix b/pkgs/development/libraries/mbedtls/3.nix
@@ -1,6 +1,14 @@
-{ callPackage }:
+{ callPackage, fetchpatch }:
 
 callPackage ./generic.nix {
   version = "3.5.2";
   hash = "sha256-lVGmnSYccNmRS6vfF/fDiny5cYRPc/wJBpgciFLPUvM=";
+
+  patches = [
+    (fetchpatch {
+      name = "CVE-2024-28755.patch";
+      url = "https://github.com/Mbed-TLS/mbedtls/commit/ad736991bb59211118a29fe115367c24495300c2.patch";
+      hash = "sha256-MUnGT2ptlBikpZYL6+cvoF7fOiD2vMK4cbkgevgyl60=";
+    })
+  ];
 }
diff --git a/pkgs/development/libraries/mbedtls/generic.nix b/pkgs/development/libraries/mbedtls/generic.nix
@@ -3,6 +3,7 @@
 , version
 , hash
 , fetchFromGitHub
+, patches ? []
 
 , cmake
 , ninja
@@ -23,6 +24,8 @@ stdenv.mkDerivation rec {
     inherit hash;
   };
 
+  inherit patches;
+
   nativeBuildInputs = [ cmake ninja perl python3 ];
 
   strictDeps = true;