openjpeg: apply patches for CVE-2024-56826

Preferred to apply patches instead of bumping to 2.5.3 until the upgrade can be dealt with, see #370072 for the last attempt.
NixOS · Jan 14, 2025 · b851789 · b851789
1 parent 07cfc4d
commit b851789
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/pkgs/by-name/op/openjpeg/package.nix b/pkgs/by-name/op/openjpeg/package.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, cmake, pkg-config
+{ lib, stdenv, fetchFromGitHub, fetchpatch, cmake, pkg-config
 , libpng, libtiff, zlib, lcms2
 , jpipLibSupport ? false # JPIP library & executables
 , jpipServerSupport ? false, curl, fcgi # JPIP Server
@@ -38,6 +38,21 @@ stdenv.mkDerivation rec {
     hash = "sha256-mQ9B3MJY2/bg0yY/7jUJrAXM6ozAHT5fmwES5Q1SGxw=";
   };
 
+  patches = [
+    (fetchpatch {
+      # https://github.com/uclouvain/openjpeg/issues/1564
+      name = "CVE-2024-56826_ISSUE1564.patch";
+      url = "https://github.com/uclouvain/openjpeg/commit/e492644fbded4c820ca55b5e50e598d346e850e8.patch";
+      hash = "sha256-v+odu4/MXRA+RKOlPO+m/Xk66BMH6mOcEN4ScHn3VAo=";
+    })
+    (fetchpatch {
+      # https://github.com/uclouvain/openjpeg/issues/1563
+      name = "CVE-2024-56826_ISSUE1563.patch";
+      url = "https://github.com/uclouvain/openjpeg/commit/98592ee6d6904f1b48e8207238779b89a63befa2.patch";
+      hash = "sha256-1ScnEZAPuvclyRME5kbeo7dBMG31Njs5CaYC4sGyx08=";
+    })
+  ];
+
   outputs = [ "out" "dev" ];
 
   cmakeFlags = [