gh: apply patches for CVE-2024-52308

GHSA-p2h2-3vg9-4p87
NixOS · Nov 26, 2024 · e0411bb · e0411bb
1 parent 429b985
commit e0411bb
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/pkgs/applications/version-management/gh/default.nix b/pkgs/applications/version-management/gh/default.nix
@@ -1,4 +1,4 @@
-{ lib, fetchFromGitHub, buildGoModule, installShellFiles, stdenv, testers, gh }:
+{ lib, fetchFromGitHub, fetchpatch, buildGoModule, installShellFiles, stdenv, testers, gh }:
 
 buildGoModule rec {
   pname = "gh";
@@ -13,6 +13,19 @@ buildGoModule rec {
 
   vendorHash = "sha256-9Rv1zPrtaxd00lbA3WrPIzIZ9IiKqZa/ppn37jqMP4M=";
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2024-52308_1.patch";
+      url = "https://github.com/cli/cli/commit/6d5a26cfd194e261e11015506c357d175fa4946a.patch";
+      hash = "sha256-TdJ9/vWFSRzH6qlvdj/98ZoAprSK8tj6Zafu0zFyj0E=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-52308_2.patch";
+      url = "https://github.com/cli/cli/commit/a02f84528a43d7cb5e68bf7060e7b7abeecb00ee.patch";
+      hash = "sha256-lKJULVfSAH4csY9q2z4GfnxnHGoixW5N1yoFJldEApo=";
+    })
+  ];
+
   nativeBuildInputs = [ installShellFiles ];
 
   buildPhase = ''