authorThomas Gerbet <thomas@gerbet.me>2021-07-14 10:08:43 +0200
committerThomas Gerbet <thomas@gerbet.me>2021-07-14 10:08:43 +0200
commit07b2b092be1f3ccadc4553cfbb296139c3591574 (patch)
tree01f9c9e9cd89e7b8271af1d278b94bf15423973a
parentMerge pull request #130108 from NixOS/backport-130086-to-release-21.05 (diff)
downloadnixpkgs-07b2b092be1f3ccadc4553cfbb296139c3591574.tar.gz
libsForQt5.kimageformats: fix CVE-2021-36083
Co-authored-by: Sandro <sandro.jaeckel@gmail.com> (cherry picked from commit 3d260a2d0edffce5095a5f813e9227c4864e9715)
-rw-r--r--pkgs/development/libraries/kde-frameworks/kimageformats.nix15
1 files changed, 14 insertions, 1 deletions
diff --git a/pkgs/development/libraries/kde-frameworks/kimageformats.nix b/pkgs/development/libraries/kde-frameworks/kimageformats.nix
index 3d9c5851f246..f78d8168b45f 100644
--- a/pkgs/development/libraries/kde-frameworks/kimageformats.nix
+++ b/pkgs/development/libraries/kde-frameworks/kimageformats.nix
@@ -1,5 +1,5 @@
{
- mkDerivation, lib,
+ mkDerivation, lib, fetchpatch,
extra-cmake-modules,
ilmbase, karchive, openexr, qtbase
}:
@@ -8,8 +8,21 @@ let inherit (lib) getDev; in
mkDerivation {
name = "kimageformats";
+
+ patches = [
+ (fetchpatch { # included in kimageformats >= 5.82
+ name = "CVE-2021-36083.patch";
+ url = "https://invent.kde.org/frameworks/kimageformats/-/commit/297ed9a2fe339bfe36916b9fce628c3242e5be0f.diff";
+ sha256 = "16axaljgaar0j5796x1mjps93y92393x8zywh3nzw7rm9w2qxzml";
+ })
+ ];
+
nativeBuildInputs = [ extra-cmake-modules ];
buildInputs = [ karchive openexr qtbase ];
outputs = [ "out" ]; # plugins only
CXXFLAGS = "-I${getDev ilmbase}/include/OpenEXR";
+
+ meta = with lib; {
+ broken = versionOlder qtbase.version "5.14";
+ };
}
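Review bot: The `broken = versionOlder qtbase.version "5.14";` guard added at the end of the derivation carries no comment, so a reader cannot tell whether it belongs to the CVE-2021-36083 backport or is an unrelated build fix. If it is there because the fetched patch uses Qt API that only exists from 5.14 on (an inference, the hunk does not say), state that on the line, e.g. `# CVE-2021-36083.patch needs Qt >= 5.14; mark broken rather than build the unpatched plugin`. The same comment tells whoever drops the `patches` entry after the bump to kimageformats 5.82 whether the guard has to stay or can go with it.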