Merge pull request #150523 from Ma27/signald-cve-2021-44228-21.11

[21.11] signald: incorporate log4j update for CVE-2021-44228

1 files changed, 14 insertions, 4 deletions

diff --git a/pkgs/applications/networking/instant-messengers/signald/default.nix b/pkgs/applications/networking/instant-messengers/signald/default.nix
index 649cc8843d2e..e435d283a55f 100644
--- a/pkgs/applications/networking/instant-messengers/signald/default.nix
+++ b/pkgs/applications/networking/instant-messengers/signald/default.nix
@@ -1,10 +1,16 @@
 { lib, stdenv, fetchurl, fetchFromGitLab, jre_headless, coreutils, gradle_6, git, perl
-, makeWrapper }:
+, makeWrapper, fetchpatch
+}:
 
 let
   pname = "signald";
   version = "0.14.1";
 
+  log4j-update-cve-2021-44228 = fetchpatch {
+    url = "https://gitlab.com/signald/signald/-/commit/7f668062ab9ffa09a49d171e995f57cf0a0803a7.patch";
+    sha256 = "sha256-504je6hKciUGelVCGZjxGjHi1qZQaovagXD5PBQP+mM=";
+  };
+
   src = fetchFromGitLab {
     owner = pname;
     repo = pname;
@@ -26,6 +32,7 @@ let
   deps = stdenv.mkDerivation {
     name = "${pname}-deps";
     inherit src version postPatch;
+    patches = [ log4j-update-cve-2021-44228 ];
     nativeBuildInputs = [ gradle_6 perl ];
     buildPhase = ''
       export GRADLE_USER_HOME=$(mktemp -d)
@@ -43,15 +50,18 @@ let
     outputHashMode = "recursive";
     # Downloaded jars differ by platform
     outputHash = {
-      x86_64-linux = "/gJFoT+vvdSWr33oI44XiZXlFfyUjtRVB1M6CMzSztM=";
-      aarch64-linux = "v71stMWBbNALasfGAHvsVTBaDOZfpKK3sQrjNJ6FG1A=";
+      x86_64-linux = "sha256-Tn0x5MJJMe04Du+eFGAkdvh/7Sgb7pf2FtBiRyCvjo8=";
+      aarch64-linux = "sha256-T/Cj/QxlW48xW6l+O3K4fFA19fulOB8nk9dRoiP1sys=";
     }.${stdenv.system} or (throw "Unsupported platform");
   };
 
 in stdenv.mkDerivation rec {
   inherit pname src version postPatch;
 
-  patches = [ ./gradle-plugin.patch ];
+  patches = [
+    ./gradle-plugin.patch
+    log4j-update-cve-2021-44228
+  ];
 
   buildPhase = ''
     runHook preBuild