From 260d97ca25819690ce87bc5af48ab6a4ae0e2e68 Mon Sep 17 00:00:00 2001
From: Franz Pletz <fpletz@fnordicwalking.de>
Date: Wed, 11 Jan 2017 12:10:44 +0100
Subject: [PATCH] runc: add patches to fix CVE-2016-9962

---
 .../virtualization/runc/default.nix             | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/pkgs/applications/virtualization/runc/default.nix b/pkgs/applications/virtualization/runc/default.nix
index 432c1fdb964..7f19121b7f5 100644
--- a/pkgs/applications/virtualization/runc/default.nix
+++ b/pkgs/applications/virtualization/runc/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchFromGitHub, go-md2man
+{ stdenv, lib, fetchFromGitHub, fetchpatch, go-md2man
 , go, pkgconfig, libapparmor, apparmor-parser, libseccomp }:
 
 with lib;
@@ -14,6 +14,21 @@ stdenv.mkDerivation rec {
     sha256 = "06bxc4g3frh4i1lkzvwdcwmzmr0i52rz4a4pij39s15zaigm79wk";
   };
 
+  patches = [
+    # Two patches to fix CVE-2016-9962
+    # From https://bugzilla.suse.com/show_bug.cgi?id=1012568
+    (fetchpatch {
+      name = "0001-libcontainer-nsenter-set-init-processes-as-non-dumpa.patch";
+      url = "https://bugzilla.suse.com/attachment.cgi?id=709048&action=diff&context=patch&collapsed=&headers=1&format=raw";
+      sha256 = "1cfsmsyhc45a2929825mdaql0mrhhbrgdm54ly0957j2f46072ck";
+    })
+    (fetchpatch {
+      name = "0002-libcontainer-init-only-pass-stateDirFd-when-creating.patch";
+      url = "https://bugzilla.suse.com/attachment.cgi?id=709049&action=diff&context=patch&collapsed=&headers=1&format=raw";
+      sha256 = "1ykwg1mbvsxsnsrk9a8i4iadma1g0rgdmaj19dvif457hsnn31wl";
+    })
+  ];
+
   outputs = [ "out" "man" ];
 
   hardeningDisable = ["fortify"];