From 892a9b1f0faf9553234784f5569a883c6f4f34ce Mon Sep 17 00:00:00 2001
From: Graham Christensen <graham@grahamc.com>
Date: Wed, 30 Nov 2016 19:05:52 -0500
Subject: [PATCH] icu: patch for multiple CVEs

 - CVE-2014-6585
 - CVE-2015-4760
 - CVE-2016-0494
 - CVE-2016-6293
 - CVE-2016-7415
---
 pkgs/development/libraries/icu/54.1.nix    |  5 ++--
 pkgs/development/libraries/icu/default.nix | 34 +++++++++++++++++++++-
 2 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/pkgs/development/libraries/icu/54.1.nix b/pkgs/development/libraries/icu/54.1.nix
index cd4398b3cc0..a2465ce930f 100644
--- a/pkgs/development/libraries/icu/54.1.nix
+++ b/pkgs/development/libraries/icu/54.1.nix
@@ -1,7 +1,7 @@
-{ stdenv, fetchurl, fixDarwinDylibNames }:
+{ stdenv, fetchurl, fetchpatch, fixDarwinDylibNames }:
 
 let
-  icu = import ./default.nix { inherit stdenv fetchurl fixDarwinDylibNames; };
+  icu = import ./default.nix { inherit stdenv fetchurl fetchpatch fixDarwinDylibNames; };
 in
   stdenv.lib.overrideDerivation icu (attrs: {
     src = fetchurl {
@@ -9,4 +9,3 @@ in
       sha256 = "1cwapgjmvrcv1n2wjspj3vahidg596gjfp4jn1gcb4baralcjayl";
     };
   })
-
diff --git a/pkgs/development/libraries/icu/default.nix b/pkgs/development/libraries/icu/default.nix
index ba8fe038ffa..d4a4c2a500c 100644
--- a/pkgs/development/libraries/icu/default.nix
+++ b/pkgs/development/libraries/icu/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, fixDarwinDylibNames }:
+{ stdenv, fetchurl, fetchpatch, fixDarwinDylibNames }:
 
 let
   pname = "icu4c";
@@ -25,6 +25,38 @@ stdenv.mkDerivation ({
     echo Source root reset to ''${sourceRoot}
   '';
 
+  # This pre/postPatch shenanigans is to handle that the patches expect
+  # to be outside of `source`.
+  prePatch = ''
+    pushd ..
+  '';
+  postPatch = ''
+    popd
+  '';
+
+  patches = [
+    (fetchpatch {
+      url = "https://sources.debian.net/data/main/i/icu/57.1-5/debian/patches/CVE-2014-6585.patch";
+      sha256 = "1s8kqax444pqf5chwxvgsx1n1dx7v74h34fqh08fyq57mcjnpj4d";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.net/data/main/i/icu/57.1-5/debian/patches/CVE-2015-4760.patch";
+      sha256 = "08gawyqbylk28i9pxv9vsw2drdpd6i97q0aml4nmv2xyb1ala0wp";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.net/data/main/i/icu/57.1-5/debian/patches/CVE-2016-0494.patch";
+      sha256 = "1741s8lpmnizjprzk3xb7zkm5fznzgk8hhlrs8a338c18nalvxay";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.net/data/main/i/icu/57.1-5/debian/patches/CVE-2016-6293.patch";
+      sha256 = "01h4xcss1vmsr60ijkv4lxsgvspwimyss61zp9nq4xd5i3kk1f4b";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.net/data/main/i/icu/57.1-5/debian/patches/CVE-2016-7415.patch";
+      sha256 = "01d070h8d7rkj55ac8isr64m999bv5znc8vnxa7aajglsfidzs2r";
+    })
+  ];
+
   preConfigure = ''
     sed -i -e "s|/bin/sh|${stdenv.shell}|" configure
   '';