python3Packages.websockets: add patch for CVE-2021-33880

this is a reintroduction of CVE-2018-1000518 which i had been calling CVE-2018-1000518-redux before it got its own CVE assigned (cherry picked from commit aba83e7f878d6c48e781a3934a79f98b072bb659) (yes, a forward cherry-pick because i fully expected the websockets 9.1 to make it into 21.05)
2021-05-31 16:09:50 +01:00 · 2021-05-31 16:09:50 +01:00 · a1446cc63d
parent 4714dcf148
commit a1446cc63d
1 changed files with 10 additions and 0 deletions
--- a/pkgs/development/python-modules/websockets/default.nix
+++ b/pkgs/development/python-modules/websockets/default.nix
@ -1,5 +1,6 @@
 { lib
 , fetchFromGitHub
+, fetchpatch
 , buildPythonPackage
 , pythonOlder
 , pytest
@ -17,6 +18,15 @@ buildPythonPackage rec {
    sha256 = "05jbqcbjg50ydwl0fijhdlqcq7fl6v99kjva66kmmzzza7vwa872";
  };

+  patches = [
+    (fetchpatch {
+      name = "CVE-2021-33880.patch";
+      url = "https://github.com/aaugustin/websockets/commit/547a26b685d08cac0aa64e5e65f7867ac0ea9bc0.patch";
+      excludes = [ "docs/changelog.rst" ];
+      sha256 = "1wgsvza53ga8ldrylb3rqc17yxcrchwsihbq6i6ldpycq83q5akq";
+    })
+  ];
+
  disabled = pythonOlder "3.3";

  # Tests fail on Darwin with `OSError: AF_UNIX path too long`