From e8fe5c4eb4d447e01b6237bf4e4f719329e7ed86 Mon Sep 17 00:00:00 2001
From: Robert Scott <code@humanleg.org.uk>
Date: Wed, 8 Sep 2021 00:59:44 +0100
Subject: [PATCH] botan2: add patch for CVE-2021-40529

(cherry picked from commit 63bf10c8487963d50d67024859178178f776164a)
---
 pkgs/development/libraries/botan/2.0.nix     | 11 ++++++++++-
 pkgs/development/libraries/botan/generic.nix |  2 ++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/pkgs/development/libraries/botan/2.0.nix b/pkgs/development/libraries/botan/2.0.nix
index 84f0ebef69b..113c4a27b91 100644
--- a/pkgs/development/libraries/botan/2.0.nix
+++ b/pkgs/development/libraries/botan/2.0.nix
@@ -1,4 +1,4 @@
-{ callPackage, ... } @ args:
+{ callPackage, fetchpatch, ... } @ args:
 
 callPackage ./generic.nix (args // {
   baseVersion = "2.18";
@@ -7,4 +7,13 @@ callPackage ./generic.nix (args // {
   postPatch = ''
     sed -e 's@lang_flags "@&--std=c++11 @' -i src/build-data/cc/{gcc,clang}.txt
   '';
+  extraPatches = [
+    (fetchpatch {
+      name = "CVE-2021-40529.patch";
+      url = "https://github.com/randombit/botan/commit/9a23e4e3bc3966340531f2ff608fa9d33b5185a2.patch";
+      sha256 = "1ax1n2l9zh0hk35vkkywgkhzpdk76xb9apz2wm3h9kjvjs9acr3y";
+      # our source tarball doesn't include the tests
+      excludes = [ "src/tests/*" ];
+    })
+  ];
 })
diff --git a/pkgs/development/libraries/botan/generic.nix b/pkgs/development/libraries/botan/generic.nix
index 2fc5abc2928..58f329fc8af 100644
--- a/pkgs/development/libraries/botan/generic.nix
+++ b/pkgs/development/libraries/botan/generic.nix
@@ -3,6 +3,7 @@
 , baseVersion, revision, sha256
 , sourceExtension ? "tar.xz"
 , extraConfigureFlags ? ""
+, extraPatches ? [ ]
 , postPatch ? null
 , knownVulnerabilities ? [ ]
 , CoreServices
@@ -22,6 +23,7 @@ stdenv.mkDerivation rec {
     ];
     inherit sha256;
   };
+  patches = extraPatches;
   inherit postPatch;
 
   buildInputs = [ python3 bzip2 zlib gmp openssl boost ]