diff --git a/pkgs/by-name/op/opendkim/package.nix b/pkgs/by-name/op/opendkim/package.nix
index c80d68b098af..d33ebb0afe04 100644
--- a/pkgs/by-name/op/opendkim/package.nix
+++ b/pkgs/by-name/op/opendkim/package.nix
@@ -2,6 +2,7 @@
 lib,
 stdenv,
 fetchFromGitHub,
+ fetchpatch,
 nix-update-script,
 autoreconfHook,
 pkg-config,
@@ -24,6 +25,28 @@ stdenv.mkDerivation (finalAttrs: {
 hash = "sha256-/IqWB0s39t8BeqpRIa8MZn4HgXlIMuU2UbYbpZGNo1s=";
 };
 
+ # TODO: remove when is merge
+ patches = [
+ (fetchpatch {
+ # https://github.com/trusteddomainproject/OpenDKIM/pull/288
+ name = "CVE-2020-35766.patch";
+ url = "https://github.com/trusteddomainproject/OpenDKIM/commit/520338d25af68cf263b97ba63037e3f5856a10da.patch";
+ hash = "sha256-O4a4boa67tj0nqxee6V+u7rd3l3RGaiWE+Mu0ib4DWE=";
+ })
+ (fetchpatch {
+ # https://github.com/trusteddomainproject/OpenDKIM/pull/287
+ name = "CVE-2022-48521.patch";
+ url = "https://github.com/trusteddomainproject/OpenDKIM/commit/e67c33e1a08cca793470e6a6ff44082f73f6d222.patch";
+ hash = "sha256-QtxiRM+/NDlQhfGB8XNX1M1PtQyXXarawoF+8pTTMVo=";
+ })
+ (fetchpatch {
+ # https://github.com/trusteddomainproject/OpenDKIM/pull/261
+ name = "fix-old-style-dkimf_base64_encode_file.patch";
+ url = "https://github.com/trusteddomainproject/OpenDKIM/commit/3f0aa0a31c11b9924f826708535071b68c22b731.patch";
+ hash = "sha256-nQCBGef2kjs9ZyHwPreNPQYW6jBOBTDhVq9RyeGSN/Y=";
+ })
+ ];
+
 configureFlags = [
 "--with-milter=${libmilter}"
 "ac_cv_func_malloc_0_nonnull=yes"
@@ -63,11 +86,6 @@ stdenv.mkDerivation (finalAttrs: {
 license = lib.licenses.bsd3;
 platforms = lib.platforms.unix;
 mainProgram = "opendkim";
- knownVulnerabilities = [
- "CVE-2020-35766: Privilege escalation in test suite"
- "CVE-2022-48521: Specially crafted e-mails can bypass DKIM signature validation"
- "Upstream OpenDKIM hasn't been updated in years, and is assumed to be unmaintained. Consider using an alternative such as rspamd."
- ];
 maintainers = with lib.maintainers; [ maevii ];
 };
 })
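Review bot: The comment above `patches` (`# TODO: remove when is merge`) does not say what has to be merged or where; something like `# TODO: drop once upstream PRs #288, #287 and #261 are merged and released` would tell the next maintainer when the list can go. The TODO suggests these three commits come from pull requests upstream has not merged, so the CVE-2020-35766 and CVE-2022-48521 fixes carried here have presumably not been reviewed upstream, and it is worth recording who checked that each patch actually closes the issue it is named after. The pinned `hash` values protect the patch contents against tampering, but not against the commit URLs disappearing if the PR branches are rewritten. The last hunk also deletes the whole `knownVulnerabilities` list, including the "assumed to be unmaintained" entry that these patches do not change; consider keeping that notice where users will still see it, for example in `meta.longDescription`.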