From f2b4c18cd96a69e375d7d9b5ad1c09f8fc065571 Mon Sep 17 00:00:00 2001
From: Jelle Licht <jlicht@fsfe.org>
Date: Thu, 11 Aug 2016 17:02:41 +0200
Subject: gnu: jq: Fix CVE-2015-8863.

* gnu/packages/patches/jq-CVE-2015-8863.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/web.scm (jq)[source]: Use it.

Signed-off-by: Leo Famulari <leo@famulari.name>
---
 gnu/packages/web.scm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'gnu/packages/web.scm')

diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index fa791ffbe1..9106295061 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -3293,7 +3293,11 @@ It uses the uwsgi protocol for all the networking/interprocess communications.")
                                   "/" name "-" version ".tar.gz"))
               (sha256
                (base32
-                "0g29kyz4ykasdcrb0zmbrp2jqs9kv1wz9swx849i2d1ncknbzln4"))))
+                "0g29kyz4ykasdcrb0zmbrp2jqs9kv1wz9swx849i2d1ncknbzln4"))
+              ;; This patch has been pushed and the vulnerability will be
+              ;; fixed in the next release after 1.5.
+              ;; https://github.com/stedolan/jq/issues/995
+              (patches (search-patches "jq-CVE-2015-8863.patch"))))
     (inputs
      `(("oniguruma" ,oniguruma)))
     (native-inputs
-- 
cgit v1.2.3