gnu: avahi: Fix CVE-2018-1000845 and duplicate CVE-2017-6519.

* gnu/packages/avahi.scm (avahi/fixed): New variable.
(avahi)[replacement]: Use it.
* gnu/packages/patches/avahi-CVE-2018-1000845.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.

1 files changed, 11 insertions, 0 deletions

diff --git a/gnu/packages/avahi.scm b/gnu/packages/avahi.scm
index e71ffc2982..408be8ed57 100644
--- a/gnu/packages/avahi.scm
+++ b/gnu/packages/avahi.scm
@@ -35,6 +35,7 @@
   (package
     (name "avahi")
     (version "0.7")
+    (replacement avahi/fixed)
     (home-page "http://avahi.org")
     (source (origin
              (method url-fetch)
@@ -74,6 +75,16 @@ network.  It is an implementation of the mDNS (for \"Multicast DNS\") and
 DNS-SD (for \"DNS-Based Service Discovery\") protocols.")
     (license lgpl2.1+)))
 
+(define avahi/fixed
+  (package/inherit avahi
+    (source (origin
+              (inherit (package-source avahi))
+              (patches
+               (append (search-patches "avahi-CVE-2018-1000845.patch")
+                       (origin-patches (package-source avahi))))))
+    ;; Hide a duplicate of the CVE fixed above.
+    (properties `((lint-hidden-cve . ("CVE-2017-6519"))))))
+
 (define-public nss-mdns
   (package
     (name "nss-mdns")