From 7c4c781aa40c42d4cd10b8d9482199f3db345e1b Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Wed, 12 May 2021 18:21:19 -0400
Subject: gnu: Graphviz: Fix CVE-2020-18032.

* gnu/packages/patches/graphviz-CVE-2020-18032.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/graphviz.scm (graphviz)[replacement]: New field. (graphviz/fixed): New variable.
---
 gnu/packages/graphviz.scm | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'gnu/packages/graphviz.scm')
diff --git a/gnu/packages/graphviz.scm b/gnu/packages/graphviz.scm
index eb3fd1d583..72c96655bc 100644
--- a/gnu/packages/graphviz.scm
+++ b/gnu/packages/graphviz.scm
@@ -62,6 +62,7 @@
 (define-public graphviz
 (package
 (name "graphviz")
+ (replacement graphviz/fixed)
 (version "2.42.3")
 (source (origin
 (method url-fetch)
@@ -126,6 +127,15 @@ software engineering, database and web design, machine learning, and in visual
 interfaces for other technical domains.")
 (license license:epl1.0)))
 
+(define-public graphviz/fixed
+ (hidden-package
+ (package
+ (inherit graphviz)
+ (source (origin
+ (inherit (package-source graphviz))
+ (patches (append (search-patches "graphviz-CVE-2020-18032.patch")
+ (origin-patches (package-source graphviz)))))))))
+
 ;; Older Graphviz needed for pygraphviz. See
 ;; https://github.com/pygraphviz/pygraphviz/issues/175
 (define-public graphviz-2.38
-- 
cgit v1.2.3
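Review bot: `graphviz-2.38`, whose definition starts on the last context line of the second hunk, is not touched by this change, so the older Graphviz kept for pygraphviz may still be built without the CVE-2020-18032 fix. Its body lies outside the hunk; if it is defined with a plain `(inherit graphviz)`, it would presumably not pick up the graft, since as far as I know `replacement` is an innate field that `inherit` does not copy. It is worth confirming whether 2.38 contains the affected code and, if it does, whether the same patch applies to its source. Separately, a comment above `graphviz/fixed` such as `;; Graft for CVE-2020-18032; fold the patch into 'graphviz' at the next rebuild cycle.` would tell the next maintainer why the hidden variant exists and when it can go away.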