From b1fe6da0be086f16a130ed7fe424df9220c65d61 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Sat, 23 Aug 2025 10:31:48 +0200
Subject: [PATCH] h2o: apply patch for CVE-2025-8671

Given upstream does not make things easy to determine if there are some breaking changes or not, only the security fix is backported instead of the whole upgrade (#433400).

---
 pkgs/by-name/h2/h2o/package.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/pkgs/by-name/h2/h2o/package.nix b/pkgs/by-name/h2/h2o/package.nix
index 5f90ecff51f9..76b485b83d57 100644
--- a/pkgs/by-name/h2/h2o/package.nix
+++ b/pkgs/by-name/h2/h2o/package.nix
@@ -2,6 +2,7 @@
 lib,
 stdenv,
 fetchFromGitHub,
+ fetchpatch,
 pkg-config,
 cmake,
 makeWrapper,
@@ -32,6 +33,16 @@ stdenv.mkDerivation (finalAttrs: {
 sha256 = "sha256-sfOkyEhlLGmXjYqRoI/8pD6/NBY7q6K9y2vS7qwJmrw=";
 };
 
+ patches = [
+ (fetchpatch {
+ # https://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq
+ # https://kb.cert.org/vuls/id/767506
+ name = "CVE-2025-8671.patch";
+ url = "https://github.com/h2o/h2o/commit/579ecfaca155d1f9f12bfd0cff6086dcda4b9692.patch";
+ hash = "sha256-bNnhx5RGBw6SmKmhlACHKPsnVUPzQUqHsunPdiayzv0=";
+ })
+ ];
+
 outputs = [
 "out"
 "man"
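Review bot: The new `patches` entry in the second hunk records the advisory and the upstream commit it pulls in, but not which h2o release first ships that commit, so whoever does the next version bump has to rediscover whether the patch is already in the new tarball or merely fails to apply. A one-line comment above `name`, e.g. `# Backported from upstream; drop once the package is bumped past <RELEASE CONTAINING 579ecfac> (placeholder — confirm against upstream tags)`, would make the removal condition explicit next to the provenance links. The `hash` pins fetchpatch's normalised output, so a change in what GitHub serves for that commit fails the fixed-output derivation instead of silently applying different code, which is the behaviour we want for a security backport. The enclosing `stdenv.mkDerivation (finalAttrs: {` attribute set starts and ends outside the hunk.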