From 7da8a5a7a40dd9a3064bab3cf27438d3b7febd82 Mon Sep 17 00:00:00 2001
From: Flakebi
Date: Thu, 30 Apr 2020 18:07:33 +0200
Subject: [PATCH] salt: 2019.2.0 -> 2019.2.4

Fixes CVE-2020-11651 and CVE-2020-11652
---
 pkgs/tools/admin/salt/default.nix | 33 +++++++++++++++++++++++--------
 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/pkgs/tools/admin/salt/default.nix b/pkgs/tools/admin/salt/default.nix
index 13bba0860c49f..07c9df549bf23 100644
--- a/pkgs/tools/admin/salt/default.nix
+++ b/pkgs/tools/admin/salt/default.nix
@@ -1,21 +1,40 @@
 {
- stdenv, pythonPackages, openssl,
+ stdenv, python2, openssl,

 # Many Salt modules require various Python modules to be installed,
 # passing them in this array enables Salt to find them.
 extraInputs ? []
 }:

-pythonPackages.buildPythonApplication rec {
+let
+
+ py = python2.override {
+ packageOverrides = self: super: {
+ pyyaml = super.pyyaml.overridePythonAttrs (
+ oldAttrs: rec {
+ version = "3.13";
+ src = oldAttrs.src.override {
+ inherit version;
+ sha256 = "1gx603g484z46cb74j9rzr6sjlh2vndxayicvlyhxdz98lhhkwry";
+ };
+ postPatch = "rm ext/_yaml.c";
+ doCheck = false;
+ }
+ );
+ };
+ };
+
+in
+py.pkgs.buildPythonApplication rec {
 pname = "salt";
- version = "2019.2.0";
+ version = "2019.2.4";

- src = pythonPackages.fetchPypi {
+ src = py.pkgs.fetchPypi {
 inherit pname version;
- sha256 = "1kgn3lway0zwwysyzpphv05j4xgxk92dk4rv1vybr2527wmvp5an";
+ sha256 = "0ir8gmir4jl21v252vxwgjaskj15wlkhp715jn7h1jb1vfairsxg";
 };

- propagatedBuildInputs = with pythonPackages; [
+ propagatedBuildInputs = with py.pkgs; [
 jinja2
 markupsafe
 msgpack
@@ -24,8 +43,6 @@ pythonPackages.buildPythonApplication rec {
 pyzmq
 requests
 tornado_4
- ] ++ stdenv.lib.optional (!pythonPackages.isPy3k) [
- futures
 ] ++ extraInputs;

 patches = [ ./fix-libcrypto-loading.patch ];
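Review bot: The `pyyaml` override in the new `let` block pins PyYAML to 3.13 and sets `doCheck = false` with no comment saying why, so a package being bumped for two CVEs now carries an older YAML parser in its closure with that parser's tests skipped. In PyYAML releases before 5.1, `yaml.load` without an explicit `Loader` can construct arbitrary Python objects, so the pin should be justified and easy to remove later; presumably Salt 2019.2.x does not work with the default pyyaml, but the hunk does not say. I would add above the override something like `# Salt 2019.2.x is incompatible with the default pyyaml (confirm and link the upstream issue); remove this pin once Salt supports it`, plus a short comment on `postPatch = "rm ext/_yaml.c"` and on `doCheck = false` stating what each works around. The second hunk drops `futures` even though the interpreter is now fixed to `python2`, so it is worth confirming that another input still propagates it.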