Merge pull request #215216 from mweinelt/less

less: Apply patch for CVE-2022-46663

pkgs/tools/misc/less/default.nix

@@ -1,18 +1,41 @@
-{ lib, stdenv, fetchurl, ncurses, lessSecure ? false }:
+{ lib
+, stdenv
+, fetchurl
+, fetchpatch
+, ncurses
+, pcre2
+}:
 
 stdenv.mkDerivation rec {
   pname = "less";
   version = "608";
 
+  # Only tarballs on the website are valid releases,
+  # other versions, e.g. git tags are considered snapshots.
   src = fetchurl {
     url = "https://www.greenwoodsoftware.com/less/less-${version}.tar.gz";
-    sha256 = "02f2d9d6hyf03va28ip620gjc6rf4aikmdyk47h7frqj18pbx6m6";
+    hash = "sha256-ppq+LgoSZ3fgIdO3OqMiLhsmHxDmRiTUHsB5aFpqwgk=";
   };
 
-  configureFlags = [ "--sysconfdir=/etc" ] # Look for ‘sysless’ in /etc.
-    ++ lib.optionals lessSecure [ "--with-secure" ];
+  patches = [
+    (fetchpatch {
+      # https://github.com/advisories/GHSA-5xw7-xf7p-gm82
+      name = "CVE-2022-46663.patch";
+      url = "https://github.com/gwsw/less/commit/a78e1351113cef564d790a730d657a321624d79c.patch";
+      hash = "sha256-gWgCzoMt1WyVJVKYzkMq8HfaTlU1XUtC8fvNFUQT0sI=";
+    })
+  ];
 
-  buildInputs = [ ncurses ];
+  configureFlags = [
+    # Look for ‘sysless’ in /etc.
+    "--sysconfdir=/etc"
+    "--with-regex=pcre2"
+  ];
+
+  buildInputs = [
+    ncurses
+    pcre2
+  ];
 
   meta = with lib; {
     homepage = "https://www.greenwoodsoftware.com/less/";