From 100af695bf0ae85a2af3c394fe5230c0c1a293c9 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet <thomas@gerbet.me>
Date: Sat, 10 Feb 2024 22:34:31 +0100
Subject: [PATCH] opencryptoki: 3.20.0 -> 3.23.0

Fixes CVE-2024-0914.

Changes:
https://github.com/opencryptoki/opencryptoki/blob/v3.23.0/ChangeLog
---
 pkgs/tools/security/opencryptoki/default.nix | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/pkgs/tools/security/opencryptoki/default.nix b/pkgs/tools/security/opencryptoki/default.nix
index 056c379ac68f..67acc540348b 100644
--- a/pkgs/tools/security/opencryptoki/default.nix
+++ b/pkgs/tools/security/opencryptoki/default.nix
@@ -7,17 +7,18 @@
 , openldap
 , openssl
 , trousers
+, libcap
 }:
 
 stdenv.mkDerivation rec {
   pname = "opencryptoki";
-  version = "3.20.0";
+  version = "3.23.0";
 
   src = fetchFromGitHub {
     owner = "opencryptoki";
     repo = "opencryptoki";
     rev = "v${version}";
-    hash = "sha256-Z11CDw9ykmJ7MI7I0H4Y/i+8/I+hRgC2frklYPP1di0=";
+    hash = "sha256-5FcvwGTzsL0lYrSYGlbSY89s6OKzg+2TRlwHlJjdzXo=";
   };
 
   nativeBuildInputs = [
@@ -30,14 +31,17 @@ stdenv.mkDerivation rec {
     openldap
     openssl
     trousers
+    libcap
   ];
 
   postPatch = ''
     substituteInPlace configure.ac \
-      --replace "usermod" "true" \
-      --replace "groupadd" "true" \
-      --replace "chmod" "true" \
-      --replace "chgrp" "true"
+      --replace-fail "usermod" "true" \
+      --replace-fail "useradd" "true" \
+      --replace-fail "groupadd" "true" \
+      --replace-fail "chmod" "true" \
+      --replace-fail "chown" "true" \
+      --replace-fail "chgrp" "true"
   '';
 
   configureFlags = [