buildbot: fix CVE-2019-7313

pkgs/development/tools/build-managers/buildbot/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, lib, openssh, buildbot-worker, buildbot-pkg, pythonPackages, runCommand, makeWrapper }:
+{ stdenv, lib, fetchpatch, openssh, buildbot-worker, buildbot-pkg, pythonPackages, runCommand, makeWrapper }:
 
 let
   withPlugins = plugins: runCommand "wrapped-${package.name}" {
@@ -74,6 +74,15 @@ let
       # This patch disables the test that tries to read /etc/os-release which
       # is not accessible in sandboxed builds.
       ./skip_test_linux_distro.patch
+
+      # CVE-2019-7313
+      # https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code
+      # https://github.com/buildbot/buildbot/compare/v1.8.0...v1.8.1
+      (fetchpatch {
+        url = "https://github.com/buildbot/buildbot/commit/bdae9fea4e8978b19e12425776b2d083febd91a6.diff";
+        sha256 = "18fbcbqphs8jjmfvjjcbcnv5wj87mj6jv9lmx17lfhpi5hg2axph";
+        stripLen = 1;
+      })
     ];
 
     postPatch = ''