expat: add patch for CVE-2022-23990

[risicle]

Motivation for this change

https://nvd.nist.gov/vuln/detail/CVE-2022-23990

Perhaps someone or something is trying to teach me not to jump the gun on these and instead wait for 2.4.4. I'll learn my lesson if another comes.

Staging currently broken for me on macos but the early-stage version of this package builds for me there at least.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.05 Release Notes (or backporting 21.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[jonringer]

LGTM

Result of nixpkgs-review pr 157052 run on x86_64-linux 1

1 package built:

• expat

[github-actions]

Successfully created backport PR #157194 for staging-21.11.