From 2a360652e2af41c7afdc4d15b96e187417aebb04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9-Patrick=20Bubel?=
Date: Sun, 26 Dec 2021 19:00:06 +0100
Subject: [PATCH] mediathekview: CVE-2021-45105 (log4j) mitigation

Remove the affected JndiLookup.class until we can update to the lastest Mediathekview version.
---
 pkgs/applications/video/mediathekview/default.nix | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/pkgs/applications/video/mediathekview/default.nix b/pkgs/applications/video/mediathekview/default.nix
index 1a6f1972133..7f36fd232e9 100644
--- a/pkgs/applications/video/mediathekview/default.nix
+++ b/pkgs/applications/video/mediathekview/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, makeWrapper, jre }:
+{ lib, stdenv, fetchurl, makeWrapper, jre, zip }:
 stdenv.mkDerivation rec {
 version = "13.8.0";
@@ -8,13 +8,16 @@ stdenv.mkDerivation rec {
 sha256 = "0zfkwz5psv7m0881ykgqrxwjhadg39c55aj2wpy7m1jdara86c5q";
 };
- nativeBuildInputs = [ makeWrapper ];
+ nativeBuildInputs = [ makeWrapper zip ];
 installPhase = ''
 runHook preInstall
 mkdir -p $out/{bin,lib}
+ # log4j mitigation, see https://logging.apache.org/log4j/2.x/security.html
+ zip -d MediathekView.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
+
 install -m644 MediathekView.jar $out/lib
 makeWrapper ${jre}/bin/java $out/bin/mediathek \