mp3gain: Fix vulnerabilities

This commit fetches a patch for CVE-2019-18359 from Gentoo's repository [1]. Previously openSuSE[2] was used, but that did not work well with `fetchpatch` and having copies of patches is discouraged. This commit should also close https://github.com/NixOS/nixpkgs/issues/90893 [1]: https://gitweb.gentoo.org/repo/gentoo.git/commit/media-sound/mp3gain?id=36f8689f7903548f5d89827a6e7bdf70a9882cee [2]: https://build.opensuse.org/package/view_file/openSUSE:Factory/mp3gain/0001-fix-security-bugs.patch
2020-10-18 15:19:10 +01:00 · 2020-10-18 15:19:10 +01:00 · 487fb291d9
parent 7955668c3a
commit 487fb291d9
1 changed files with 13 additions and 5 deletions
--- a/pkgs/applications/audio/mp3gain/default.nix
+++ b/pkgs/applications/audio/mp3gain/default.nix
@ -1,4 +1,4 @@
-{ stdenv, fetchurl, unzip, mpg123 }:
+{ stdenv, fetchurl, fetchpatch, unzip, mpg123 }:

 stdenv.mkDerivation {
  name = "mp3gain-1.6.2";
@ -11,17 +11,25 @@ stdenv.mkDerivation {

  sourceRoot = ".";

+  patches = [
+    (fetchpatch {
+      name = "0001-fix-security-bugs.patch";
+      url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/media-sound/mp3gain/files/mp3gain-1.6.2-CVE-2019-18359-plus.patch?id=36f8689f7903548f5d89827a6e7bdf70a9882cee";
+      sha256 = "10n53wm0xynlcxqlnaqfgamjzcpfz41q1jlg0bhw4kq1kzhs4yyw";
+    })
+  ];
+
  buildFlags = [ "OSTYPE=linux" ];

  installPhase = ''
    install -vD mp3gain "$out/bin/mp3gain"
  '';

-  meta = {
+  meta = with stdenv.lib; {
    description = "Lossless mp3 normalizer with statistical analysis";
    homepage = "http://mp3gain.sourceforge.net/";
-    license = stdenv.lib.licenses.lgpl21;
-    platforms = stdenv.lib.platforms.linux;
-    maintainers = [ stdenv.lib.maintainers.devhell ];
+    license = licenses.lgpl21;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ devhell ];
  };
 }