From 079dd272c63ee497a9e5a453deeafda9e3330c0a Mon Sep 17 00:00:00 2001
From: Josh Hoffer <jhoffer@sansorgan.es>
Date: Tue, 12 Aug 2025 10:27:16 -0700
Subject: [PATCH] audiofile: add many CVE patches

Patch the following CVEs using debian patches.

* CVE-2018-13440
* CVE-2018-17095
* CVE-2022-24599
* CVE-2019-13147

(cherry picked from commit def9ecde939309ac0e3020a6d1333bb3a6cc1a1a)
---
 pkgs/by-name/au/audiofile/package.nix | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/pkgs/by-name/au/audiofile/package.nix b/pkgs/by-name/au/audiofile/package.nix
index de5ce22b017a..04233447d471 100644
--- a/pkgs/by-name/au/audiofile/package.nix
+++ b/pkgs/by-name/au/audiofile/package.nix
@@ -16,7 +16,7 @@ let
     }:
     fetchpatch {
       inherit sha256 name;
-      url = "https://salsa.debian.org/multimedia-team/audiofile/raw/debian/0.3.6-4/debian/patches/${debname}";
+      url = "https://salsa.debian.org/multimedia-team/audiofile/raw/debian/0.3.6-7/debian/patches/${debname}";
     };
 
 in
@@ -97,6 +97,31 @@ stdenv.mkDerivation rec {
       debname = "10_Check-for-division-by-zero-in-BlockCodec-runPull.patch";
       sha256 = "1rlislkjawq98bbcf1dgl741zd508wwsg85r37ca7pfdf6wgl6z7";
     })
+    (fetchDebianPatch {
+      name = "CVE-2018-13440.patch";
+      debname = "11_CVE-2018-13440.patch";
+      sha256 = "sha256-qDfjiBJ4QXgn8588Ra1X0ViH0jBjtFS/+2zEGIUIhuo=";
+    })
+    (fetchDebianPatch {
+      name = "CVE-2018-17095.patch";
+      debname = "12_CVE-2018-17095.patch";
+      sha256 = "sha256-FC89EFZuRLcj5x4wZVqUlitEMTRPSZk+qzQpIoVk9xY=";
+    })
+    (fetchDebianPatch {
+      name = "CVE-2022-24599.patch";
+      debname = "0013-Fix-CVE-2022-24599.patch";
+      sha256 = "sha256-DHJQ4B6cvKfSlXy66ZC5RNaCMDaygj8dWLZZhJnhw1E=";
+    })
+    (fetchDebianPatch {
+      name = "1_CVE-2019-13147.patch";
+      debname = "0014-Partial-fix-of-CVE-2019-13147.patch";
+      sha256 = "sha256-clb/XiIZbmttPr2dT9AZsbQ97W6lwifEwMO4l2ZEh0k=";
+    })
+    (fetchDebianPatch {
+      name = "2_CVE-2019-13147.patch";
+      debname = "0015-Partial-fix-of-CVE-2019-13147.patch";
+      sha256 = "sha256-JOZIw962ae7ynnjJXGO29i8tuU5Dhk67DmB0o5/vSf4=";
+    })
   ];
 
   meta = with lib; {