1 files changed, 10 insertions, 2 deletions

diff --git a/nixpkgs/pkgs/applications/audio/mpg321/default.nix b/nixpkgs/pkgs/applications/audio/mpg321/default.nix
index 65dfe3484b66..08fe9b4f9af1 100644
--- a/nixpkgs/pkgs/applications/audio/mpg321/default.nix
+++ b/nixpkgs/pkgs/applications/audio/mpg321/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, libao, libmad, libid3tag, zlib, alsaLib
+{stdenv, fetchurl, fetchpatch, libao, libmad, libid3tag, zlib, alsaLib
 # Specify default libao output plugin to use (e.g. "alsa", "pulse" …).
 # If null, it will use the libao system default.
 , defaultAudio ? null
@@ -13,6 +13,14 @@ stdenv.mkDerivation rec {
     sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2018-7263.patch";
+      url = "https://sources.debian.org/data/main/m/mpg321/0.3.2-3/debian/patches/handle_illegal_bitrate_value.patch";
+      sha256 = "15simp5fjvm9b024ryfh441rkh2d5bcrizqkzlrh07n9sm7fkw6x";
+    })
+  ];
+
   hardeningDisable = [ "format" ];
 
   configureFlags =
@@ -23,7 +31,7 @@ stdenv.mkDerivation rec {
   buildInputs = [libao libid3tag libmad zlib]
     ++ stdenv.lib.optional stdenv.isLinux alsaLib;
 
-  installTargets = "install install-man";
+  installTargets = [ "install" "install-man" ];
 
   meta = with stdenv.lib; {
     description = "Command-line MP3 player";