cdparanoia: fix darwin; add security patches

patches are from macports and debian:

- add patches to include files containing function prototypes on darwin
- fix fprintf format error -- use "%s" buffer
- check buffer for null before dereferencing
- use labs for long
- scan additional ides 4-9

pkgs/applications/audio/cdparanoia/default.nix

@@ -1,6 +1,5 @@
 { lib, stdenv, fetchurl, fetchpatch
 , updateAutotoolsGnuConfigScriptsHook, autoreconfHook
-, IOKit, Carbon
 }:
 
 stdenv.mkDerivation rec {
@@ -14,8 +13,8 @@ stdenv.mkDerivation rec {
 
   patches = lib.optionals stdenv.hostPlatform.isDarwin [
     (fetchpatch {
-      url = "https://trac.macports.org/export/70964/trunk/dports/audio/cdparanoia/files/osx_interface.patch";
-      sha256 = "0hq3lvfr0h1m3p0r33jij0s1aspiqlpy533rwv19zrfllb39qvr8";
+      url = "https://github.com/macports/macports-ports/raw/c8e15973bc3c1e1ab371bc0ee2de14209e639f17/audio/cdparanoia/files/osx_interface.patch";
+      hash = "sha256-9p4+9dRvqLHkpR0RWLQcNL1m7fb7L6r+c9Q2tt4jh0U=";
       # Our configure patch will subsume it, but we want our configure
       # patch to be used on all platforms so we cannot just start where
       # this leaves off.
@@ -23,13 +22,38 @@ stdenv.mkDerivation rec {
     })
     (fetchurl {
       url = "https://trac.macports.org/export/70964/trunk/dports/audio/cdparanoia/files/patch-paranoia_paranoia.c.10.4.diff";
-      sha256 = "17l2qhn8sh4jy6ryy5si6ll6dndcm0r537rlmk4a6a8vkn852vad";
+      hash = "sha256-TW1RkJ0bKaPIrDSfUTKorNlmKDVRF++z8ZJAjSzEgp4=";
+    })
+    # add missing include files needed for function prototypes
+    (fetchpatch {
+      url = "https://github.com/macports/macports-ports/raw/f210a6061bc53c746730a37922399c6de6d69cb7/audio/cdparanoia/files/fixing-include.patch";
+      hash = "sha256-6a/u4b8/H/4XjyFup23xySgyAI9SMVMom4PLvH8KzhE=";
     })
   ] ++ [
     # Has to come after darwin patches
     ./fix_private_keyword.patch
     # Order does not matter
     ./configure.patch
+    # labs for long
+    (fetchpatch {
+      url = "https://github.com/macports/macports-ports/raw/f210a6061bc53c746730a37922399c6de6d69cb7/audio/cdparanoia/files/fixing-labs.patch";
+      hash = "sha256-BMMQ5bbPP3eevuwWUVjQCtRBiWbkAHD+O0C0fp+BPaw=";
+    })
+    # use "%s" for passing a buffer to fprintf
+    (fetchpatch {
+      url = "https://github.com/macports/macports-ports/raw/f210a6061bc53c746730a37922399c6de6d69cb7/audio/cdparanoia/files/fixing-fprintf.patch";
+      hash = "sha256-2dJl16p+f5l3wxVOJhsuLiQ9a4prq7jsRZP8/ygEae4=";
+    })
+    # add support for IDE4-9
+    (fetchpatch {
+      url = "https://salsa.debian.org/optical-media-team/cdparanoia/-/raw/bbf353721834b3784ccc0fd54a36a6b25181f5a4/debian/patches/02-ide-devices.patch";
+      hash = "sha256-S6OzftUIPPq9JHsoAE2K51ltsI1WkVaQrpgCjgm5AG4=";
+    })
+    # check buffer is non-null before dereferencing
+    (fetchpatch {
+      url = "https://salsa.debian.org/optical-media-team/cdparanoia/-/raw/f7bab3024c5576da1fdb7497abbd6abc8959a98c/debian/patches/04-endian.patch";
+      hash = "sha256-krfprwls0L3hsNfoj2j69J5k1RTKEQtzE0fLYG9EJKo=";
+    })
   ] ++ lib.optional stdenv.hostPlatform.isMusl ./utils.patch;
 
   nativeBuildInputs = [
@@ -37,13 +61,6 @@ stdenv.mkDerivation rec {
     autoreconfHook
   ];
 
-  propagatedBuildInputs = lib.optionals stdenv.hostPlatform.isDarwin [
-    Carbon
-    IOKit
-  ];
-
-  hardeningDisable = [ "format" ];
-
   # Build system reuses the same object file names for shared and static
   # library. Occasionally fails in the middle:
   #    gcc -O2 -fsigned-char -g -O2 -c scan_devices.c

pkgs/top-level/all-packages.nix

@@ -28383,10 +28383,7 @@ with pkgs;
 
   cdparanoia = cdparanoiaIII;
 
-  cdparanoiaIII = callPackage ../applications/audio/cdparanoia {
-    inherit (darwin) IOKit;
-    inherit (darwin.apple_sdk.frameworks) Carbon;
-  };
+  cdparanoiaIII = callPackage ../applications/audio/cdparanoia { };
 
   celeste = callPackage ../applications/networking/sync/celeste { };