exiv2: 0.26.2018.06.09 -> 0.26.2018.12.30 (security)

The bump includes all the patches we had and adds some more,
e.g. for CVE-2017-1000127.  I don't think all CVEs get fixed by that,
but 0.27 would currently break too many packages; /cc #50496.

pkgs/development/libraries/exiv2/default.nix

@@ -2,38 +2,16 @@
 , autoconf }:
 
 stdenv.mkDerivation rec {
-  name = "exiv2-0.26.2018.06.09";
+  name = "exiv2-0.26.2018.12.30";
 
     #url = "http://www.exiv2.org/builds/${name}-trunk.tar.gz";
   src = fetchFromGitHub rec {
     owner = "exiv2";
     repo  = "exiv2";
-    rev = "4aa57ad";
-    sha256 = "1kblpxbi4wlb0l57xmr7g23zn9adjmfswhs6kcwmd7skwi2yivcd";
+    rev = "f5d0b25"; # https://github.com/Exiv2/exiv2/commits/0.26
+    sha256 = "1blaz3g8dlij881g14nv2nsgr984wy6ypbwgi2pixk978p0gm70i";
   };
 
-  patches = [
-    (fetchurl rec {
-      name = "CVE-2017-9239.patch";
-      url = let patchname = "0006-1296-Fix-submitted.patch";
-          in "https://src.fedoraproject.org/lookaside/pkgs/exiv2/${patchname}"
-          + "/sha512/${sha512}/${patchname}";
-      sha512 = "3f9242dbd4bfa9dcdf8c9820243b13dc14990373a800c4ebb6cf7eac5653cfef"
-             + "e6f2c47a94fbee4ed24f0d8c2842729d721f6100a2b215e0f663c89bfefe9e32";
-    })
-    # Two backports from master, submitted as https://github.com/Exiv2/exiv2/pull/398
-    (fetchpatch {
-      name = "CVE-2018-12264.diff";
-      url = "https://github.com/vcunat/exiv2/commit/fd18e853.diff";
-      sha256 = "0y7ahh45lpaiazjnfllndfaa5pyixh6z4kcn2ywp7qy4ra7qpwdr";
-    })
-    (fetchpatch {
-      name = "CVE-2018-12265.diff";
-      url = "https://github.com/vcunat/exiv2/commit/9ed1671bd4.diff";
-      sha256 = "1cn446pfcgsh1bn9vxikkkcy1cqq7ghz2w291h1094ydqg6w7q6w";
-    })
-  ];
-
   postPatch = "patchShebangs ./src/svn_version.sh";
 
   preConfigure = "make config"; # needed because not using tarball