diff --git a/pkgs/development/libraries/exempi/default.nix b/pkgs/development/libraries/exempi/default.nix
index ac2c21d4cf0..3bc5270f053 100644
--- a/pkgs/development/libraries/exempi/default.nix
+++ b/pkgs/development/libraries/exempi/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, expat, zlib, boost, libiconv, darwin }:
+{ stdenv, fetchurl, fetchpatch, expat, zlib, boost, libiconv, darwin }:
 
 stdenv.mkDerivation rec {
   name = "exempi-2.4.5";
@@ -8,6 +8,17 @@ stdenv.mkDerivation rec {
     sha256 = "07i29xmg8bqriviaf4vi1mwha4lrw85kfla29cfym14fp3z8aqa0";
   };
 
+  patches = [
+    # CVE-2018-12648
+    # https://gitlab.freedesktop.org/libopenraw/exempi/issues/9
+    # remove with exempi > 2.4.5
+    (fetchpatch {
+      name = "CVE-2018-12648.patch";
+      url = https://gitlab.freedesktop.org/libopenraw/exempi/commit/8ed2f034705fd2d032c81383eee8208fd4eee0ac.patch;
+      sha256 = "1nh8irk5p26868875wq5n8g92xp4crfb8fdd8gyna76ldyzqqx9q";
+    })
+  ];
+
   configureFlags = [
     "--with-boost=${boost.dev}"
   ];
@@ -15,6 +26,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ expat zlib boost ]
     ++ stdenv.lib.optionals stdenv.isDarwin [ libiconv darwin.apple_sdk.frameworks.CoreServices ];
 
+  doCheck = stdenv.isLinux;
+
   meta = with stdenv.lib; {
     homepage = https://libopenraw.freedesktop.org/wiki/Exempi/;
     platforms = platforms.linux ++ platforms.darwin;