From 145fb3eae47ae8a88bf046ab53505b44ac6bda31 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Tue, 23 Jul 2024 20:03:47 +0100 Subject: [PATCH 01/35] libopenmpt: 0.7.8 -> 0.7.9 Changes: https://lib.openmpt.org/libopenmpt/2024/07/21/security-updates-0.7.9-0.6.18-0.5.32-0.4.44/ (cherry picked from commit 3f547bd512a485877a71f5a9b1f84377fb7629e6) --- pkgs/development/libraries/audio/libopenmpt/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/audio/libopenmpt/default.nix b/pkgs/development/libraries/audio/libopenmpt/default.nix index 8e32ae89502b8..a08b93a9b0e55 100644 --- a/pkgs/development/libraries/audio/libopenmpt/default.nix +++ b/pkgs/development/libraries/audio/libopenmpt/default.nix @@ -16,13 +16,13 @@ stdenv.mkDerivation rec { pname = "libopenmpt"; - version = "0.7.8"; + version = "0.7.9"; outputs = [ "out" "dev" "bin" ]; src = fetchurl { url = "https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-${version}+release.autotools.tar.gz"; - hash = "sha256-h3eMgEaiJsbL+xFPTI4+J8Eht7PczOXLfeRYmSUCdMw="; + hash = "sha256-A4bpGNddeX551bFO3QhHFl2LNZ6YEe9XZSwKNWot/PQ="; }; enableParallelBuilding = true; From df7ecf34cc68bc9f1d03057381a56c193255049a Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Thu, 1 Aug 2024 19:26:05 +0200 Subject: [PATCH 02/35] stdenv: make sure the `env-vars` file created is not world readable Under some circumstances this file might contain private information that should not be accessible to everybody. (cherry picked from commit c47a1e701df7f00352b8cf401fa79c0d2f5fcc59) --- pkgs/stdenv/generic/setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh index d7521b1ad5da7..07f584ff22acb 100644 --- a/pkgs/stdenv/generic/setup.sh +++ b/pkgs/stdenv/generic/setup.sh 
@@ -981,7 +981,7 @@ substituteAllInPlace() {
 # the environment used for building.
 dumpVars() {
 if [ "${noDumpEnvVars:-0}" != 1 ]; then
- export 2>/dev/null >| "$NIX_BUILD_TOP/env-vars" || true
+ install -m 0600 <(export 2>/dev/null) "$NIX_BUILD_TOP/env-vars" || true
 fi
 }
From e5c3ef1ea21dd31c7ae8ab070f9f5509bc057295 Mon Sep 17 00:00:00 2001
From: jopejoe1
Date: Mon, 5 Aug 2024 20:14:42 +0200
Subject: [PATCH 03/35] ffmpeg_6: 6.1.1 -> 6.1.2
(cherry picked from commit 19eba8feb8f31af052f847fcec52069dba89be8f)
---
 pkgs/development/libraries/ffmpeg/default.nix | 4 ++--
 pkgs/development/libraries/ffmpeg/generic.nix | 5 -----
 2 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/pkgs/development/libraries/ffmpeg/default.nix b/pkgs/development/libraries/ffmpeg/default.nix
index 5bd9171275bee..01ee5f82fdcd5 100644
--- a/pkgs/development/libraries/ffmpeg/default.nix
+++ b/pkgs/development/libraries/ffmpeg/default.nix
@@ -27,8 +27,8 @@ let
 };
 v6 = {
- version = "6.1.1";
- hash = "sha256-Q0c95hbCVUHQWPoh5uC8uzMylmB4BnWg+VhXEgSouzo=";
+ version = "6.1.2";
+ hash = "sha256-h/N56iKkAR5kH+PRQceWZvHe3k+70KWMDEP5iVq/YFQ=";
 };
 v7 = {
diff --git a/pkgs/development/libraries/ffmpeg/generic.nix b/pkgs/development/libraries/ffmpeg/generic.nix
index 4b487dbf9320e..0238a71e0e93c 100644
--- a/pkgs/development/libraries/ffmpeg/generic.nix
+++ b/pkgs/development/libraries/ffmpeg/generic.nix
@@ -475,11 +475,6 @@ stdenv.mkDerivation (finalAttrs: {
 url = "https://git.ffmpeg.org/gitweb/ffmpeg.git/patch/cb049d377f54f6b747667a93e4b719380c3e9475";
 hash = "sha256-sxRXKKgUak5vsQTiV7ge8vp+N22CdTIvuczNgVRP72c=";
 })
- (fetchpatch2 {
- name = "fix_vulkan_av1";
- url = "https://git.ffmpeg.org/gitweb/ffmpeg.git/patch/e06ce6d2b45edac4a2df04f304e18d4727417d24";
- hash = "sha256-73mlX1rdJrguw7OXaSItfHtI7gflDrFj+7SepVvvUIg=";
- })
 (fetchpatch2 {
 name = "CVE-2024-31582.patch";
 url = "https://git.ffmpeg.org/gitweb/ffmpeg.git/patch/99debe5f823f45a482e1dc08de35879aa9c74bd2";
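Review bot: The new `install -m 0600 <(export 2>/dev/null) "$NIX_BUILD_TOP/env-vars" || true` line depends on install(1) accepting a `/dev/fd/N` source, which not every platform's install does, and the trailing `|| true` turns such a refusal into a silent absence of the env-vars dump rather than a visible error. Since the point of the change is that the dump must never exist in a world-readable state, it would be more robust to create the empty file with the restrictive mode first (`install -m 0600 /dev/null "$NIX_BUILD_TOP/env-vars"`) and only then redirect `export` into it, which also avoids `install` having to read from a pipe. The security intent is not stated anywhere in the hunk; a comment such as `# env-vars can contain secrets from the build environment, so it must never be world-readable` would tell the next editor why the 0600 mode matters. dumpVars is fully contained in the hunk.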
From e0fbd153a7ce9e85f1e21446bc61ee5acdb16b8f Mon Sep 17 00:00:00 2001 From: jopejoe1 Date: Wed, 7 Aug 2024 01:01:37 +0200 Subject: [PATCH 04/35] ffmpeg_7: 7.0.1 -> 7.0.2 (cherry picked from commit 41c2a080d04d2af50200be3658fa65548c212889) --- pkgs/development/libraries/ffmpeg/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/ffmpeg/default.nix b/pkgs/development/libraries/ffmpeg/default.nix index 01ee5f82fdcd5..f7607862c3e53 100644 --- a/pkgs/development/libraries/ffmpeg/default.nix +++ b/pkgs/development/libraries/ffmpeg/default.nix @@ -32,8 +32,8 @@ let }; v7 = { - version = "7.0.1"; - hash = "sha256-HiCT6bvLx4zmJ6ffutoimdz5ENQ55CRF64WBT3HeXMA="; + version = "7.0.2"; + hash = "sha256-6bcTxMt0rH/Nso3X7zhrFNkkmWYtxsbUqVQKh25R1Fs="; }; in From b7fec1855f49841bb67428efadf9a7c69be13c62 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Fri, 17 May 2024 06:39:02 +0000 Subject: [PATCH 05/35] vim: 9.1.0377 -> 9.1.0412 (cherry picked from commit aadbb9eb6fd266a59bcfe893e4d167c2b7ea792e) --- pkgs/applications/editors/vim/common.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/editors/vim/common.nix b/pkgs/applications/editors/vim/common.nix index 8b38e1c6e6e4a..eb5b49a443450 100644 --- a/pkgs/applications/editors/vim/common.nix +++ b/pkgs/applications/editors/vim/common.nix @@ -1,6 +1,6 @@ { lib, fetchFromGitHub }: rec { - version = "9.1.0377"; + version = "9.1.0412"; outputs = [ "out" "xxd" ]; @@ -8,7 +8,7 @@ rec { owner = "vim"; repo = "vim"; rev = "v${version}"; - hash = "sha256-cfN/QbnpWIQmLtpXWPc1JnaaX+J10ietObN/B9lE1F0="; + hash = "sha256-uLdXFZ8eW+iMXrvkaEkArZmRfAiyORaEZxFFPt0TrdI="; }; enableParallelBuilding = true; From a8a718a756a65add1bbddbbefce2109e42cb9214 Mon Sep 17 00:00:00 2001 
From: "R. Ryantm" Date: Fri, 21 Jun 2024 08:29:07 +0000 Subject: [PATCH 06/35] vim: 9.1.0412 -> 9.1.0509 (cherry picked from commit 7861a5d64245ba146306e83edbbb8bcce07ddb7c) --- pkgs/applications/editors/vim/common.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/editors/vim/common.nix b/pkgs/applications/editors/vim/common.nix index eb5b49a443450..48bea7e4d8c10 100644 --- a/pkgs/applications/editors/vim/common.nix +++ b/pkgs/applications/editors/vim/common.nix @@ -1,6 +1,6 @@ { lib, fetchFromGitHub }: rec { - version = "9.1.0412"; + version = "9.1.0509"; outputs = [ "out" "xxd" ]; @@ -8,7 +8,7 @@ rec { owner = "vim"; repo = "vim"; rev = "v${version}"; - hash = "sha256-uLdXFZ8eW+iMXrvkaEkArZmRfAiyORaEZxFFPt0TrdI="; + hash = "sha256-CATjUalRjvVjEfWT5evFAk//Oj4iB1fDBsRU5MhDyn4="; }; enableParallelBuilding = true; From 6f1fa649400778ae90e7eb8e393a160466427626 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Thu, 18 Jul 2024 10:20:14 +0000 Subject: [PATCH 07/35] vim: 9.1.0509 -> 9.1.0595 (cherry picked from commit 6ac037b1b54a7a44787f0596798d1aeaf335eae8) --- pkgs/applications/editors/vim/common.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/editors/vim/common.nix b/pkgs/applications/editors/vim/common.nix index 48bea7e4d8c10..6f74ec97a905c 100644 --- a/pkgs/applications/editors/vim/common.nix +++ b/pkgs/applications/editors/vim/common.nix @@ -1,6 +1,6 @@ { lib, fetchFromGitHub }: rec { - version = "9.1.0509"; + version = "9.1.0595"; outputs = [ "out" "xxd" ]; @@ -8,7 +8,7 @@ rec { owner = "vim"; repo = "vim"; rev = "v${version}"; - hash = "sha256-CATjUalRjvVjEfWT5evFAk//Oj4iB1fDBsRU5MhDyn4="; + hash = "sha256-v8xVP1WuvE9XdQl1LDIq3pjaKyqPWM0fsFKcpIwPbNA="; }; enableParallelBuilding = true; From f463b78dff3d3d929686df7b57f112d43dc84739 Mon Sep 17 00:00:00 2001 
From: Thomas Gerbet Date: Fri, 16 Aug 2024 22:41:07 +0200 Subject: [PATCH 08/35] vim: 9.1.0595 -> 9.1.0679 Fixes CVE-2024-43374 (https://github.com/vim/vim/security/advisories/GHSA-2w8m-443v-cgvw), CVE-2024-41957 (https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4) and CVE-2024-41965 (https://github.com/vim/vim/security/advisories/GHSA-46pw-v7qw-xc2f). https://github.com/vim/vim/compare/v9.1.0595...v9.1.0679 (cherry picked from commit ee1d23853f5fd73ddeb48091346b4e700a26d10e) --- pkgs/applications/editors/vim/common.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/editors/vim/common.nix b/pkgs/applications/editors/vim/common.nix index 6f74ec97a905c..998f7d2271d4b 100644 --- a/pkgs/applications/editors/vim/common.nix +++ b/pkgs/applications/editors/vim/common.nix @@ -1,6 +1,6 @@ { lib, fetchFromGitHub }: rec { - version = "9.1.0595"; + version = "9.1.0679"; outputs = [ "out" "xxd" ]; @@ -8,7 +8,7 @@ rec { owner = "vim"; repo = "vim"; rev = "v${version}"; - hash = "sha256-v8xVP1WuvE9XdQl1LDIq3pjaKyqPWM0fsFKcpIwPbNA="; + hash = "sha256-o8GQfHw7KNjDx4zrCfZXyViS9WGiYD3tzS8inq0xqh0="; }; enableParallelBuilding = true; From bbfff12880e50585796af54ca07689420a66a62b Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 19 Jun 2024 05:07:36 +0200 Subject: [PATCH 09/35] python3Packages.urllib3: 2.2.1 -> 2.2.2 https://github.com/urllib3/urllib3/blob/2.2.2/CHANGES.rst (cherry picked from commit 0ee11f47251eae83cb2d8461ae85eaa8ea8430c6) --- pkgs/development/python-modules/urllib3/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/urllib3/default.nix b/pkgs/development/python-modules/urllib3/default.nix index 77742a521d242..1bffd501e763d 100644 --- a/pkgs/development/python-modules/urllib3/default.nix +++ b/pkgs/development/python-modules/urllib3/default.nix 
@@ -24,12 +24,12 @@ let
 self = buildPythonPackage rec {
 pname = "urllib3";
- version = "2.2.1";
+ version = "2.2.2";
 pyproject = true;
 src = fetchPypi {
 inherit pname version;
- hash = "sha256-0FcIdsYaueUg13bDisu7WwWndtP5/5ilyP1RYqREzxk=";
+ hash = "sha256-3VBUhVSaelUoM9peYGNjnQ0XfATyO8OGTkHl3F9hIWg=";
 };
 nativeBuildInputs = [ hatchling ];
From 0ab819db177151e74180b37c8f25f2b2db8ea7be Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Sun, 18 Aug 2024 14:18:02 +0200
Subject: [PATCH 10/35] stdenv: create `env-vars` file before writing data to it
This fixes the regression introduced by c47a1e701df7f00352b8cf401fa79c0d2f5fcc59 on Darwin. The creation of the file using `install` and process substitution does not work on Darwin, you get the following complain:
```
install: skipping file '/dev/fd/63', as it was replaced while being copied
```
Fixes #335016
(cherry picked from commit d00775c1d9a3acbff2d121fbae54691a7f07d18a)
---
 pkgs/stdenv/generic/setup.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh
index 07f584ff22acb..e46c3c61ee68c 100644
--- a/pkgs/stdenv/generic/setup.sh
+++ b/pkgs/stdenv/generic/setup.sh
@@ -981,7 +981,13 @@ substituteAllInPlace() {
 # the environment used for building.
 dumpVars() {
 if [ "${noDumpEnvVars:-0}" != 1 ]; then
- install -m 0600 <(export 2>/dev/null) "$NIX_BUILD_TOP/env-vars" || true
+ # On darwin, install(1) cannot be called with /dev/stdin or fd from process substitution
+ # so first we create the file and then write to it
+ # See https://github.com/NixOS/nixpkgs/issues/335016
+ {
+ install -m 0600 /dev/null "$NIX_BUILD_TOP/env-vars" &&
+ export 2>/dev/null >| "$NIX_BUILD_TOP/env-vars"
+ } || true
 fi
 }
From 04cc9358a7bd96c227934f16eea6a3668fbde049 Mon Sep 17 00:00:00 2001
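Review bot: The new comment block explains the Darwin workaround but not the security reason for creating the file before writing to it, which is exactly what a future simplification (e.g. `export >| file; chmod 0600 file`) would undo. Creating the file with mode 0600 first means no byte of the dumped environment is ever written to a file readable by others, whereas a chmod-after-write leaves a window; a line such as `# Create the file with mode 0600 *before* writing: env-vars can hold secrets and must never be readable by others, even briefly` would capture that. If install(1) unlinks and recreates its target (as GNU install does), this also replaces a pre-existing, possibly world-readable env-vars from an earlier build rather than merely truncating it, which is worth stating since `>|` alone would keep the old mode. Note that `2>/dev/null` together with `|| true` keeps the dump best-effort, so an empty 0600 file may be left behind when `export` fails, matching the previous behaviour.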
From: Michael Paepcke Date: Thu, 27 Jun 2024 17:08:50 +0000 Subject: [PATCH 11/35] linux: enable CONFIG_SND_HDA_CODEC_CS8409 Add linux kernel support for Cirrus Logic CS8409 as module. This will for example unlock on-board Sound for some 2016-2019 Apple Intel Hardware Series (iMac, MacBookAir, MacBookPro) - tested on MacBookPro14,1 (cherry picked from commit 14d17610a912a810741c58ae2498d540179f5215) --- pkgs/os-specific/linux/kernel/common-config.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index aa7ac85312da4..723fceba3f5b9 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -507,6 +507,7 @@ let # Support configuring jack functions via fw mechanism at boot SND_HDA_PATCH_LOADER = yes; SND_HDA_CODEC_CA0132_DSP = whenOlder "5.7" yes; # Enable DSP firmware loading on Creative Soundblaster Z/Zx/ZxR/Recon + SND_HDA_CODEC_CS8409 = module; # Cirrus Logic HDA Bridge CS8409 SND_OSSEMUL = yes; SND_USB_CAIAQ_INPUT = yes; SND_USB_AUDIO_MIDI_V2 = whenAtLeast "6.5" yes; From 8c5a6413637a099d4f05e61d4a63dfd63af25b30 Mon Sep 17 00:00:00 2001 From: Michael Paepcke Date: Sun, 30 Jun 2024 19:57:27 +0000 Subject: [PATCH 12/35] linux: enable CONFIG_SND_HDA_CODEC_CS8409: restrict kernel >=6.6 (cherry picked from commit 14d51d6ebc4021939b57dd2554bd75e1cba2ad1f) --- pkgs/os-specific/linux/kernel/common-config.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index 723fceba3f5b9..bce3d13ed0326 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix 
@@ -507,7 +507,7 @@ let # Support configuring jack functions via fw mechanism at boot SND_HDA_PATCH_LOADER = yes; SND_HDA_CODEC_CA0132_DSP = whenOlder "5.7" yes; # Enable DSP firmware loading on Creative Soundblaster Z/Zx/ZxR/Recon - SND_HDA_CODEC_CS8409 = module; # Cirrus Logic HDA Bridge CS8409 + SND_HDA_CODEC_CS8409 = whenAtLeast "6.6" module; # Cirrus Logic HDA Bridge CS8409 SND_OSSEMUL = yes; SND_USB_CAIAQ_INPUT = yes; SND_USB_AUDIO_MIDI_V2 = whenAtLeast "6.5" yes; From 7a0cc0df321bc4ea4012bae7102fe66c91b800b8 Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Fri, 23 Aug 2024 00:38:42 +0200 Subject: [PATCH 13/35] vim: 9.1.0679 -> 9.1.0689 Fixes GHSA-v2x2-cjcg-f9jm https://www.openwall.com/lists/oss-security/2024/08/22/3 (cherry picked from commit cc390828efcd16cb1c32899471cafc53c0821662) --- pkgs/applications/editors/vim/common.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/editors/vim/common.nix b/pkgs/applications/editors/vim/common.nix index 998f7d2271d4b..8710f5926f925 100644 --- a/pkgs/applications/editors/vim/common.nix +++ b/pkgs/applications/editors/vim/common.nix @@ -1,6 +1,6 @@ { lib, fetchFromGitHub }: rec { - version = "9.1.0679"; + version = "9.1.0689"; outputs = [ "out" "xxd" ]; @@ -8,7 +8,7 @@ rec { owner = "vim"; repo = "vim"; rev = "v${version}"; - hash = "sha256-o8GQfHw7KNjDx4zrCfZXyViS9WGiYD3tzS8inq0xqh0="; + hash = "sha256-87y/STnGB2Yf64TMwCd6VCFF2kvy+DmNyaXVKPIc86E="; }; enableParallelBuilding = true; From 47c7c372e76b9526284006e4b62a59012e296bc6 Mon Sep 17 00:00:00 2001 From: Ivan Trubach Date: Mon, 19 Aug 2024 17:28:11 +0300 Subject: [PATCH 14/35] gnupatch: fix segfault on cleanup See https://savannah.gnu.org/bugs/?57717 Reproducer: ```console $ patch -p1 <<'EOF' diff --git a/file2.txt b/file2.txt index e69de29..d20e9cd 100644 --- a/file2.txt +++ b/file2.txt 
@@ -1 +1 @@ -old content +new content EOF ``` ``` (repeated lines omitted) patch: **** Can't create file file2.txt.orig : Too many open files patch: **** Can't create file file2.txt.orig : Too many open files patch: **** Can't create file file2.txt.origSegmentation fault (core dumped) ``` (cherry picked from commit 23eacd40cf5907665262e0dbeb24dc4347c575d1) --- .../Abort_when_cleaning_up_fails.patch | 51 +++++++++++++++++++ pkgs/tools/text/gnupatch/default.nix | 3 ++ 2 files changed, 54 insertions(+) create mode 100644 pkgs/tools/text/gnupatch/Abort_when_cleaning_up_fails.patch diff --git a/pkgs/tools/text/gnupatch/Abort_when_cleaning_up_fails.patch b/pkgs/tools/text/gnupatch/Abort_when_cleaning_up_fails.patch new file mode 100644 index 0000000000000..ab3baf80f8c17 --- /dev/null +++ b/pkgs/tools/text/gnupatch/Abort_when_cleaning_up_fails.patch 
@@ -0,0 +1,51 @@ +From b7b028a77bd855f6f56b17c8837fc1cca77b469d Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Fri, 28 Jun 2019 00:30:25 +0200 +Subject: Abort when cleaning up fails + +When a fatal error triggers during cleanup, another attempt will be made to +clean up, which will likely lead to the same fatal error. So instead, bail out +when that happens. +src/patch.c (cleanup): Bail out when called recursively. +(main): There is no need to call output_files() before cleanup() as cleanup() +already does that. +--- + src/patch.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/patch.c b/src/patch.c +index 4616a48..02fd982 100644 +--- a/src/patch.c ++++ b/src/patch.c +@@ -685,7 +685,6 @@ main (int argc, char **argv) + } + if (outstate.ofp && (ferror (outstate.ofp) || fclose (outstate.ofp) != 0)) + write_fatal (); +- output_files (NULL); + cleanup (); + delete_files (); + if (somefailed) +@@ -1991,7 +1990,6 @@ void + fatal_exit (int sig) + { + cleanup (); +- + if (sig) + exit_with_signal (sig); + +@@ -2011,6 +2009,12 @@ remove_if_needed (char const *name, bool *needs_removal) + static void + cleanup (void) + { ++ static bool already_cleaning_up; ++ ++ if (already_cleaning_up) ++ return; ++ already_cleaning_up = true; ++ + remove_if_needed (TMPINNAME, &TMPINNAME_needs_removal); + remove_if_needed (TMPOUTNAME, &TMPOUTNAME_needs_removal); + remove_if_needed (TMPPATNAME, &TMPPATNAME_needs_removal); +-- +cgit v1.1 + diff --git a/pkgs/tools/text/gnupatch/default.nix b/pkgs/tools/text/gnupatch/default.nix index c19e087ea5478..19d8652396c91 100644 --- a/pkgs/tools/text/gnupatch/default.nix +++ b/pkgs/tools/text/gnupatch/default.nix 
@@ -18,6 +18,9 @@ stdenv.mkDerivation rec { # https://git.savannah.gnu.org/cgit/patch.git/patch/?id=b5a91a01e5d0897facdd0f49d64b76b0f02b43e1 ./Allow_input_files_to_be_missing_for_ed-style_patches.patch + # https://git.savannah.gnu.org/cgit/patch.git/patch/?id=b7b028a77bd855f6f56b17c8837fc1cca77b469d + ./Abort_when_cleaning_up_fails.patch + # https://git.savannah.gnu.org/cgit/patch.git/patch/?id=123eaff0d5d1aebe128295959435b9ca5909c26d ./CVE-2018-1000156.patch From dfe96032b8b02a9d3b3e07081178dbe331fbae2a Mon Sep 17 00:00:00 2001 From: Yarny0 <41838844+Yarny0@users.noreply.github.com> Date: Tue, 27 Aug 2024 15:01:23 +0200 Subject: [PATCH 15/35] cups: replace CVE-2024-35235 patch file with fetchpatch The patch from commit https://github.com/NixOS/nixpkgs/commit/bdf63d7dcb4c04ff2f17fbadc56d158eb318e097 is also available in the cups source repository (up to some variations in code comments). --- pkgs/misc/cups/2.4.8-CVE-2024-35235.patch | 86 ----------------------- pkgs/misc/cups/default.nix | 7 +- 2 files changed, 6 insertions(+), 87 deletions(-) delete mode 100644 pkgs/misc/cups/2.4.8-CVE-2024-35235.patch diff --git a/pkgs/misc/cups/2.4.8-CVE-2024-35235.patch b/pkgs/misc/cups/2.4.8-CVE-2024-35235.patch deleted file mode 100644 index 243be682ceb66..0000000000000 --- a/pkgs/misc/cups/2.4.8-CVE-2024-35235.patch +++ /dev/null 
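Review bot: The new entry's comment is only the upstream URL, so the file does not say what the patch fixes, unlike the CVE patch below whose file name carries that information. A short line above `./Abort_when_cleaning_up_fails.patch`, e.g. `# Abort instead of recursing when cleanup() itself hits a fatal error (segfault, https://savannah.gnu.org/bugs/?57717)`, would let a maintainer decide whether the patch can be dropped on the next gnupatch bump without reading the patch body. The patches list starts and ends outside the hunk.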
@@ -1,86 +0,0 @@ -Based on upstream ff1f8a623e090dee8a8aadf12a6a4b25efac143d, adjusted to -apply to 2.4.8 - -diff --git a/cups/http-addr.c b/cups/http-addr.c -index 6aeeb8074..73a6b2f37 100644 ---- a/cups/http-addr.c -+++ b/cups/http-addr.c -@@ -206,27 +206,30 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */ - * Remove any existing domain socket file... - */ - -- unlink(addr->un.sun_path); -- -- /* -- * Save the current umask and set it to 0 so that all users can access -- * the domain socket... -- */ -- -- mask = umask(0); -+ // Remove any existing domain socket file... -+ if ((status = unlink(addr->un.sun_path)) < 0) -+ { -+ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno))); - -- /* -- * Bind the domain socket... -- */ -+ if (errno == ENOENT) -+ status = 0; -+ } - -- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr)); -+ if (!status) -+ { -+ // Save the current umask and set it to 0 so that all users can access -+ // the domain socket... -+ mask = umask(0); - -- /* -- * Restore the umask and fix permissions... -- */ -+ // Bind the domain socket... -+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0) -+ { -+ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno))); -+ } - -- umask(mask); -- chmod(addr->un.sun_path, 0140777); -+ // Restore the umask... -+ umask(mask); -+ } - } - else - #endif /* AF_LOCAL */ -diff --git a/scheduler/conf.c b/scheduler/conf.c -index defca78aa..ebf8ca8cc 100644 ---- a/scheduler/conf.c -+++ b/scheduler/conf.c -@@ -3083,6 +3083,26 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ - cupsd_listener_t *lis; /* New listeners array */ - - -+ /* -+ * If we are launched on-demand, do not use domain sockets from the config -+ * file. Also check that the domain socket path is not too long... 
-+ */ -+ -+#ifdef HAVE_ONDEMAND -+ if (*value == '/' && OnDemand) -+ { -+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET)) -+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum); -+ continue; -+ } -+#endif // HAVE_ONDEMAND -+ -+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1)) -+ { -+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum); -+ continue; -+ } -+ - /* - * Get the address list... - */ diff --git a/pkgs/misc/cups/default.nix b/pkgs/misc/cups/default.nix index 5d4b6f00acae1..5735d193fe5fe 100644 --- a/pkgs/misc/cups/default.nix +++ b/pkgs/misc/cups/default.nix @@ -19,6 +19,7 @@ , libpaper ? null , coreutils , nixosTests +, fetchpatch }: stdenv.mkDerivation rec { @@ -33,7 +34,11 @@ stdenv.mkDerivation rec { outputs = [ "out" "lib" "dev" "man" ]; patches = [ - ./2.4.8-CVE-2024-35235.patch + (fetchpatch { + name = "CVE-2024-35235.patch"; + url = "https://github.com/OpenPrinting/cups/commit/b273a1f29bda87317c551614cf9ab6125f56e317.patch"; + hash = "sha256-nzWKEMOEBKZMjqVPl2mcATtXZSrh++yhv9VMvbA+49E="; + }) ]; postPatch = '' From df3ad55663ecce0983be0da25d2c87657158f4f4 Mon Sep 17 00:00:00 2001 
From: Yarny0 <41838844+Yarny0@users.noreply.github.com> Date: Tue, 27 Aug 2024 15:04:37 +0200 Subject: [PATCH 16/35] cups: fix socket-only usage If cups is started with no network listeners, i.e., only with `Listen /path/to/unix.socket` lines in cupsd.conf, it fails to start. This is caused by the patch of CVE-2024-35235, see also https://github.com/NixOS/nixpkgs/commit/bdf63d7dcb4c04ff2f17fbadc56d158eb318e097 https://github.com/NixOS/nixpkgs/commit/dfe96032b8b02a9d3b3e07081178dbe331fbae2a Upstream documented the problem here https://github.com/OpenPrinting/cups/issues/985 and fixed it here https://github.com/OpenPrinting/cups/pull/988 . In NixOS, the problem manifests itself with this configuration: > services.printing.listenAddresses = []; The commit at hand adds three more patches from the upstream repository. This is the smalles possible change that fixes the regression caused by the initial patch. --- pkgs/misc/cups/default.nix | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/pkgs/misc/cups/default.nix b/pkgs/misc/cups/default.nix index 5735d193fe5fe..396914479d4a5 100644 --- a/pkgs/misc/cups/default.nix +++ b/pkgs/misc/cups/default.nix 
@@ -39,6 +39,23 @@ stdenv.mkDerivation rec {
 url = "https://github.com/OpenPrinting/cups/commit/b273a1f29bda87317c551614cf9ab6125f56e317.patch";
 hash = "sha256-nzWKEMOEBKZMjqVPl2mcATtXZSrh++yhv9VMvbA+49E=";
 })
+ # the following three patches fix a regression introduced by the patch above
+ (fetchpatch {
+ name = "CVE-2024-35235-fixup-domainsocket-1.patch";
+ url = "https://github.com/OpenPrinting/cups/commit/6131f6a73c188f3db0ec94ae488991ce80cfd7ea.patch";
+ hash = "sha256-uftOI0zkwPXsW8CY8BoOkx4BysjDUc66LuzyZDjUHCI=";
+ })
+ (fetchpatch {
+ name = "CVE-2024-35235-fixup-domainsocket-2.patch";
+ url = "https://github.com/OpenPrinting/cups/commit/4417cd366f7baf64f4ada3efbb3ec13cd773a0f4.patch";
+ hash = "sha256-ighA4Vmf43iiwkNl71//Ml8ynh8nF/bcNOKELeJFPKo=";
+ })
+ (fetchpatch {
+ name = "CVE-2024-35235-fixup-domainsocket-3.patch";
+ url = "https://github.com/OpenPrinting/cups/commit/145b946a86062aafab76c656ee9c1112bfd4f804.patch";
+ includes = [ "scheduler/conf.c" ];
+ hash = "sha256-2jQFHUFav8XDfqA/PVKNvbUnZI34na8Wbuu4XRy3uqc=";
+ })
 ];
 postPatch = ''
From 362354165517b722e7ffadac18df3ae84923583d Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Thu, 8 Aug 2024 15:36:12 +0200
Subject: [PATCH 17/35] python312: 3.12.4 -> 3.12.5
https://docs.python.org/release/3.12.5/whatsnew/changelog.html
(cherry picked from commit 8878d8afcd31cfdcd363d323cf3dabaed6929845)
---
 pkgs/development/interpreters/python/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/interpreters/python/default.nix b/pkgs/development/interpreters/python/default.nix
index f31df964319cd..aa725e0e7a2d8 100644
--- a/pkgs/development/interpreters/python/default.nix
+++ b/pkgs/development/interpreters/python/default.nix
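Review bot: The third fetchpatch restricts upstream commit 145b946a86062aafab76c656ee9c1112bfd4f804 to `scheduler/conf.c` via `includes`, but nothing in the hunk says what the rest of that commit touches or why it is excluded, so the restriction can be silently dropped on a later edit. A comment such as `# only the scheduler/conf.c part is needed for the regression fix; the remaining hunks are deliberately left out (TODO: confirm they do not apply to 2.4.8)` would record the decision. The leading comment `# the following three patches fix a regression introduced by the patch above` would also be more useful if it named the regression and the upstream reference given in the commit message, e.g. `# … (cupsd fails to start when only Unix-socket Listen directives are configured, see https://github.com/OpenPrinting/cups/issues/985)`. The patches list begins before the hunk.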
@@ -79,10 +79,10 @@ in { sourceVersion = { major = "3"; minor = "12"; - patch = "4"; + patch = "5"; suffix = ""; }; - hash = "sha256-9tQZpth0OrJnAIAbSQjSbZfouYbhT5XeMbMt4rDnlVQ="; + hash = "sha256-+oouEsXmILCfU+ZbzYdVDS5aHi4Ev4upkdzFUROHY5c="; inherit (darwin) configd; inherit passthruFun; }; From 9654c12c66d9a0c07278d713f7793fb8b2e4814d Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Sun, 1 Sep 2024 22:25:35 +0100 Subject: [PATCH 18/35] grpc: 1.62.1 -> 1.62.3 addressing CVE-2024-7246 --- pkgs/development/libraries/grpc/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/grpc/default.nix b/pkgs/development/libraries/grpc/default.nix index bf9b58ec4a092..b8428cde6ad03 100644 --- a/pkgs/development/libraries/grpc/default.nix +++ b/pkgs/development/libraries/grpc/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation rec { pname = "grpc"; - version = "1.62.1"; # N.B: if you change this, please update: + version = "1.62.3"; # N.B: if you change this, please update: # pythonPackages.grpcio-tools # pythonPackages.grpcio-status @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { owner = "grpc"; repo = "grpc"; rev = "v${version}"; - hash = "sha256-L0bn6Bg36UKIRxznH9o4T7WXUqMwFjr8ybeQfbUi8xM="; + hash = "sha256-ShcC90WSMFVjpuM1up+0JShqK3RGW2edxlp9wMt6dPg="; fetchSubmodules = true; }; From 2403d2b662a2ee531ac7d5a5df4766a999d2b360 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Sun, 1 Sep 2024 22:25:58 +0100 Subject: [PATCH 19/35] python311Packages.grpcio-status: 1.62.2 -> 1.62.3 --- pkgs/development/python-modules/grpcio-status/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/grpcio-status/default.nix b/pkgs/development/python-modules/grpcio-status/default.nix index c587948f185f5..de9631d6876f1 100644 --- a/pkgs/development/python-modules/grpcio-status/default.nix +++ b/pkgs/development/python-modules/grpcio-status/default.nix 
@@ -10,14 +10,14 @@ buildPythonPackage rec { pname = "grpcio-status"; - version = "1.62.2"; + version = "1.62.3"; format = "setuptools"; disabled = pythonOlder "3.6"; src = fetchPypi { inherit pname version; - hash = "sha256-YuG/ywICWhzXNzKi0zZy0+nQ300hwSxR4LvK8JurdCo="; + hash = "sha256-KJvdeyRZeUoSz5XcDLcnvUoXQsN72CP3YCNsk35TpIU="; }; postPatch = '' From 87689c772893b4d00f8fcfa91e1f9620cb20be61 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Sun, 1 Sep 2024 22:26:23 +0100 Subject: [PATCH 20/35] python311Packages.grpcio-tools: 1.62.2 -> 1.62.3 --- pkgs/development/python-modules/grpcio-tools/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/grpcio-tools/default.nix b/pkgs/development/python-modules/grpcio-tools/default.nix index d98f1bee9ee20..396f3cdef4817 100644 --- a/pkgs/development/python-modules/grpcio-tools/default.nix +++ b/pkgs/development/python-modules/grpcio-tools/default.nix @@ -9,12 +9,12 @@ buildPythonPackage rec { pname = "grpcio-tools"; - version = "1.62.2"; + version = "1.62.3"; format = "setuptools"; src = fetchPypi { inherit pname version; - hash = "sha256-X9XhWCtnjmuUHuX1gJNAvl4HJGkd9SmaroImZA+U4Y8="; + hash = "sha256-fHE2AVw9YsPu9JPvq6+eM4Dj5m0k7o6UwBy3E3f1eDM="; }; postPatch = '' From 986d01943ab0f5bc4571597143e8c4cedeb6cb6b Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Sat, 31 Aug 2024 21:26:58 +0200 Subject: [PATCH 21/35] vim: 9.1.0689 -> 9.1.0707 Fixes 2 heap-buffer-overflows (GHSA-4ghr-c62x-cqfh / CVE-2024-43802, GHSA-wxf9-c5gx-qrwr). https://www.openwall.com/lists/oss-security/2024/08/31/1 https://www.openwall.com/lists/oss-security/2024/08/25/1 (cherry picked from commit 90534869fb973c7d8d49f343ff1c999d19f06e55) --- pkgs/applications/editors/vim/common.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/editors/vim/common.nix b/pkgs/applications/editors/vim/common.nix index 8710f5926f925..8a66a71bbe155 100644 
--- a/pkgs/applications/editors/vim/common.nix +++ b/pkgs/applications/editors/vim/common.nix @@ -1,6 +1,6 @@ { lib, fetchFromGitHub }: rec { - version = "9.1.0689"; + version = "9.1.0707"; outputs = [ "out" "xxd" ]; @@ -8,7 +8,7 @@ rec { owner = "vim"; repo = "vim"; rev = "v${version}"; - hash = "sha256-87y/STnGB2Yf64TMwCd6VCFF2kvy+DmNyaXVKPIc86E="; + hash = "sha256-iHOLABPk5B7Sh7EBYnM7wdxnK2Wv7q4WS3FEp780SV4="; }; enableParallelBuilding = true; From 5e7ac3737ac5abca6dc4b4506455b2cc5908931c Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sat, 29 Jun 2024 04:01:01 +0200 Subject: [PATCH 22/35] cacert: 3.101 -> 3.101.1 https://github.com/nss-dev/nss/blob/master/doc/rst/releases/nss_3_101_1.rst (cherry picked from commit 2fdd709e7a385179aceee46adca4e1d8a72b50e3) --- pkgs/data/misc/cacert/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix index 7668c67b31e39..98ba4a18a1d70 100644 --- a/pkgs/data/misc/cacert/default.nix +++ b/pkgs/data/misc/cacert/default.nix @@ -20,7 +20,7 @@ let blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist); extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings); - srcVersion = "3.101"; + srcVersion = "3.101.1"; version = if nssOverride != null then nssOverride.version else srcVersion; meta = with lib; { homepage = "https://curl.haxx.se/docs/caextract.html"; @@ -37,7 +37,7 @@ let owner = "nss-dev"; repo = "nss"; rev = "NSS_${lib.replaceStrings ["."] ["_"] version}_RTM"; - hash = "sha256-lO+81zYBBFwqcjh4cd/fpiznHZ9rTJpfDW/yF8phYts="; + hash = "sha256-KcRiOUbdFnH618MFM6uxmRn+/Jn4QMHtv1BELXrCAX4="; }; dontBuild = true; From 1417a968b2321f20367e8fae8f5f192ef72fa409 Mon Sep 17 00:00:00 2001 
From: ajs124 Date: Mon, 2 Sep 2024 15:36:53 +0200 Subject: [PATCH 23/35] cacert: 3.101.1 -> 3.104 https://github.com/nss-dev/nss/blob/NSS_3_104_BRANCH/doc/rst/releases/nss_3_104.rst (cherry picked from commit 4fd0cbfb5bf2c664d5bf845cd125975dbafc0427) --- pkgs/data/misc/cacert/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix index 98ba4a18a1d70..35a628d1f6035 100644 --- a/pkgs/data/misc/cacert/default.nix +++ b/pkgs/data/misc/cacert/default.nix @@ -20,7 +20,7 @@ let blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist); extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings); - srcVersion = "3.101.1"; + srcVersion = "3.104"; version = if nssOverride != null then nssOverride.version else srcVersion; meta = with lib; { homepage = "https://curl.haxx.se/docs/caextract.html"; @@ -37,7 +37,7 @@ let owner = "nss-dev"; repo = "nss"; rev = "NSS_${lib.replaceStrings ["."] ["_"] version}_RTM"; - hash = "sha256-KcRiOUbdFnH618MFM6uxmRn+/Jn4QMHtv1BELXrCAX4="; + hash = "sha256-TEGEKocapU5OTqx69n8nrn/X3SZr49d1alHM73UnDJw="; }; dontBuild = true; From a9269f5f7a16a15ec5c20b00b97f430fd1b1bc13 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 4 Sep 2024 02:41:21 +0200 Subject: [PATCH 24/35] python312Packages.django_4: 4.2.15 -> 4.2.16 https://docs.djangoproject.com/en/4.2/releases/4.2.16/ https://www.djangoproject.com/weblog/2024/sep/03/security-releases/ Fixes: CVE-2024-45230, CVE-2024-45231 (cherry picked from commit dfefafb8f66a9269882f60f72a3d27b695820c36) --- pkgs/development/python-modules/django/4.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/django/4.nix b/pkgs/development/python-modules/django/4.nix index 808f119b7ddae..990409fd36adf 100644 --- a/pkgs/development/python-modules/django/4.nix 
+++ b/pkgs/development/python-modules/django/4.nix
@@ -44,7 +44,7 @@ buildPythonPackage rec {
 pname = "django";
- version = "4.2.15";
+ version = "4.2.16";
 format = "pyproject";
 disabled = pythonOlder "3.8";
@@ -53,7 +53,7 @@ buildPythonPackage rec {
 owner = "django";
 repo = "django";
 rev = "refs/tags/${version}";
- hash = "sha256-SWENMUsTgP3X3EvFiTgpKCZO0/KaZ1x1stSyp2kM/P4=";
+ hash = "sha256-VW/qfqOadivtU8Xg70FLqENtOV7GqJM4bR2Ik6Yag+o=";
 };
 patches =
From f74e2ab10614e8f13011e77dc3b6ff2a7d6ad100 Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich
Date: Sun, 1 Sep 2024 07:16:07 +0100
Subject: [PATCH 25/35] tcpdump: 4.99.4 -> 4.99.5 Changes: https://www.tcpdump.org/index.html#latest-releases (cherry picked from commit 9987b44d937d4169a3e4c0180912e7e99556f48b)
---
 pkgs/tools/networking/tcpdump/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/tools/networking/tcpdump/default.nix b/pkgs/tools/networking/tcpdump/default.nix
index 996466901201d..b61f42eae308e 100644
--- a/pkgs/tools/networking/tcpdump/default.nix
+++ b/pkgs/tools/networking/tcpdump/default.nix
@@ -2,11 +2,11 @@ stdenv.mkDerivation rec {
 pname = "tcpdump";
- version = "4.99.4";
+ version = "4.99.5";
 src = fetchurl {
 url = "https://www.tcpdump.org/release/tcpdump-${version}.tar.gz";
- hash = "sha256-AjIjG7LynWvyQm5woIp+DGOg1ZqbRIY7f14jV6bkn+o=";
+ hash = "sha256-jHWFbgCt3urfcNrWfJ/z3TaFNrK4Vjq/aFTXx2TNOts=";
 };
 postPatch = ''
From cac1d4288030e3add0f6e374214bed64aab03ce0 Mon Sep 17 00:00:00 2001
From: Michael Stahnke
Date: Sat, 7 Sep 2024 01:53:28 -0500
Subject: [PATCH 26/35] ruby: 3.3.4 -> 3.3.5 (#340137) Fixes: CVE-2024-43398 Fixes: CVE-2024-41946 Fixes: CVE-2024-41123 Fixes: CVE-2024-39908 (cherry picked from commit a48704428792db4901fd41bc940f4e610a4edd00)
---
 pkgs/development/interpreters/ruby/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/interpreters/ruby/default.nix b/pkgs/development/interpreters/ruby/default.nix
index df46440ea54a4..25314cd999e89 100644
--- a/pkgs/development/interpreters/ruby/default.nix
+++ b/pkgs/development/interpreters/ruby/default.nix
@@ -307,8 +307,8 @@ in {
 };
 ruby_3_3 = generic {
- version = rubyVersion "3" "3" "4" "";
- hash = "sha256-/mow+X1U4Cl2jy3fSSNpnEFs28Om6W2z4tVxbH25ajQ=";
+ version = rubyVersion "3" "3" "5" "";
+ hash = "sha256-N4GjUEIiwvJstLnrnBoS2/SUTTZs4kqf+M+Z7LznUZY=";
 cargoHash = "sha256-GeelTMRFIyvz1QS2L+Q3KAnyQy7jc0ejhx3TdEFVEbk=";
 };
From a83b19a8991e35cf9d36c1d3afe1215a1f03436b Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich
Date: Thu, 5 Sep 2024 22:05:30 +0100
Subject: [PATCH 27/35] tzdata: 2024a -> 2024b Changes: https://github.com/eggert/tz/blob/2024b/NEWS (cherry picked from commit d71d9e86b1f9ff0e979276f0a9afa3774db48d39)
---
 pkgs/data/misc/tzdata/default.nix | 13 ++++++------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/pkgs/data/misc/tzdata/default.nix b/pkgs/data/misc/tzdata/default.nix
index 522b2da68ca5c..939b75218f4fe 100644
--- a/pkgs/data/misc/tzdata/default.nix
+++ b/pkgs/data/misc/tzdata/default.nix
@@ -2,16 +2,16 @@ stdenv.mkDerivation (finalAttrs: {
 pname = "tzdata";
- version = "2024a";
+ version = "2024b";
 srcs = [
 (fetchurl {
 url = "https://data.iana.org/time-zones/releases/tzdata${finalAttrs.version}.tar.gz";
- hash = "sha256-DQQ0RZrL0gWaeo2h8zBKhKhlkfbtacYkj/+lArbt/+M=";
+ hash = "sha256-cOdU2xJqjQ2z0W1rTLX37B4E1fJhJV5FWKZ/6S055VA=";
 })
 (fetchurl {
 url = "https://data.iana.org/time-zones/releases/tzcode${finalAttrs.version}.tar.gz";
- hash = "sha256-gAcolK3/WkWPHRQ+FuTKHYsqEiycU5naSCy2jLpqH/g=";
+ hash = "sha256-XkOPxEliSQavFqGP9Fc3OfDNqYYuXsKNO8sZy67Q9nI=";
 })
 ];
@@ -45,11 +45,10 @@ stdenv.mkDerivation (finalAttrs: {
 "CFLAGS+=-DRESERVE_STD_EXT_IDS"
 ];
+ enableParallelBuilding = true;
+
 doCheck = true;
- # everything except for:
- # - check_web, because that needs curl and wants to talk to https://validator.w3.org
- # - check_now, because that depends on the current time
- checkTarget = "check_back check_character_set check_white_space check_links check_name_lengths check_slashed_abbrs check_sorted check_tables check_ziguard check_zishrink check_tzs";
+ checkTarget = "check";
 installFlags = lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
 "zic=${buildPackages.tzdata.bin}/bin/zic"
From fb7de0f563e2e9d0148571a5c4c5661ddee3ee43 Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich
Date: Sat, 7 Sep 2024 07:14:29 +0100
Subject: [PATCH 28/35] expat: 2.6.2 -> 2.6.3 Changes: https://github.com/libexpat/libexpat/blob/R_2_6_3/expat/Changes (cherry picked from commit 41723c52fa412d1c3fdb16ffc413fd6205014119)
---
 pkgs/development/libraries/expat/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/libraries/expat/default.nix b/pkgs/development/libraries/expat/default.nix
index 9944277e946b6..be4083e042765 100644
--- a/pkgs/development/libraries/expat/default.nix
+++ b/pkgs/development/libraries/expat/default.nix
@@ -16,7 +16,7 @@
 # files.
 let
- version = "2.6.2";
+ version = "2.6.3";
 tag = "R_${lib.replaceStrings ["."] ["_"] version}";
 in stdenv.mkDerivation (finalAttrs: {
@@ -25,7 +25,7 @@ stdenv.mkDerivation (finalAttrs: {
 src = fetchurl {
 url = with finalAttrs; "https://github.com/libexpat/libexpat/releases/download/${tag}/${pname}-${version}.tar.xz";
- hash = "sha256-7hS0xdiQixvsN62TdgfqsYPU2YBqCK3uRyw8MSHSc2Q=";
+ hash = "sha256-J02yVKaXm95arUBHY6cElWlA5GWEPyqb2e168i4sDvw=";
 };
 strictDeps = true;
From 757ad392b4af2d37dd932821d3f55a3bd310fc76 Mon Sep 17 00:00:00 2001
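Review bot: `checkTarget = "check";` silently brings back the two targets the deleted comment explained were excluded on purpose: `check_web`, which needs curl and wants to reach https://validator.w3.org (not available in a sandboxed build), and `check_now`, which depends on the current time and so makes the check phase non-reproducible. Unless tzcode 2024b's `check` target no longer runs those, the explicit target list should be kept (extended with any sub-targets new in 2024b) together with its explanatory comment rather than dropped; patch 31/35 later reverts this whole bump as broken, which is consistent with that. The enclosing `stdenv.mkDerivation (finalAttrs: {` block starts and ends outside the hunk.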
From: Robert Scott
Date: Tue, 3 Sep 2024 20:18:31 +0100
Subject: [PATCH 29/35] python312Packages.webob: 1.8.7 -> 1.8.8 addresses CVE-2024-42353 switch to github source as pypi isn't up to date (cherry picked from commit 5097974f8e231d14862ed2def077cc7c775f608e)
---
 pkgs/development/python-modules/webob/default.nix | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/pkgs/development/python-modules/webob/default.nix b/pkgs/development/python-modules/webob/default.nix
index 921b75ef0778a..60cf24f37191c 100644
--- a/pkgs/development/python-modules/webob/default.nix
+++ b/pkgs/development/python-modules/webob/default.nix
@@ -1,22 +1,23 @@
 {
 lib,
 buildPythonPackage,
- fetchPypi,
+ fetchFromGitHub,
 pytestCheckHook,
 pythonOlder,
 }:
 buildPythonPackage rec {
 pname = "webob";
- version = "1.8.7";
+ version = "1.8.8";
 format = "setuptools";
 disabled = pythonOlder "3.7";
- src = fetchPypi {
- pname = "WebOb";
- inherit version;
- hash = "sha256-tk71FBvlWc+t5EjwRPpFwiYDUe3Lao72t+AMfc7wwyM=";
+ src = fetchFromGitHub {
+ owner = "Pylons";
+ repo = "webob";
+ rev = "refs/tags/${version}";
+ hash = "sha256-QN0UMLzO0g8Oalnn5GlOulXUxtXOx89jeeEvJV53rVs=";
 };
 nativeCheckInputs = [ pytestCheckHook ];
From 5284e6f47e9684064705584f736823fb533a9260 Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Tue, 3 Sep 2024 21:47:44 +0100
Subject: [PATCH 30/35] python312Packages.webob: add some key reverse dependencies to passthru.tests (cherry picked from commit 1a171ee732761a15ed743b9fe36b0e387c74f79b)
---
 pkgs/development/python-modules/webob/default.nix | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/pkgs/development/python-modules/webob/default.nix b/pkgs/development/python-modules/webob/default.nix
index 60cf24f37191c..93ad2874aab98 100644
--- a/pkgs/development/python-modules/webob/default.nix
+++ b/pkgs/development/python-modules/webob/default.nix
@@ -4,6 +4,11 @@
 fetchFromGitHub,
 pytestCheckHook,
 pythonOlder,
+
+ # for passthru.tests
+ pyramid,
+ routes,
+ tokenlib,
 }:
 buildPythonPackage rec {
@@ -30,6 +35,10 @@ buildPythonPackage rec {
 "tests/test_client_functional.py"
 ];
+ passthru.tests = {
+ inherit pyramid routes tokenlib;
+ };
+
 meta = with lib; {
 description = "WSGI request and response object";
 homepage = "https://webob.org/";
From 5dd3a70bbcda4d8277038cc2b20e2dc5012116f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Wed, 11 Sep 2024 15:12:13 +0200
Subject: [PATCH 31/35] Revert "tzdata: 2024a -> 2024b (#340296)" This reverts commit 90de4369dbccda6d7066edd36ae2137f5a326d7f, reversing changes made to 012ba86a5a7fd6ec7ebfe9686823ceeea072162e. It's quite broken; even blocking stdenv on aarch64-darwin.
---
 pkgs/data/misc/tzdata/default.nix | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/pkgs/data/misc/tzdata/default.nix b/pkgs/data/misc/tzdata/default.nix
index 939b75218f4fe..522b2da68ca5c 100644
--- a/pkgs/data/misc/tzdata/default.nix
+++ b/pkgs/data/misc/tzdata/default.nix
@@ -2,16 +2,16 @@ stdenv.mkDerivation (finalAttrs: {
 pname = "tzdata";
- version = "2024b";
+ version = "2024a";
 srcs = [
 (fetchurl {
 url = "https://data.iana.org/time-zones/releases/tzdata${finalAttrs.version}.tar.gz";
- hash = "sha256-cOdU2xJqjQ2z0W1rTLX37B4E1fJhJV5FWKZ/6S055VA=";
+ hash = "sha256-DQQ0RZrL0gWaeo2h8zBKhKhlkfbtacYkj/+lArbt/+M=";
 })
 (fetchurl {
 url = "https://data.iana.org/time-zones/releases/tzcode${finalAttrs.version}.tar.gz";
- hash = "sha256-XkOPxEliSQavFqGP9Fc3OfDNqYYuXsKNO8sZy67Q9nI=";
+ hash = "sha256-gAcolK3/WkWPHRQ+FuTKHYsqEiycU5naSCy2jLpqH/g=";
 })
 ];
@@ -45,10 +45,11 @@ stdenv.mkDerivation (finalAttrs: {
 "CFLAGS+=-DRESERVE_STD_EXT_IDS"
 ];
- enableParallelBuilding = true;
-
 doCheck = true;
- checkTarget = "check";
+ # everything except for:
+ # - check_web, because that needs curl and wants to talk to https://validator.w3.org
+ # - check_now, because that depends on the current time
+ checkTarget = "check_back check_character_set check_white_space check_links check_name_lengths check_slashed_abbrs check_sorted check_tables check_ziguard check_zishrink check_tzs";
 installFlags = lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
 "zic=${buildPackages.tzdata.bin}/bin/zic"
From b0b618ebc9dc4fa6d9c22740258638b4d4dd327b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Thu, 12 Sep 2024 12:21:57 +0200
Subject: [PATCH 32/35] python312Packages.mercurial: fix build by upstream patch https://hydra.nixos.org/build/272412560/nixlog/1/tail
---
 .../version-management/mercurial/default.nix | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/pkgs/applications/version-management/mercurial/default.nix b/pkgs/applications/version-management/mercurial/default.nix
index b6bf52048f5e4..d9e80637367f0 100644
--- a/pkgs/applications/version-management/mercurial/default.nix
+++ b/pkgs/applications/version-management/mercurial/default.nix
@@ -1,4 +1,5 @@
 { lib, stdenv, fetchurl, python3Packages, makeWrapper, gettext, installShellFiles
+, fetchpatch
 , re2Support ? true # depends on rust-cpython which won't support python312 # https://github.com/dgrunwald/rust-cpython/commit/e815555629e557be084813045ca1ddebc2f76ef9
@@ -30,6 +31,14 @@ let
 hash = "sha256-911qSnWCOht9cTpJZ+yi9Zb0ZuWPxrwG1yZCky/X4wc=";
 };
+ patches = lib.optionals (!python3Packages.isPy311) [ # avoid rebuild on 3.11
+ (fetchpatch {
+ name = "circular-import.patch";
+ url = "https://foss.heptapod.net/mercurial/mercurial-devel/-/commit/63ede7a43a3731fecc7e5b535144c6bd59911284.diff";
+ hash = "sha256-qoqg1QCHhfzTXmp0sfJvsH2SCP+KRjuIy+TJZFHqAQw=";
+ })
+ ];
+
 format = "other";
 passthru = { inherit python; }; # pass it so that the same version can be used in hg2git
From 42fb94a04caea94c4ece0c22da8bbb11ef77500e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Fri, 13 Sep 2024 16:05:01 +0200
Subject: [PATCH 33/35] python312Packages.executing: patch build with python-3.12.5
---
 pkgs/development/python-modules/executing/default.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/pkgs/development/python-modules/executing/default.nix b/pkgs/development/python-modules/executing/default.nix
index 7eb94f3b13481..68617d003475e 100644
--- a/pkgs/development/python-modules/executing/default.nix
+++ b/pkgs/development/python-modules/executing/default.nix
@@ -2,6 +2,7 @@
 lib,
 buildPythonPackage,
 fetchFromGitHub,
+ fetchpatch,
 pythonAtLeast,
 pythonOlder,
@@ -30,6 +31,13 @@ buildPythonPackage rec {
 hash = "sha256-PBvfkv9GQ5Vj5I5SygtmHXtqqHMJ4XgNV1/I+lSU0/U=";
 };
+ patches = lib.optionals (pythonAtLeast "3.12") [
+ (fetchpatch { # https://github.com/alexmojaki/executing/pull/83
+ url = "https://github.com/alexmojaki/executing/commit/230ef110f004a8cecf03e983561f26a5fecede8f.diff";
+ hash = "sha256-McMUIbOWozoDDQSfrJqcxBjuAZ/rrHePfqp5+AVUKI4=";
+ })
+ ];
+
 nativeBuildInputs = [
 setuptools
 setuptools-scm
From 713b09b71cd9da800ee17ca07ec8fffef328254d Mon Sep 17 00:00:00 2001
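Review bot: The condition `lib.optionals (!python3Packages.isPy311)` on the new `patches` line names the interpreter to spare rather than the one that needs the fix, so the patch is also applied to every other Python version this derivation is built with; the trailing comment `# avoid rebuild on 3.11` records the motive but not that scope. Since the commit message ties the fix to the python312 build, `patches = lib.optionals (python3Packages.pythonAtLeast "3.12") [ # avoid rebuild on 3.11` states the intent directly and still leaves the 3.11 build untouched. The enclosing attribute set (under the `let` named in the hunk header) starts and ends outside the hunk.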
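Review bot: The new `fetchpatch` call in the executing hunk has no `name`, so the patch's store name is derived from the commit-hash `.diff` URL and the only record of what it does is the end-of-line comment `# https://github.com/alexmojaki/executing/pull/83`. Giving it a descriptive name that keeps the PR link, e.g. `name = "executing-python-3.12.5-build.patch"; # https://github.com/alexmojaki/executing/pull/83`, makes build logs and later rebases self-explanatory. The enclosing `buildPythonPackage rec {` block starts and ends outside the hunk.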
From: Martin Weinelt
Date: Thu, 15 Aug 2024 23:11:54 +0200
Subject: [PATCH 34/35] python312Packages.uvloop: 0.19.0 -> 0.20.0 https://github.com/MagicStack/uvloop/releases/tag/v0.20.0 (cherry picked from commit fca63549ac4dcd414225889b3fc025e93baedac3)
---
 pkgs/development/python-modules/uvloop/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkgs/development/python-modules/uvloop/default.nix b/pkgs/development/python-modules/uvloop/default.nix
index 4f2ff7d11ceae..533efe1f81cae 100644
--- a/pkgs/development/python-modules/uvloop/default.nix
+++ b/pkgs/development/python-modules/uvloop/default.nix
@@ -23,17 +23,17 @@ buildPythonPackage rec {
 pname = "uvloop";
- version = "0.19.0";
+ version = "0.20.0";
 pyproject = true;
 disabled = pythonOlder "3.8";
 src = fetchPypi {
 inherit pname version;
- hash = "sha256-Akb0/Rvyv3AuBrDUXukWd+5cMSQvOaq06m/gxRrt0P0=";
+ hash = "sha256-RgPKcUp1T8jZsZfjJdslsuoEU4Xoo60F00Y95yX99Gk=";
 };
- nativeBuildInputs = [
+ build-system = [
 cython_0
 setuptools
 ];
From e7d8069780150e190532cbad33f7eb430a3ed697 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Wed, 18 Sep 2024 12:07:51 +0200
Subject: [PATCH 35/35] handbrake: fix build by applying an upstream patch again Override hell as usual for handbrake. The patch was dropped from the base package in e5c3ef1ea21dd31
---
 pkgs/applications/video/handbrake/default.nix | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/pkgs/applications/video/handbrake/default.nix b/pkgs/applications/video/handbrake/default.nix
index f3f6dacd4a540..8b1dd0d4e8ed5 100644
--- a/pkgs/applications/video/handbrake/default.nix
+++ b/pkgs/applications/video/handbrake/default.nix
@@ -11,6 +11,7 @@
 , lib
 , fetchFromGitHub
 , fetchpatch
+, fetchpatch2
 # For tests
 , testers
 , runCommand
@@ -135,6 +136,12 @@ let
 "${src}/contrib/ffmpeg/A18-qsv-fix-decode-10bit-hdr.patch"
 "${src}/contrib/ffmpeg/A19-ffbuild-common-use-gzip-n-flag-for-cuda.patch"
+
+ (fetchpatch2 {
+ name = "fix_vulkan_av1.patch";
+ url = "https://git.ffmpeg.org/gitweb/ffmpeg.git/patch/e06ce6d2b45edac4a2df04f304e18d4727417d24";
+ hash = "sha256-73mlX1rdJrguw7OXaSItfHtI7gflDrFj+7SepVvvUIg=";
+ })
 ];
 });