diff --git a/pkgs/applications/audio/fluidsynth/default.nix b/pkgs/applications/audio/fluidsynth/default.nix
index 41ee34847a845..81dbbf2921b44 100644
--- a/pkgs/applications/audio/fluidsynth/default.nix
+++ b/pkgs/applications/audio/fluidsynth/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchFromGitHub, buildPackages, pkg-config, cmake
+{ stdenv, lib, fetchFromGitHub, fetchpatch, buildPackages, pkg-config, cmake
 , alsa-lib, glib, libjack2, libsndfile, libpulseaudio
 , AppKit, AudioUnit, CoreAudio, CoreMIDI, CoreServices
 }:
@@ -14,6 +14,16 @@ stdenv.mkDerivation rec {
 sha256 = "sha256-BSJu3jB7b5G2ThXBUHUNnBGl55EXe3nIzdBdgfOWDSM=";
 };
+ patches = [
+ # Fixes bad CMAKE_INSTALL_PREFIX + CMAKE_INSTALL_LIBDIR concatenation for Darwin install name dir
+ # Remove when PR merged & in release
+ (fetchpatch {
+ name = "0001-Fix-incorrect-way-of-turning-CMAKE_INSTALL_LIBDIR-absolute.patch";
+ url = "https://github.com/FluidSynth/fluidsynth/pull/1261/commits/03cd38dd909fc24aa39553d869afbb4024416de8.patch";
+ hash = "sha256-nV+MbFttnbNBO4zWnPLpnnEuoiESkV9BGFlUS9tQQfk=";
+ })
+ ];
+
 outputs = [ "out" "dev" "man" ];
 nativeBuildInputs = [ buildPackages.stdenv.cc pkg-config cmake ];
@@ -24,8 +34,6 @@ stdenv.mkDerivation rec {
 cmakeFlags = [
 "-Denable-framework=off"
- # set CMAKE_INSTALL_NAME_DIR to correct value on darwin
- "-DCMAKE_INSTALL_LIBDIR=lib"
 ];
 meta = with lib; {
diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
index b4288cb7d7b5d..46bbb4314cb7c 100644
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
@@ -48,11 +48,11 @@ stdenv.mkDerivation rec {
 + lib.optionalString xenSupport "-xen"
 + lib.optionalString hostCpuOnly "-host-cpu-only"
 + lib.optionalString nixosTestRunner "-for-vm-tests";
- version = "8.0.0";
+ version = "8.0.2";
 src = fetchurl {
 url = "https://download.qemu.org/qemu-${version}.tar.xz";
- sha256 = "u2DwNBUxGB1sw5ad0ZoBPQQnqH+RgZOXDZrbkRMeVtA=";
+ sha256 = "8GCr1DX75nlBJeLDmFaP/Dz6VABCWWkHqLGO3KNM9qU=";
 };
 depsBuildBuild = [ buildPackages.stdenv.cc ]
diff --git a/pkgs/development/compilers/go/1.20.nix b/pkgs/development/compilers/go/1.20.nix
index 7eb40c23691e6..18fa8db98792e 100644
--- a/pkgs/development/compilers/go/1.20.nix
+++ b/pkgs/development/compilers/go/1.20.nix
@@ -46,11 +46,11 @@ let
 in stdenv.mkDerivation rec {
 pname = "go";
- version = "1.20.5";
+ version = "1.20.6";
 src = fetchurl {
 url = "https://go.dev/dl/go${version}.src.tar.gz";
- hash = "sha256-mhXBM7os+v55ZS9IFbYufPwmf2jfG5RUxqsqPKi5aog=";
+ hash = "sha256-Yu5bxvtVuLro9wXgy434bWRTYmtOz5MnnihnCS4Lf3A=";
 };
 strictDeps = true;
diff --git a/pkgs/development/libraries/dbus/default.nix b/pkgs/development/libraries/dbus/default.nix
index f984f33103001..53e3c0be22ec8 100644
--- a/pkgs/development/libraries/dbus/default.nix
+++ b/pkgs/development/libraries/dbus/default.nix
@@ -19,11 +19,11 @@ stdenv.mkDerivation rec {
 pname = "dbus";
- version = "1.14.6";
+ version = "1.14.8";
 src = fetchurl {
 url = "https://dbus.freedesktop.org/releases/dbus/dbus-${version}.tar.xz";
- sha256 = "sha256-/SvfG7idw2WkZTG/9jFTbyKw0cbVzixcXlm1UmWz1ms=";
+ sha256 = "sha256-pr1brFzxnww8WUva4lZaCVaWmApoOg7zfLYhLgk73jU=";
 };
 patches = lib.optional stdenv.isSunOS ./implement-getgrouplist.patch;
diff --git a/pkgs/development/libraries/libde265/default.nix b/pkgs/development/libraries/libde265/default.nix
index c7a5a85ae6b67..9c1a10f9f5b10 100644
--- a/pkgs/development/libraries/libde265/default.nix
+++ b/pkgs/development/libraries/libde265/default.nix
@@ -1,13 +1,12 @@
 { lib
 , stdenv
 , fetchFromGitHub
-, fetchpatch
 , autoreconfHook
 , pkg-config
 , callPackage
-# for passthru.tests
+ # for passthru.tests
 , imagemagick
 , libheif
 , imlib2Full
@@ -15,29 +14,16 @@
 }:
 stdenv.mkDerivation (finalAttrs: rec {
- version = "1.0.11";
+ version = "1.0.12";
 pname = "libde265";
 src = fetchFromGitHub {
 owner = "strukturag";
 repo = "libde265";
- rev = "v${version}";
- sha256 = "sha256-0aRUh5h49fnjBjy42A5fWYHnhnQ4CFoeSIXZilZewW8=";
+ rev = "refs/tags/v${version}";
+ hash = "sha256-pl1r3n4T4FcJ4My/wCE54R2fmTdrlJOvgb2U0MZf1BI=";
 };
- patches = [
- (fetchpatch {
- name = "CVE-2023-27102.patch";
- url = "https://github.com/strukturag/libde265/commit/0b1752abff97cb542941d317a0d18aa50cb199b1.patch";
- sha256 = "sha256-q0NKuk2r5RQT9MJpRO3CTPj6VqYRBnffs9yZ+GM+lNc=";
- })
- (fetchpatch {
- name = "CVE-2023-27103.patch";
- url = "https://github.com/strukturag/libde265/commit/d6bf73e765b7a23627bfd7a8645c143fd9097995.patch";
- sha256 = "sha256-vxciVzSuVCVDpdz+TKg2tMWp2ArubYji5GLaR9VP4F0=";
- })
- ];
-
 nativeBuildInputs = [ autoreconfHook pkg-config ];
 enableParallelBuilding = true;
diff --git a/pkgs/development/libraries/libwebp/default.nix b/pkgs/development/libraries/libwebp/default.nix
index 65fa55a787e15..89cbae6e1a5dd 100644
--- a/pkgs/development/libraries/libwebp/default.nix
+++ b/pkgs/development/libraries/libwebp/default.nix
@@ -1,5 +1,4 @@
 { lib, stdenv, fetchFromGitHub, autoreconfHook, libtool
-, fetchpatch
 , threadingSupport ? true # multi-threading
 , openglSupport ? false, freeglut, libGL, libGLU # OpenGL (required for vwebp)
 , pngSupport ? true, libpng # PNG image format
@@ -12,6 +11,7 @@
 , libwebpmuxSupport ? true # Build libwebpmux
 , libwebpdemuxSupport ? true # Build libwebpdemux
 , libwebpdecoderSupport ? true # Build libwebpdecoder
+, fetchpatch
 # for passthru.tests
 , freeimage
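Review bot: The bump to 1.0.12 deletes the CVE-2023-27102 and CVE-2023-27103 fetchpatches without recording anywhere that the new release carries those fixes, so a later reader of this file cannot tell whether the patches were superseded or simply lost; the same gap exists where libwebp/default.nix drops its MFSA-TMP-2023-0001 patch and where pkgs/misc/cups/default.nix drops its CVE-2023-32324 patch. Please confirm that the two upstream commits the removed patches pointed at (0b1752abff97cb542941d317a0d18aa50cb199b1 and d6bf73e765b7a23627bfd7a8645c143fd9097995) are reachable from the v1.0.12 tag, and leave a one-line trace next to `src`, e.g. `# 1.0.12 includes the upstream fixes for CVE-2023-27102 and CVE-2023-27103 that were previously applied as patches`. Switching `rev` to `refs/tags/v${version}` and `sha256` to `hash` is fine as is.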
@@ -28,21 +28,22 @@ stdenv.mkDerivation rec {
 pname = "libwebp";
- version = "1.3.0";
+ version = "1.3.1";
 src = fetchFromGitHub {
 owner = "webmproject";
 repo = pname;
 rev = "v${version}";
- hash = "sha256-nhXkq+qKpaa75YQB/W/cRozslTIFPdXeqj1y6emQeHk=";
+ hash = "sha256-Q94avvKjPdwdGt5ADo30cf2V4T7MCTubDHJxTtbG4xQ=";
 };
 patches = [
- # https://www.mozilla.org/en-US/security/advisories/mfsa2023-13/#MFSA-TMP-2023-0001
+ # Avoid unnecessary and disruptive change on stable nixpkgs.
 (fetchpatch {
- url = "https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129.patch";
- name = "fix-msfa-tmp-2023-0001.patch";
- hash = "sha256-TRKXpNkYVzftBw09mX+WeQRhRoOzBgXFTNZBzSdCKvc=";
+ name = "revert-pkgconfig-changes.patch";
+ url = "https://github.com/webmproject/libwebp/commit/31c28db53c6fa3be7026212fdd1526280e3f0f52.patch";
+ revert = true;
+ hash = "sha256-yy/T0IZolk5JLbVRevtLWErOSVQIZqNRg/a6J6JHDHg=";
 })
 ];
diff --git a/pkgs/development/libraries/tpm2-tss/CVE-2023-22745.patch b/pkgs/development/libraries/tpm2-tss/CVE-2023-22745.patch
new file mode 100644
index 0000000000000..d8ee348423d5e
--- /dev/null
+++ b/pkgs/development/libraries/tpm2-tss/CVE-2023-22745.patch
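Review bot: `# Avoid unnecessary and disruptive change on stable nixpkgs.` does not say which change is being reverted or why it is disruptive, so the only hint is the patch name two lines down. Name the upstream commit and its subject in the comment, e.g. `# Revert upstream 31c28db5 (pkg-config file changes): a disruptive change for consumers on stable nixpkgs` — the `revert = true;` fetchpatch itself is fine.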
@@ -0,0 +1,113 @@
+diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
+index 15ced567..4e146593 100644
+--- a/src/tss2-rc/tss2_rc.c
++++ b/src/tss2-rc/tss2_rc.c
+@@ -1,5 +1,8 @@
+ /* SPDX-License-Identifier: BSD-2-Clause */
+-
++#ifdef HAVE_CONFIG_H
++#include "config.h"
++#endif
++#include
+ #include
+ #include
+ #include
+@@ -834,7 +837,7 @@ tss_err_handler (TSS2_RC rc)
+ static struct {
+ char name[TSS2_ERR_LAYER_NAME_MAX];
+ TSS2_RC_HANDLER handler;
+-} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = {
++} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = {
+ ADD_HANDLER("tpm" , tpm2_ehandler),
+ ADD_NULL_HANDLER, /* layer 1 is unused */
+ ADD_NULL_HANDLER, /* layer 2 is unused */
+@@ -869,7 +872,7 @@ unknown_layer_handler(TSS2_RC rc)
+ static __thread char buf[32];
+
+ clearbuf(buf);
+- catbuf(buf, "0x%X", tpm2_error_get(rc));
++ catbuf(buf, "0x%X", rc);
+
+ return buf;
+ }
+@@ -966,19 +969,27 @@ Tss2_RC_Decode(TSS2_RC rc)
+ catbuf(buf, "%u:", layer);
+ }
+
+- handler = !handler ? unknown_layer_handler : handler;
+-
+ /*
+ * Handlers only need the error bits. This way they don't
+ * need to concern themselves with masking off the layer
+ * bits or anything else.
+ */
+- UINT16 err_bits = tpm2_error_get(rc);
+- const char *e = err_bits ? handler(err_bits) : "success";
+- if (e) {
+- catbuf(buf, "%s", e);
++ if (handler) {
++ UINT16 err_bits = tpm2_error_get(rc);
++ const char *e = err_bits ? handler(err_bits) : "success";
++ if (e) {
++ catbuf(buf, "%s", e);
++ } else {
++ catbuf(buf, "0x%X", err_bits);
++ }
+ } else {
+- catbuf(buf, "0x%X", err_bits);
++ /*
++ * we don't want to drop any bits if we don't know what to do with it
++ * so drop the layer byte since we we already have that.
++ */
++ const char *e = unknown_layer_handler(rc >> 8);
++ assert(e);
++ catbuf(buf, "%s", e);
+ }
+
+ return buf;
+diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
+index f4249b7b..c297298d 100644
+--- a/test/unit/test_tss2_rc.c
++++ b/test/unit/test_tss2_rc.c
+@@ -199,7 +199,7 @@ test_custom_handler(void **state)
+ * Test an unknown layer
+ */
+ e = Tss2_RC_Decode(rc);
+- assert_string_equal(e, "1:0x2A");
++ assert_string_equal(e, "1:0x100");
+ }
+
+ static void
+@@ -282,6 +282,23 @@ test_tcti(void **state)
+ assert_string_equal(e, "tcti:Fails to connect to next lower layer");
+ }
+
++static void
++test_all_FFs(void **state)
++{
++ (void) state;
++
++ const char *e = Tss2_RC_Decode(0xFFFFFFFF);
++ assert_string_equal(e, "255:0xFFFFFF");
++}
++
++static void
++test_all_FFs_set_handler(void **state)
++{
++ (void) state;
++ Tss2_RC_SetHandler(0xFF, "garbage", custom_err_handler);
++ Tss2_RC_SetHandler(0xFF, NULL, NULL);
++}
++
+ /* link required symbol, but tpm2_tool.c declares it AND main, which
+ * we have a main below for cmocka tests.
+ */
+@@ -313,6 +330,8 @@ main(int argc, char* argv[])
+ cmocka_unit_test(test_esys),
+ cmocka_unit_test(test_mu),
+ cmocka_unit_test(test_tcti),
++ cmocka_unit_test(test_all_FFs),
++ cmocka_unit_test(test_all_FFs_set_handler),
+ };
+
+ return cmocka_run_group_tests(tests, NULL, NULL);
diff --git a/pkgs/development/libraries/tpm2-tss/default.nix b/pkgs/development/libraries/tpm2-tss/default.nix
index ec17a2d515a06..32bdb798d1d60 100644
--- a/pkgs/development/libraries/tpm2-tss/default.nix
+++ b/pkgs/development/libraries/tpm2-tss/default.nix
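Review bot: The new patch file has no header, so nothing in the file itself records what it fixes or where it came from; the only provenance is a comment in default.nix that is easy to lose when the file is copied or rebased. A git-format-patch style header at the top of CVE-2023-22745.patch naming the upstream commit (306490c8d848c367faa2d9df81f5e69dab46ffb5), the CVE id, and the fact that the test hunks were adjusted locally would make the file self-describing. One thing worth double-checking while backporting: the comment added in Tss2_RC_Decode says the layer byte is dropped, but `unknown_layer_handler(rc >> 8)` drops the low byte and keeps the layer bits, which is exactly what the updated expectation `"1:0x100"` in test_tss2_rc.c and `"255:0xFFFFFF"` in test_all_FFs encode. If the backport is meant to track upstream verbatim, leave the code alone, but the comment/code mismatch deserves a line in that header so the next person does not "fix" it. Tss2_RC_Decode and unknown_layer_handler both begin outside the quoted hunks, so the `layer` computation and `buf` sizing are not visible here.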
@@ -53,6 +53,9 @@ stdenv.mkDerivation rec {
 # Do not rely on dynamic loader path
 # TCTI loader relies on dlopen(), this patch prefixes all calls with the output directory
 ./no-dynamic-loader-path.patch
+ # Backport of https://github.com/tpm2-software/tpm2-tss/commit/306490c8d848c367faa2d9df81f5e69dab46ffb5
+ # Does not apply cleanly because of tests
+ ./CVE-2023-22745.patch
 ];
 postPatch = ''
@@ -91,6 +94,6 @@ stdenv.mkDerivation rec {
 homepage = "https://github.com/tpm2-software/tpm2-tss";
 license = licenses.bsd2;
 platforms = platforms.linux;
- maintainers = with maintainers; [ ];
+ maintainers = with maintainers; [ baloo ];
 };
 }
diff --git a/pkgs/development/python-modules/django/3.nix b/pkgs/development/python-modules/django/3.nix
index cd07c13358d50..9c8e13842422f 100644
--- a/pkgs/development/python-modules/django/3.nix
+++ b/pkgs/development/python-modules/django/3.nix
@@ -15,14 +15,14 @@ buildPythonPackage rec {
 pname = "django";
- version = "3.2.19";
+ version = "3.2.20";
 disabled = pythonOlder "3.7";
 src = fetchPypi {
 pname = "Django";
 inherit version;
- hash = "sha256-AxNluuloFNoZwQcGIYxE3/O2VMxN4gqYvS0pub3kafA=";
+ hash = "sha256-3sKhFnh7jhSWIBS/eOEgu6RUE1EI4a+em5Gt57KWTEA=";
 };
 patches = [
diff --git a/pkgs/misc/cups/default.nix b/pkgs/misc/cups/default.nix
index 75dab9a828d3d..99d56af97c3d0 100644
--- a/pkgs/misc/cups/default.nix
+++ b/pkgs/misc/cups/default.nix
@@ -1,6 +1,5 @@
 { lib, stdenv
 , fetchurl
-, fetchpatch
 , pkg-config
 , removeReferencesTo
 , zlib
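Review bot: `# Does not apply cleanly because of tests` leaves the reader guessing what was changed relative to upstream and when the local copy can be retired; presumably the upstream commit's test hunks were rebased onto the packaged version. Say that, name the CVE, and give the removal condition, e.g. `# Backport of https://github.com/tpm2-software/tpm2-tss/commit/306490c8d848c367faa2d9df81f5e69dab46ffb5 (CVE-2023-22745),` `# carried locally because the upstream test hunks do not apply to this version; drop when updating to a release that contains the fix`. The maintainers change in the second hunk needs nothing.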
@@ -24,24 +23,15 @@ stdenv.mkDerivation rec {
 pname = "cups";
- version = "2.4.2";
+ version = "2.4.6";
 src = fetchurl {
 url = "https://github.com/OpenPrinting/cups/releases/download/v${version}/cups-${version}-source.tar.gz";
- sha256 = "sha256-8DzLQLCH0eMJQKQOAUHcu6Jj85l0wg658lIQZsnGyQg=";
+ sha256 = "sha256-WOlwzxlV4cyH0IR8MlJtnCzO4zXl8OOIKygxOLoOcmI=";
 };
 outputs = [ "out" "lib" "dev" "man" ];
- patches = [
- (fetchpatch {
- # https://www.openwall.com/lists/oss-security/2023/06/01/1
- name = "CVE-2023-32324.patch";
- url = "https://github.com/OpenPrinting/cups/commit/fd8bc2d32589d1fd91fe1c0521be2a7c0462109e.patch";
- hash = "sha256-Q0Pw+MC7KE5VEiugY+GFtvPERG8x6ngNHUsWTEaDCHA=";
- })
- ];
-
 postPatch = ''
 substituteInPlace cups/testfile.c \
 --replace 'cupsFileFind("cat", "/bin' 'cupsFileFind("cat", "${coreutils}/bin'
@@ -50,6 +40,9 @@ stdenv.mkDerivation rec {
 # service would stop the socket and break subsequent socket activations.
 # See https://github.com/apple/cups/issues/6005
 sed -i '/PartOf=cups.service/d' scheduler/cups.socket.in
+ '' + lib.optionalString (stdenv.isDarwin && lib.versionOlder stdenv.targetPlatform.darwinSdkVersion "12") ''
+ substituteInPlace backend/usb-darwin.c \
+ --replace "kIOMainPortDefault" "kIOMasterPortDefault"
 '';
 nativeBuildInputs = [ pkg-config removeReferencesTo ];
diff --git a/pkgs/misc/ghostscript/default.nix b/pkgs/misc/ghostscript/default.nix
index 2588e7e9140a3..95e212c323657 100644
--- a/pkgs/misc/ghostscript/default.nix
+++ b/pkgs/misc/ghostscript/default.nix
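Review bot: The new postPatch condition reads `stdenv.targetPlatform.darwinSdkVersion`, but the platform a package is built for is `stdenv.hostPlatform`; `targetPlatform` only carries meaning for compilers and toolchains, and the check works here only because the two coincide in the ordinary case. The same expression already uses `stdenv.isDarwin`, which is the hostPlatform predicate, so keep both halves consistent: `'' + lib.optionalString (stdenv.isDarwin && lib.versionOlder stdenv.hostPlatform.darwinSdkVersion "12") ''`. A short comment above the line saying why the symbol is renamed for older SDKs (the new `kIOMainPortDefault` name is not available there, if that is the reason) would also help, since the `--replace` alone does not explain itself.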
@@ -60,12 +60,12 @@ let
 in stdenv.mkDerivation rec {
- pname = "ghostscript${lib.optionalString (x11Support) "-with-X"}";
- version = "10.01.1";
+ pname = "ghostscript${lib.optionalString x11Support "-with-X"}";
+ version = "10.01.2";
 src = fetchurl {
 url = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${lib.replaceStrings ["."] [""] version}/ghostscript-${version}.tar.xz";
- hash = "sha512-2US+norvaNEXbWTEDbb6htVdDJ4wBH8hR8AoBqthz+msLLANTlshj/PFHMbtR87/4brE3Z1MwXYLeXTzDGwnNQ==";
+ hash = "sha512-7iDw4S9VOj0EV45xoNRd7+vHERfOTcLBQEOYW/5zSK1/iy/pj8m09bk17LMuUNw0C+Z9bvWBkFQuxtD52h3jgA==";
 };
 patches = [