NixOS · vcunat · Jul 17, 2023 · Jun 6, 2023 · Jun 16, 2023 · Jun 9, 2023
diff --git a/pkgs/applications/audio/fluidsynth/default.nix b/pkgs/applications/audio/fluidsynth/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchFromGitHub, buildPackages, pkg-config, cmake
+{ stdenv, lib, fetchFromGitHub, fetchpatch, buildPackages, pkg-config, cmake
 , alsa-lib, glib, libjack2, libsndfile, libpulseaudio
 , AppKit, AudioUnit, CoreAudio, CoreMIDI, CoreServices
 }:
@@ -14,6 +14,16 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-BSJu3jB7b5G2ThXBUHUNnBGl55EXe3nIzdBdgfOWDSM=";
   };
 
+  patches = [
+    # Fixes bad CMAKE_INSTALL_PREFIX + CMAKE_INSTALL_LIBDIR concatenation for Darwin install name dir
+    # Remove when PR merged & in release
+    (fetchpatch {
+      name = "0001-Fix-incorrect-way-of-turning-CMAKE_INSTALL_LIBDIR-absolute.patch";
+      url = "https://github.com/FluidSynth/fluidsynth/pull/1261/commits/03cd38dd909fc24aa39553d869afbb4024416de8.patch";
+      hash = "sha256-nV+MbFttnbNBO4zWnPLpnnEuoiESkV9BGFlUS9tQQfk=";
+    })
+  ];
+
   outputs = [ "out" "dev" "man" ];
 
   nativeBuildInputs = [ buildPackages.stdenv.cc pkg-config cmake ];
@@ -24,8 +34,6 @@ stdenv.mkDerivation rec {
 
   cmakeFlags = [
     "-Denable-framework=off"
-    # set CMAKE_INSTALL_NAME_DIR to correct value on darwin
-    "-DCMAKE_INSTALL_LIBDIR=lib"
   ];
 
   meta = with lib; {

diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
@@ -48,11 +48,11 @@ stdenv.mkDerivation rec {
     + lib.optionalString xenSupport "-xen"
     + lib.optionalString hostCpuOnly "-host-cpu-only"
     + lib.optionalString nixosTestRunner "-for-vm-tests";
-  version = "8.0.0";
+  version = "8.0.2";
 
   src = fetchurl {
     url = "https://download.qemu.org/qemu-${version}.tar.xz";
-    sha256 = "u2DwNBUxGB1sw5ad0ZoBPQQnqH+RgZOXDZrbkRMeVtA=";
+    sha256 = "8GCr1DX75nlBJeLDmFaP/Dz6VABCWWkHqLGO3KNM9qU=";
   };
 
   depsBuildBuild = [ buildPackages.stdenv.cc ]

@@ -46,11 +46,11 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "go";
-  version = "1.20.5";
+  version = "1.20.6";
 
   src = fetchurl {
     url = "https://go.dev/dl/go${version}.src.tar.gz";
-    hash = "sha256-mhXBM7os+v55ZS9IFbYufPwmf2jfG5RUxqsqPKi5aog=";
+    hash = "sha256-Yu5bxvtVuLro9wXgy434bWRTYmtOz5MnnihnCS4Lf3A=";
   };
 
   strictDeps = true;

diff --git a/pkgs/development/libraries/dbus/default.nix b/pkgs/development/libraries/dbus/default.nix
@@ -19,11 +19,11 @@
 
 stdenv.mkDerivation rec {
   pname = "dbus";
-  version = "1.14.6";
+  version = "1.14.8";
 
   src = fetchurl {
     url = "https://dbus.freedesktop.org/releases/dbus/dbus-${version}.tar.xz";
-    sha256 = "sha256-/SvfG7idw2WkZTG/9jFTbyKw0cbVzixcXlm1UmWz1ms=";
+    sha256 = "sha256-pr1brFzxnww8WUva4lZaCVaWmApoOg7zfLYhLgk73jU=";
   };
 
   patches = lib.optional stdenv.isSunOS ./implement-getgrouplist.patch;

diff --git a/pkgs/development/libraries/libde265/default.nix b/pkgs/development/libraries/libde265/default.nix
@@ -1,43 +1,29 @@
 { lib
 , stdenv
 , fetchFromGitHub
-, fetchpatch
 , autoreconfHook
 , pkg-config
 
 , callPackage
 
-# for passthru.tests
+  # for passthru.tests
 , imagemagick
 , libheif
 , imlib2Full
 , gst_all_1
 }:
 
 stdenv.mkDerivation (finalAttrs: rec {
-  version = "1.0.11";
+  version = "1.0.12";
   pname = "libde265";
 
   src = fetchFromGitHub {
     owner = "strukturag";
     repo = "libde265";
-    rev = "v${version}";
-    sha256 = "sha256-0aRUh5h49fnjBjy42A5fWYHnhnQ4CFoeSIXZilZewW8=";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-pl1r3n4T4FcJ4My/wCE54R2fmTdrlJOvgb2U0MZf1BI=";
   };
 
-  patches = [
-    (fetchpatch {
-      name = "CVE-2023-27102.patch";
-      url = "https://github.com/strukturag/libde265/commit/0b1752abff97cb542941d317a0d18aa50cb199b1.patch";
-      sha256 = "sha256-q0NKuk2r5RQT9MJpRO3CTPj6VqYRBnffs9yZ+GM+lNc=";
-    })
-    (fetchpatch {
-      name = "CVE-2023-27103.patch";
-      url = "https://github.com/strukturag/libde265/commit/d6bf73e765b7a23627bfd7a8645c143fd9097995.patch";
-      sha256 = "sha256-vxciVzSuVCVDpdz+TKg2tMWp2ArubYji5GLaR9VP4F0=";
-    })
-  ];
-
   nativeBuildInputs = [ autoreconfHook pkg-config ];
 
   enableParallelBuilding = true;

diff --git a/pkgs/development/libraries/libwebp/default.nix b/pkgs/development/libraries/libwebp/default.nix
@@ -1,5 +1,4 @@
 { lib, stdenv, fetchFromGitHub, autoreconfHook, libtool
-, fetchpatch
 , threadingSupport ? true # multi-threading
 , openglSupport ? false, freeglut, libGL, libGLU # OpenGL (required for vwebp)
 , pngSupport ? true, libpng # PNG image format
@@ -12,6 +11,7 @@
 , libwebpmuxSupport ? true # Build libwebpmux
 , libwebpdemuxSupport ? true # Build libwebpdemux
 , libwebpdecoderSupport ? true # Build libwebpdecoder
+, fetchpatch
 
 # for passthru.tests
 , freeimage
@@ -28,21 +28,22 @@
 
 stdenv.mkDerivation rec {
   pname = "libwebp";
-  version = "1.3.0";
+  version = "1.3.1";
 
   src = fetchFromGitHub {
     owner  = "webmproject";
     repo   = pname;
     rev    = "v${version}";
-    hash   = "sha256-nhXkq+qKpaa75YQB/W/cRozslTIFPdXeqj1y6emQeHk=";
+    hash   = "sha256-Q94avvKjPdwdGt5ADo30cf2V4T7MCTubDHJxTtbG4xQ=";
   };
 
   patches = [
-    # https://www.mozilla.org/en-US/security/advisories/mfsa2023-13/#MFSA-TMP-2023-0001
+    # Avoid unnecessary and disruptive change on stable nixpkgs.
     (fetchpatch {
-      url = "https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129.patch";
-      name = "fix-msfa-tmp-2023-0001.patch";
-      hash = "sha256-TRKXpNkYVzftBw09mX+WeQRhRoOzBgXFTNZBzSdCKvc=";
+      name = "revert-pkgconfig-changes.patch";
+      url = "https://github.com/webmproject/libwebp/commit/31c28db53c6fa3be7026212fdd1526280e3f0f52.patch";
+      revert = true;
+      hash = "sha256-yy/T0IZolk5JLbVRevtLWErOSVQIZqNRg/a6J6JHDHg=";
     })
   ];
 

diff --git a/pkgs/development/libraries/tpm2-tss/CVE-2023-22745.patch b/pkgs/development/libraries/tpm2-tss/CVE-2023-22745.patch
@@ -0,0 +1,113 @@
+diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
+index 15ced567..4e146593 100644
+--- a/src/tss2-rc/tss2_rc.c
++++ b/src/tss2-rc/tss2_rc.c
+@@ -1,5 +1,8 @@
+ /* SPDX-License-Identifier: BSD-2-Clause */
+-
++#ifdef HAVE_CONFIG_H
++#include "config.h"
++#endif
++#include <assert.h>
+ #include <stdarg.h>
+ #include <stdbool.h>
+ #include <stdio.h>
+@@ -834,7 +837,7 @@ tss_err_handler (TSS2_RC rc)
+ static struct {
+     char name[TSS2_ERR_LAYER_NAME_MAX];
+     TSS2_RC_HANDLER handler;
+-} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = {
++} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = {
+     ADD_HANDLER("tpm" , tpm2_ehandler),
+     ADD_NULL_HANDLER,                       /* layer 1  is unused */
+     ADD_NULL_HANDLER,                       /* layer 2  is unused */
+@@ -869,7 +872,7 @@ unknown_layer_handler(TSS2_RC rc)
+     static __thread char buf[32];
+
+     clearbuf(buf);
+-    catbuf(buf, "0x%X", tpm2_error_get(rc));
++    catbuf(buf, "0x%X", rc);
+
+     return buf;
+ }
+@@ -966,19 +969,27 @@ Tss2_RC_Decode(TSS2_RC rc)
+         catbuf(buf, "%u:", layer);
+     }
+
+-    handler = !handler ? unknown_layer_handler : handler;
+-
+     /*
+      * Handlers only need the error bits. This way they don't
+      * need to concern themselves with masking off the layer
+      * bits or anything else.
+      */
+-    UINT16 err_bits = tpm2_error_get(rc);
+-    const char *e = err_bits ? handler(err_bits) : "success";
+-    if (e) {
+-        catbuf(buf, "%s", e);
++    if (handler) {
++        UINT16 err_bits = tpm2_error_get(rc);
++        const char *e = err_bits ? handler(err_bits) : "success";
++        if (e) {
++            catbuf(buf, "%s", e);
++        } else {
++            catbuf(buf, "0x%X", err_bits);
++        }
+     } else {
+-        catbuf(buf, "0x%X", err_bits);
++        /*
++         * we don't want to drop any bits if we don't know what to do with it
++         * so drop the layer byte since we we already have that.
++         */
++        const char *e = unknown_layer_handler(rc >> 8);
++        assert(e);
++        catbuf(buf, "%s", e);
+     }
+
+     return buf;
+diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
+index f4249b7b..c297298d 100644
+--- a/test/unit/test_tss2_rc.c
++++ b/test/unit/test_tss2_rc.c
+@@ -199,7 +199,7 @@ test_custom_handler(void **state)
+      * Test an unknown layer
+      */
+     e = Tss2_RC_Decode(rc);
+-    assert_string_equal(e, "1:0x2A");
++    assert_string_equal(e, "1:0x100");
+ }
+
+ static void
+@@ -282,6 +282,23 @@ test_tcti(void **state)
+     assert_string_equal(e, "tcti:Fails to connect to next lower layer");
+ }
+
++static void
++test_all_FFs(void **state)
++{
++    (void) state;
++
++    const char *e = Tss2_RC_Decode(0xFFFFFFFF);
++    assert_string_equal(e, "255:0xFFFFFF");
++}
++
++static void
++test_all_FFs_set_handler(void **state)
++{
++    (void) state;
++    Tss2_RC_SetHandler(0xFF, "garbage", custom_err_handler);
++    Tss2_RC_SetHandler(0xFF, NULL, NULL);
++}
++
+ /* link required symbol, but tpm2_tool.c declares it AND main, which
+  * we have a main below for cmocka tests.
+  */
+@@ -313,6 +330,8 @@ main(int argc, char* argv[])
+             cmocka_unit_test(test_esys),
+             cmocka_unit_test(test_mu),
+             cmocka_unit_test(test_tcti),
++            cmocka_unit_test(test_all_FFs),
++            cmocka_unit_test(test_all_FFs_set_handler),
+     };
+
+     return cmocka_run_group_tests(tests, NULL, NULL);
diff --git a/pkgs/development/libraries/tpm2-tss/default.nix b/pkgs/development/libraries/tpm2-tss/default.nix
@@ -53,6 +53,9 @@ stdenv.mkDerivation rec {
     # Do not rely on dynamic loader path
     # TCTI loader relies on dlopen(), this patch prefixes all calls with the output directory
     ./no-dynamic-loader-path.patch
+    # Backport of https://github.com/tpm2-software/tpm2-tss/commit/306490c8d848c367faa2d9df81f5e69dab46ffb5
+    # Does not apply cleanly because of tests
+    ./CVE-2023-22745.patch
   ];
 
   postPatch = ''
@@ -91,6 +94,6 @@ stdenv.mkDerivation rec {
     homepage = "https://github.com/tpm2-software/tpm2-tss";
     license = licenses.bsd2;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ ];
+    maintainers = with maintainers; [ baloo ];
   };
 }
diff --git a/pkgs/development/python-modules/django/3.nix b/pkgs/development/python-modules/django/3.nix
@@ -15,14 +15,14 @@
 
 buildPythonPackage rec {
   pname = "django";
-  version = "3.2.19";
+  version = "3.2.20";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     pname = "Django";
     inherit version;
-    hash = "sha256-AxNluuloFNoZwQcGIYxE3/O2VMxN4gqYvS0pub3kafA=";
+    hash = "sha256-3sKhFnh7jhSWIBS/eOEgu6RUE1EI4a+em5Gt57KWTEA=";
   };
 
   patches = [

diff --git a/pkgs/misc/cups/default.nix b/pkgs/misc/cups/default.nix
@@ -1,6 +1,5 @@
 { lib, stdenv
 , fetchurl
-, fetchpatch
 , pkg-config
 , removeReferencesTo
 , zlib
@@ -24,24 +23,15 @@
 
 stdenv.mkDerivation rec {
   pname = "cups";
-  version = "2.4.2";
+  version = "2.4.6";
 
   src = fetchurl {
     url = "https://github.com/OpenPrinting/cups/releases/download/v${version}/cups-${version}-source.tar.gz";
-    sha256 = "sha256-8DzLQLCH0eMJQKQOAUHcu6Jj85l0wg658lIQZsnGyQg=";
+    sha256 = "sha256-WOlwzxlV4cyH0IR8MlJtnCzO4zXl8OOIKygxOLoOcmI=";
   };
 
   outputs = [ "out" "lib" "dev" "man" ];
 
-  patches = [
-    (fetchpatch {
-      # https://www.openwall.com/lists/oss-security/2023/06/01/1
-      name = "CVE-2023-32324.patch";
-      url = "https://github.com/OpenPrinting/cups/commit/fd8bc2d32589d1fd91fe1c0521be2a7c0462109e.patch";
-      hash = "sha256-Q0Pw+MC7KE5VEiugY+GFtvPERG8x6ngNHUsWTEaDCHA=";
-    })
-  ];
-
   postPatch = ''
     substituteInPlace cups/testfile.c \
       --replace 'cupsFileFind("cat", "/bin' 'cupsFileFind("cat", "${coreutils}/bin'
@@ -50,6 +40,9 @@ stdenv.mkDerivation rec {
       # service would stop the socket and break subsequent socket activations.
       # See https://github.com/apple/cups/issues/6005
       sed -i '/PartOf=cups.service/d' scheduler/cups.socket.in
+  '' + lib.optionalString (stdenv.isDarwin && lib.versionOlder stdenv.targetPlatform.darwinSdkVersion "12") ''
+    substituteInPlace backend/usb-darwin.c \
+      --replace "kIOMainPortDefault" "kIOMasterPortDefault"
   '';
 
   nativeBuildInputs = [ pkg-config removeReferencesTo ];

diff --git a/pkgs/misc/ghostscript/default.nix b/pkgs/misc/ghostscript/default.nix
@@ -60,12 +60,12 @@ let
 
 in
 stdenv.mkDerivation rec {
-  pname = "ghostscript${lib.optionalString (x11Support) "-with-X"}";
-  version = "10.01.1";
+  pname = "ghostscript${lib.optionalString x11Support "-with-X"}";
+  version = "10.01.2";
 
   src = fetchurl {
     url = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${lib.replaceStrings ["."] [""] version}/ghostscript-${version}.tar.xz";
-    hash = "sha512-2US+norvaNEXbWTEDbb6htVdDJ4wBH8hR8AoBqthz+msLLANTlshj/PFHMbtR87/4brE3Z1MwXYLeXTzDGwnNQ==";
+    hash = "sha512-7iDw4S9VOj0EV45xoNRd7+vHERfOTcLBQEOYW/5zSK1/iy/pj8m09bk17LMuUNw0C+Z9bvWBkFQuxtD52h3jgA==";
   };
 
   patches = [