diff --git a/pkgs/applications/graphics/ImageMagick/default.nix b/pkgs/applications/graphics/ImageMagick/default.nix index 33dd080943a1a..f55bffa67262f 100644 --- a/pkgs/applications/graphics/ImageMagick/default.nix +++ b/pkgs/applications/graphics/ImageMagick/default.nix @@ -173,7 +173,7 @@ stdenv.mkDerivation (finalAttrs: { configDestination=($out/share/ImageMagick-*) grep -v '/nix/store' $dev/lib/ImageMagick-*/config-Q16HDRI/configure.xml > $configDestination/configure.xml for file in "$dev"/bin/*-config; do - substituteInPlace "$file" --replace pkg-config \ + substituteInPlace "$file" --replace-fail "$PKG_CONFIG" \ "PKG_CONFIG_PATH='$dev/lib/pkgconfig' '$(command -v $PKG_CONFIG)'" done '' diff --git a/pkgs/by-name/al/alsa-lib/CVE-2026-25068.patch b/pkgs/by-name/al/alsa-lib/CVE-2026-25068.patch new file mode 100644 index 0000000000000..7aa23ea7c1981 --- /dev/null +++ b/pkgs/by-name/al/alsa-lib/CVE-2026-25068.patch 
@@ -0,0 +1,31 @@ +From 5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 Mon Sep 17 00:00:00 2001 +From: Jaroslav Kysela +Date: Thu, 29 Jan 2026 16:51:09 +0100 +Subject: [PATCH] topology: decoder - add boundary check for channel mixer + count + +Malicious binary topology file may cause heap corruption. + +CVE: CVE-2026-25068 + +Signed-off-by: Jaroslav Kysela +--- + src/topology/ctl.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/topology/ctl.c b/src/topology/ctl.c +index a0c24518..322c461c 100644 +--- a/src/topology/ctl.c ++++ b/src/topology/ctl.c +@@ -1250,6 +1250,11 @@ int tplg_decode_control_mixer1(snd_tplg_t *tplg, + if (mc->num_channels > 0) { + map = tplg_calloc(heap, sizeof(*map)); + map->num_channels = mc->num_channels; ++ if (map->num_channels > SND_TPLG_MAX_CHAN || ++ map->num_channels > SND_SOC_TPLG_MAX_CHAN) { ++ SNDERR("mixer: unexpected channel count %d", map->num_channels); ++ return -EINVAL; ++ } + for (i = 0; i < map->num_channels; i++) { + map->channel[i].reg = mc->channel[i].reg; + map->channel[i].shift = mc->channel[i].shift; diff --git a/pkgs/by-name/al/alsa-lib/package.nix b/pkgs/by-name/al/alsa-lib/package.nix index d0768cf443e31..1ced2ec453612 100644 --- a/pkgs/by-name/al/alsa-lib/package.nix +++ b/pkgs/by-name/al/alsa-lib/package.nix @@ -23,6 +23,16 @@ stdenv.mkDerivation (finalAttrs: { # "libs" field to declare locations for both native and 32bit plugins, in # order to support apps with 32bit sound running on x86_64 architecture. ./alsa-plugin-conf-multilib.patch + + # Patch for CVE-2026-25058. Relies on a function `snd_error` which does not + # exist in alsa-lib 1.2.14, so we vendor the change to use the old `SNDERR` + # macro instead. + # + # Upstream fix: + # https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 + # Introduction of `snd_error`: + # https://github.com/alsa-project/alsa-lib/commit/62c8e635dcce3d750985505ad20f8711d6dabf0d + ./CVE-2026-25068.patch ]; enableParallelBuilding = true; 
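Review bot: The comment added above `./CVE-2026-25068.patch` in package.nix calls the fix `CVE-2026-25058`, which matches neither the patch file name nor the `CVE:` line inside the patch. It should read `# Patch for CVE-2026-25068.` so that a search for the identifier finds this entry. The vendored file also keeps the upstream `From 5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40` header unchanged although, per the comment, the body was altered to use `SNDERR`. A line in the patch description such as `Backported for alsa-lib 1.2.14: uses SNDERR instead of snd_error` would keep the provenance accurate for anyone diffing it against upstream. The patches list begins outside this hunk.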
diff --git a/pkgs/by-name/ca/cacert/package.nix b/pkgs/by-name/ca/cacert/package.nix index e92080542defb..61c9fcded8c6b 100644 --- a/pkgs/by-name/ca/cacert/package.nix +++ b/pkgs/by-name/ca/cacert/package.nix @@ -2,15 +2,12 @@ lib, stdenv, writeText, - fetchFromGitHub, + fetchurl, buildcatrust, blacklist ? [ ], extraCertificateFiles ? [ ], extraCertificateStrings ? [ ], - # Used by update.sh - nssOverride ? null, - # Used for tests only runCommand, cacert, @@ -23,10 +20,9 @@ let lib.concatStringsSep "\n\n" extraCertificateStrings ); - srcVersion = "3.117"; - version = if nssOverride != null then nssOverride.version else srcVersion; + version = "3.121"; meta = { - homepage = "https://curl.haxx.se/docs/caextract.html"; + homepage = "https://firefox-source-docs.mozilla.org/security/nss/runbooks/rootstore.html#root-store-consumers"; description = "Bundle of X.509 certificates of public Certificate Authorities (CA)"; platforms = lib.platforms.all; maintainers = with lib.maintainers; [ 
@@ -35,40 +31,31 @@ let ]; license = lib.licenses.mpl20; }; - certdata = stdenv.mkDerivation { - pname = "nss-cacert-certdata"; - inherit version; - - src = - if nssOverride != null then - nssOverride.src - else - fetchFromGitHub { - owner = "nss-dev"; - repo = "nss"; - rev = "NSS_${lib.replaceStrings [ "." ] [ "_" ] version}_RTM"; - hash = "sha256-sAs0TiV3TK/WtgHvEjl2KFAgebyWZYmcRcmxjpn2AME="; - }; - - dontBuild = true; - - installPhase = '' - runHook preInstall - - mkdir $out - cp lib/ckfw/builtins/certdata.txt $out - - runHook postInstall - ''; - - inherit meta; - }; in stdenv.mkDerivation { pname = "nss-cacert"; inherit version; - src = certdata; + src = fetchurl { + urls = + let + # This file is effectively a public interface, see the homepage link + file = "lib/ckfw/builtins/certdata.txt"; + tag = "NSS_${lib.replaceStrings [ "." ] [ "_" ] version}_RTM"; + in + [ + # Prefer mercurial as the canonical source, while github is just a mirror + "https://hg-edge.mozilla.org/projects/nss/raw-file/${tag}/${file}" + "https://raw.githubusercontent.com/nss-dev/nss/refs/tags/${tag}/${file}" + ]; + hash = "sha256-O5jU4/9XoybZWHwzYzA5yMOpzwtV98pYHXWY/zKesfM="; + }; + + unpackPhase = '' + runHook preUnpack + cp "$src" "$(stripHash "$src")" + runHook postUnpack + ''; outputs = [ "out" diff --git a/pkgs/by-name/ca/cacert/update.sh b/pkgs/by-name/ca/cacert/update.sh index d578102ad56bd..ca7c2969bda70 100755 --- a/pkgs/by-name/ca/cacert/update.sh +++ b/pkgs/by-name/ca/cacert/update.sh 
@@ -25,7 +25,7 @@ BASEDIR="$(dirname "$0")/../../../.." CURRENT_PATH=$(nix-build --no-out-link -A cacert.out) -PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.override { nssOverride = nss_latest; }).out") +PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.overrideAttrs { src = nss_latest.src + \"/lib/ckfw/builtins/certdata.txt\"; }).out") # Check the hash of the etc subfolder # We can't check the entire output as that contains the nix-support folder @@ -35,5 +35,5 @@ PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc") if [[ "$CURRENT_HASH" != "$PATCHED_HASH" ]]; then NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss_latest.version" | jq -r .) - update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION" + update-source-version cacert "$NSS_VERSION" fi diff --git a/pkgs/by-name/cr/cryptsetup/package.nix b/pkgs/by-name/cr/cryptsetup/package.nix index d310ed986ca9b..79a0af738ce08 100644 --- a/pkgs/by-name/cr/cryptsetup/package.nix +++ b/pkgs/by-name/cr/cryptsetup/package.nix @@ -25,7 +25,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "cryptsetup"; - version = "2.8.3"; + version = "2.8.4"; outputs = [ "bin" @@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: { url = "mirror://kernel/linux/utils/cryptsetup/v${lib.versions.majorMinor finalAttrs.version}/" + "cryptsetup-${finalAttrs.version}.tar.xz"; - hash = "sha256-SoojuLnRoyUEUuQKzq1EIaA+RaOJVK0FlWNPQmaqgA8="; + hash = "sha256-RD5G+JZMmsx4D0Va+7jiOqDo7X7FBM/FngT0BvoeioM="; }; patches = [ diff --git a/pkgs/by-name/ex/expat/package.nix b/pkgs/by-name/ex/expat/package.nix index 39dca62d6c1e0..80f5f017a36a5 100644 --- a/pkgs/by-name/ex/expat/package.nix +++ b/pkgs/by-name/ex/expat/package.nix @@ -18,7 +18,7 @@ # files. let - version = "2.7.3"; + version = "2.7.4"; tag = "R_${lib.replaceStrings [ "." ] [ "_" ] version}"; in stdenv.mkDerivation (finalAttrs: { 
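Review bot: Nothing in update.sh ties the file that was compared to the file that ends up pinned. `PATCHED_PATH` builds the bundle from `nss_latest.src + "/lib/ckfw/builtins/certdata.txt"`, while the hash recorded afterwards by `update-source-version cacert` presumably covers whatever the first reachable URL in `cacert.src` serves. Since this file defines the system trust roots, it is worth comparing the two after the bump, for example `cmp "$(nix-build --no-out-link -A cacert.src)" "$(nix-build --no-out-link -A nss_latest.src)/lib/ckfw/builtins/certdata.txt"`, and aborting on a mismatch. The path concatenation also assumes `nss_latest.src` is an unpacked tree rather than a tarball, which deserves a one-line comment next to the override.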
@@ -29,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: { url = with finalAttrs; "https://github.com/libexpat/libexpat/releases/download/${tag}/${pname}-${version}.tar.xz"; - hash = "sha256-cd+PQHBqe7CoClNnB56nXZHaT4xlxY7Fm837997Nq58="; + hash = "sha256-npyrtFfB4J3pHbJwbYNlZFeSY46zvh+U27IUkwEIasA="; }; strictDeps = true; diff --git a/pkgs/by-name/li/libvpx/package.nix b/pkgs/by-name/li/libvpx/package.nix index 3887adeddd399..c25668287dd34 100644 --- a/pkgs/by-name/li/libvpx/package.nix +++ b/pkgs/by-name/li/libvpx/package.nix @@ -131,13 +131,13 @@ assert isCygwin -> unitTestsSupport && webmIOSupport && libyuvSupport; stdenv.mkDerivation rec { pname = "libvpx"; - version = "1.15.2"; + version = "1.16.0"; src = fetchFromGitHub { owner = "webmproject"; repo = "libvpx"; rev = "v${version}"; - hash = "sha256-1F5Zlue2DY1yJXwfDfGeh3KcFTQVo9voHcGkgItKgh0="; + hash = "sha256-z1Ov3BHnAGuayeY4D86oTRiDfuZ2Wpc4ZD7pXGaakVI="; }; postPatch = '' diff --git a/pkgs/by-name/lo/lowdown/package.nix b/pkgs/by-name/lo/lowdown/package.nix index a7d4f1dd8b6c2..d4720161aa07b 100644 --- a/pkgs/by-name/lo/lowdown/package.nix +++ b/pkgs/by-name/lo/lowdown/package.nix @@ -11,13 +11,14 @@ enableDarwinSandbox ? true, # for passthru.tests nix, + lowdown-unsandboxed, }: stdenv.mkDerivation rec { pname = "lowdown${ lib.optionalString (stdenv.hostPlatform.isDarwin && !enableDarwinSandbox) "-unsandboxed" }"; - version = "2.0.2"; + version = "2.0.4"; outputs = [ "out" @@ -28,7 +29,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "https://kristaps.bsd.lv/lowdown/snapshots/lowdown-${version}.tar.gz"; - hash = "sha512-cfzhuF4EnGmLJf5EGSIbWqJItY3npbRSALm+GarZ7SMU7Hr1xw0gtBFMpOdi5PBar4TgtvbnG4oRPh+COINGlA=="; + sha512 = "649a508b7727df6e7e1203abb3853e05f167b64832fd5e1271f142ccf782e600b1de73c72dc02673d7b175effdc54f2c0f60318208a968af9f9763d09cf4f9ef"; }; nativeBuildInputs = [ 
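Review bot: In the lowdown `src` hunk the digest moves from the SRI form `hash = "sha512-…"` to the legacy `sha512 = "<hex>"` attribute, which is inconsistent with the line it replaces and with every other fetcher touched in this change. The pinning strength is the same, but the SRI form is easier to compare against other entries by eye. Prefer `hash = "sha512-<SRI digest of lowdown-2.0.4.tar.gz>";` (placeholder, recompute it from the tarball).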
@@ -38,6 +39,12 @@ stdenv.mkDerivation rec { ] ++ lib.optionals stdenv.hostPlatform.isDarwin [ fixDarwinDylibNames ]; + postPatch = '' + # fails test, some column width mismatch + rm regress/table-footnotes.md + rm regress/table-styles.md + ''; + # The Darwin sandbox calls fail inside Nix builds, presumably due to # being nested inside another sandbox. preConfigure = lib.optionalString (stdenv.hostPlatform.isDarwin && !enableDarwinSandbox) '' @@ -74,32 +81,8 @@ stdenv.mkDerivation rec { "install_static" ]; - postInstall = - let - soVersion = "2"; - in - - # Check that soVersion is up to date even if we are not on darwin - lib.optionalString (enableShared && !stdenv.hostPlatform.isDarwin) '' - test -f $lib/lib/liblowdown.so.${soVersion} || \ - die "postInstall: expected $lib/lib/liblowdown.so.${soVersion} is missing" - '' - # Fix lib extension so that fixDarwinDylibNames detects it, see - # . - + lib.optionalString (enableShared && stdenv.hostPlatform.isDarwin) '' - darwinDylib="$lib/lib/liblowdown.${soVersion}.dylib" - mv "$lib/lib/liblowdown.so.${soVersion}" "$darwinDylib" - - # Make sure we are re-creating a symbolic link here - test -L "$lib/lib/liblowdown.so" || \ - die "postInstall: expected $lib/lib/liblowdown.so to be a symlink" - ln -s "$darwinDylib" "$lib/lib/liblowdown.dylib" - rm "$lib/lib/liblowdown.so" - ''; - - doInstallCheck = true; - - installCheckPhase = lib.optionalString (!stdenv.hostPlatform.isDarwin || !enableDarwinSandbox) '' + doInstallCheck = !stdenv.hostPlatform.isDarwin || !enableDarwinSandbox; + installCheckPhase = '' runHook preInstallCheck echo '# TEST' > test.md @@ -108,12 +91,12 @@ stdenv.mkDerivation rec { runHook postInstallCheck ''; - doCheck = true; + doCheck = !stdenv.hostPlatform.isDarwin || !enableDarwinSandbox; checkTarget = "regress"; passthru.tests = { - # most important consumer in nixpkgs - inherit nix; + # most important consumers in nixpkgs + inherit nix lowdown-unsandboxed; }; meta = { 
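Review bot: The deleted `postInstall` was the only check that `$lib/lib/liblowdown.so.${soVersion}` exists and the only place the Darwin `liblowdown.${soVersion}.dylib` name and `liblowdown.dylib` symlink were created, and nothing in the new code says why it is no longer needed. If the 2.0.4 build now produces correctly named libraries itself, say so in a short comment; otherwise the `enableShared` output on Darwin should be verified before merging. In the first hunk of this file, the new `postPatch` removes `regress/table-footnotes.md` and `regress/table-styles.md` with only "some column width mismatch" as the reason. A `# TODO: drop once <upstream report URL> is resolved` comment would keep those skips from becoming permanent.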
diff --git a/pkgs/by-name/mi/mimir/package.nix b/pkgs/by-name/mi/mimir/package.nix index ebc6e2bfead33..739d2c1a9a6a0 100644 --- a/pkgs/by-name/mi/mimir/package.nix +++ b/pkgs/by-name/mi/mimir/package.nix @@ -7,13 +7,13 @@ }: buildGoModule (finalAttrs: { pname = "mimir"; - version = "3.0.1"; + version = "3.0.3"; src = fetchFromGitHub { rev = "mimir-${finalAttrs.version}"; owner = "grafana"; repo = "mimir"; - hash = "sha256-tYGzU/sn6KLLetDmAyph5u8bCocmfF4ZysTkOCSVf+U="; + hash = "sha256-OUFmtHGGDU1+7EwfGVzrjPS2hqba0FfIuQl0V7up9Yk="; }; vendorHash = null; diff --git a/pkgs/by-name/mi/minizip/package.nix b/pkgs/by-name/mi/minizip/package.nix index 3a09845916197..e2e1757f03d47 100644 --- a/pkgs/by-name/mi/minizip/package.nix +++ b/pkgs/by-name/mi/minizip/package.nix @@ -3,12 +3,23 @@ stdenv, zlib, autoreconfHook, + fetchpatch, }: stdenv.mkDerivation { pname = "minizip"; inherit (zlib) src version; + patches = [ + # install missing header for qtwebengine: + # https://github.com/madler/zlib/pull/1178 + (fetchpatch { + name = "add-int.h.patch"; + url = "https://github.com/madler/zlib/commit/cb14dc9ade3759352417a300e6c2ed73268f1d97.patch"; + hash = "sha256-eX06nYLRPqpkbBAOso1ynGDYs9dcRAI14cG89qXuUzo="; + }) + ]; + patchFlags = [ "-p3" ]; nativeBuildInputs = [ autoreconfHook ]; diff --git a/pkgs/by-name/mo/modemmanager/package.nix b/pkgs/by-name/mo/modemmanager/package.nix index d2f43bb425722..a7a73ee2c50fc 100644 --- a/pkgs/by-name/mo/modemmanager/package.nix +++ b/pkgs/by-name/mo/modemmanager/package.nix @@ -32,14 +32,14 @@ stdenv.mkDerivation rec { pname = "modemmanager"; - version = "1.24.0"; + version = "1.24.2"; src = fetchFromGitLab { domain = "gitlab.freedesktop.org"; owner = "mobile-broadband"; repo = "ModemManager"; rev = version; - hash = "sha256-3jI75aR2esmv5dkE4TrdCHIcCvtdOBKnBC5XLEKoVFs="; + hash = "sha256-rBLOqpx7Y2BB6/xvhIw+rDEXsLtePhHLBvfpSuJzQik="; }; patches = [ 
diff --git a/pkgs/by-name/pu/publicsuffix-list/package.nix b/pkgs/by-name/pu/publicsuffix-list/package.nix index 4d53a001b9972..bdfb3b97e38e2 100644 --- a/pkgs/by-name/pu/publicsuffix-list/package.nix +++ b/pkgs/by-name/pu/publicsuffix-list/package.nix @@ -7,13 +7,13 @@ stdenvNoCC.mkDerivation { pname = "publicsuffix-list"; - version = "0-unstable-2025-12-28"; + version = "0-unstable-2026-01-25"; src = fetchFromGitHub { owner = "publicsuffix"; repo = "list"; - rev = "1ef6d3bc102c85d12e92be54ec0dad8ee990dd5f"; - hash = "sha256-rQdum6XLgfXwzpKTneakFmC80tOmlPFrZ8C7dfEnlSo="; + rev = "6c40921fc61160568b101aff506d548ba3300ba6"; + hash = "sha256-BOSau54FwCHNLordlN0+I708acXSogjnfKINpfMeYcc="; }; dontBuild = true; diff --git a/pkgs/by-name/un/unzip/CVE-2021-4217.patch b/pkgs/by-name/un/unzip/CVE-2021-4217.patch new file mode 100644 index 0000000000000..9344d1d0cf8dc --- /dev/null +++ b/pkgs/by-name/un/unzip/CVE-2021-4217.patch 
@@ -0,0 +1,47 @@ +From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001 +From: Nils Bars +Date: Mon, 17 Jan 2022 16:53:16 +0000 +Subject: [PATCH] Fix null pointer dereference and use of uninitialized data + +This fixes a bug that causes use of uninitialized heap data if `readbuf` fails +to read as many bytes as indicated by the extra field length attribute. +Furthermore, this fixes a null pointer dereference if an archive contains an +`EF_UNIPATH` extra field but does not have a filename set. +--- + fileio.c | 5 ++++- + process.c | 6 +++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/fileio.c ++++ b/fileio.c +@@ -2310,8 +2310,11 @@ int do_string(__G__ length, option) /* + seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes + + (G.inptr-G.inbuf) + length); + } else { +- if (readbuf(__G__ (char *)G.extra_field, length) == 0) ++ unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length); ++ if (bytes_read == 0) + return PK_EOF; ++ if (bytes_read != length) ++ return PK_ERR; + /* Looks like here is where extra fields are read */ + if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) + { +--- a/process.c ++++ b/process.c +@@ -2067,10 +2067,14 @@ int getUnicodeData(__G__ ef_buf, ef_len) + G.unipath_checksum = makelong(offset + ef_buf); + offset += 4; + ++ if (!G.filename_full) { ++ /* Check if we have a unicode extra section but no filename set */ ++ return PK_ERR; ++ } ++ + /* + * Compute 32-bit crc + */ +- + chksum = crc32(chksum, (uch *)(G.filename_full), + strlen(G.filename_full)); + diff --git a/pkgs/by-name/un/unzip/package.nix b/pkgs/by-name/un/unzip/package.nix index 1b35d4f52f936..37f9b313a1d0d 100644 --- a/pkgs/by-name/un/unzip/package.nix +++ b/pkgs/by-name/un/unzip/package.nix 
@@ -73,11 +73,7 @@ stdenv.mkDerivation rec { # Clang 16 makes implicit declarations an error by default for C99 and newer, causing the # configure script to fail to detect errno and the directory libraries on Darwin. ./implicit-declarations-fix.patch - (fetchurl { - name = "CVE-2021-4217.patch"; - url = "https://git.launchpad.net/ubuntu/+source/unzip/plain/debian/patches/CVE-2021-4217.patch?id=94a790fcbb5d6c53cdf5d786bcaa0b8dc10309b6"; - hash = "sha256-YKE4jVNSlrHLbszXNYYRtAQs0ly4AsodEz6tadMIVqE="; - }) + ./CVE-2021-4217.patch ] ++ lib.optional enableNLS (fetchurl { url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/app-arch/unzip/files/unzip-6.0-natspec.patch?id=56bd759df1d0c750a065b8c845e93d5dfa6b549d"; diff --git a/pkgs/development/compilers/go/1.25.nix b/pkgs/development/compilers/go/1.25.nix index 7e76017801425..15924f0934bd5 100644 --- a/pkgs/development/compilers/go/1.25.nix +++ b/pkgs/development/compilers/go/1.25.nix @@ -25,11 +25,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "go"; - version = "1.25.6"; + version = "1.25.7"; src = fetchurl { url = "https://go.dev/dl/go${finalAttrs.version}.src.tar.gz"; - hash = "sha256-WMv3ceRNdt5vVtGeM7d9dFoeSJNAkih15GWFuXXCsFk="; + hash = "sha256-F48oMoICdLQ+F30y8Go+uwEp5CfdIKXkyI3ywXY88Qo="; }; strictDeps = true; diff --git a/pkgs/development/interpreters/python/default.nix b/pkgs/development/interpreters/python/default.nix index 7b0a4bfd85915..2e3bc851f5ad0 100644 --- a/pkgs/development/interpreters/python/default.nix +++ b/pkgs/development/interpreters/python/default.nix @@ -20,10 +20,10 @@ sourceVersion = { major = "3"; minor = "13"; - patch = "11"; + patch = "12"; suffix = ""; }; - hash = "sha256-Fu3nu3zb+oldEbBkL6DlI/KR5khxlNU89tOzOMOhfqI="; + hash = "sha256-KoTNMd2Njqiq/3XeZvwbSwEn3VeZqlCmSumjE4hbRZM="; }; }; 
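Review bot: Replacing the hash-pinned `fetchurl` with the in-tree `./CVE-2021-4217.patch` drops the only record in package.nix of where the patch came from. The removed lines pointed at Ubuntu's `debian/patches/CVE-2021-4217.patch` at id `94a790fcbb5d6c53cdf5d786bcaa0b8dc10309b6`. A comment above the entry, e.g. `# Vendored from https://git.launchpad.net/ubuntu/+source/unzip/plain/debian/patches/CVE-2021-4217.patch?id=94a790fcbb5d6c53cdf5d786bcaa0b8dc10309b6`, would let a later reviewer confirm the vendored copy is unmodified. The patches list starts and ends outside this hunk.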
@@ -91,10 +91,10 @@ sourceVersion = { major = "3"; minor = "14"; - patch = "2"; + patch = "3"; suffix = ""; }; - hash = "sha256-zlQ6uFS8JWthtx6bJ/gx/9G/1gpHnWOfi+f5dXz1c+k="; + hash = "sha256-qX1VSemtgf4XFZ7QLGh3StXSZscvjZoLWpw3H+hdkCs="; inherit passthruFun; }; diff --git a/pkgs/development/libraries/capstone/default.nix b/pkgs/development/libraries/capstone/default.nix index 5fd139afecce9..5689bb07ff4ec 100644 --- a/pkgs/development/libraries/capstone/default.nix +++ b/pkgs/development/libraries/capstone/default.nix @@ -8,13 +8,13 @@ stdenv.mkDerivation rec { pname = "capstone"; - version = "5.0.6"; + version = "5.0.7"; src = fetchFromGitHub { owner = "capstone-engine"; repo = "capstone"; rev = version; - hash = "sha256-ovIvsxVq+/q5UUMzP4WpxzaE0898uayNc1g2Coignnc="; + hash = "sha256-+6QReHZK+iIXspizy6Kvk7cj016HOKgiaKSaP4h7mao="; }; cmakeFlags = [ diff --git a/pkgs/development/libraries/gnutls/default.nix b/pkgs/development/libraries/gnutls/default.nix index 2cce91e8115dd..2f3a53bd1327c 100644 --- a/pkgs/development/libraries/gnutls/default.nix +++ b/pkgs/development/libraries/gnutls/default.nix @@ -59,11 +59,11 @@ in stdenv.mkDerivation rec { pname = "gnutls"; - version = "3.8.11"; + version = "3.8.12"; src = fetchurl { url = "mirror://gnupg/gnutls/v${lib.versions.majorMinor version}/gnutls-${version}.tar.xz"; - hash = "sha256-kb0jxKhuvGFS6BMD0gz2zq65e8j4QmbQ+uxuKfF7qiA="; + hash = "sha256-p7NBQhv9RZrPejdMpK87ngZgjc1715Kyv0cL6gErjlE="; }; outputs = [ diff --git a/pkgs/development/libraries/libpng/default.nix b/pkgs/development/libraries/libpng/default.nix index e548f82bdbb8f..074a520d8acb0 100644 --- a/pkgs/development/libraries/libpng/default.nix +++ b/pkgs/development/libraries/libpng/default.nix 
@@ -20,11 +20,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "libpng" + whenPatched "-apng"; - version = "1.6.54"; + version = "1.6.55"; src = fetchurl { url = "mirror://sourceforge/libpng/libpng-${finalAttrs.version}.tar.xz"; - hash = "sha256-AcnYowPJQewsURwUMSo7HTbO20Hi9RaMzaqF1TuIeAU="; + hash = "sha256-2SVyKGSDetWuKoIHDUsuBgPccq9EvUV8OWIpgli46C0="; }; postPatch = whenPatched "gunzip < ${patch_src} | patch -Np1" diff --git a/pkgs/development/libraries/libsoup/3.x.nix b/pkgs/development/libraries/libsoup/3.x.nix index 0611a148e7065..3b82e60baaa66 100644 --- a/pkgs/development/libraries/libsoup/3.x.nix +++ b/pkgs/development/libraries/libsoup/3.x.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation rec { pname = "libsoup"; - version = "3.6.5"; + version = "3.6.6"; outputs = [ "out" @@ -34,7 +34,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "mirror://gnome/sources/${pname}/${lib.versions.majorMinor version}/${pname}-${version}.tar.xz"; - hash = "sha256-aJF2Wqw+lJAXlFw+rr2MyCFt93JFbcn0YJdvvbetojQ="; + hash = "sha256-Ue0K4G+dWkD0Af9Fni5fZS+aUQt3MOE1nuZtFNSHJ0A="; }; depsBuildBuild = [ @@ -112,6 +112,7 @@ stdenv.mkDerivation rec { description = "HTTP client/server library for GNOME"; homepage = "https://gitlab.gnome.org/GNOME/libsoup"; license = lib.licenses.lgpl2Plus; + changelog = "https://gitlab.gnome.org/GNOME/libsoup/-/blob/${version}/NEWS"; inherit (glib.meta) maintainers platforms teams; }; } diff --git a/pkgs/development/libraries/nss/esr.nix b/pkgs/development/libraries/nss/esr.nix index c7e53ae11ab65..6e835d0dc71fb 100644 --- a/pkgs/development/libraries/nss/esr.nix +++ b/pkgs/development/libraries/nss/esr.nix @@ -1,6 +1,6 @@ import ./generic.nix { - version = "3.112.2"; - hash = "sha256-hK0TovR0LrVkB96BwCnhwaljDSElR85fnobzCa9+uKo="; + version = "3.112.3"; + hash = "sha256-1gOfP3HM1irGuJ+ln6n1toJC46+K5Z7pGm26vSryU7M="; filename = "esr.nix"; versionRegex = "NSS_(3)_(112)(?:_(\\d+))?_RTM"; } 
diff --git a/pkgs/development/libraries/zlib/default.nix b/pkgs/development/libraries/zlib/default.nix index cf8664c78e4fb..6808a2ca0ae53 100644 --- a/pkgs/development/libraries/zlib/default.nix +++ b/pkgs/development/libraries/zlib/default.nix @@ -27,7 +27,7 @@ assert splitStaticOutput -> static; stdenv.mkDerivation (finalAttrs: { pname = "zlib"; - version = "1.3.1"; + version = "1.3.2"; src = let @@ -40,7 +40,7 @@ stdenv.mkDerivation (finalAttrs: { # Stable archive path, but captcha can be encountered, causing hash mismatch. "https://www.zlib.net/fossils/zlib-${version}.tar.gz" ]; - hash = "sha256-mpOyt9/ax3zrpaVYpYDnRmfdb+3kWFuR7vtg8Dty3yM="; + hash = "sha256-uzKaCizQJ00FUZ1hxmfAYuBpkNcuEl7i36jeZPARnRY="; }; postPatch = lib.optionalString stdenv.hostPlatform.isDarwin '' diff --git a/pkgs/development/php-packages/imagick/default.nix b/pkgs/development/php-packages/imagick/default.nix index bea439c594172..8b1e40cc033c8 100644 --- a/pkgs/development/php-packages/imagick/default.nix +++ b/pkgs/development/php-packages/imagick/default.nix @@ -1,21 +1,23 @@ { buildPecl, - fetchpatch, lib, imagemagick, pkg-config, pcre2, - php, }: buildPecl { pname = "imagick"; version = "3.8.1"; - sha256 = "sha256-OjWHwKUkwX0NrZZzoWC5DNd26DaDhHThc7VJ7YZDUu4="; + hash = "sha256-OjWHwKUkwX0NrZZzoWC5DNd26DaDhHThc7VJ7YZDUu4="; configureFlags = [ "--with-imagick=${imagemagick.dev}" ]; + + depsBuildBuild = [ pkg-config ]; + nativeBuildInputs = [ pkg-config ]; + buildInputs = [ pcre2 ]; meta = { diff --git a/pkgs/development/python-modules/certbot/default.nix b/pkgs/development/python-modules/certbot/default.nix index 662b4ca4c8a5e..08091a2328283 100644 --- a/pkgs/development/python-modules/certbot/default.nix +++ b/pkgs/development/python-modules/certbot/default.nix @@ -5,6 +5,7 @@ python, runCommand, fetchFromGitHub, + fetchpatch, configargparse, acme, configobj, 
@@ -34,6 +35,14 @@ buildPythonPackage rec { hash = "sha256-jKhdclLBeWv6IxIZQtD8VWbSQ3SDZePA/kTxjiBXJ4o="; }; + patches = [ + (fetchpatch { + name = "fix-test_rollback_too_many.patch"; + url = "https://github.com/certbot/certbot/commit/4c61a450d4a843c66baab6d5d9a42ce0554e99d7.patch"; + hash = "sha256-PSh2JXoEWNUrqxNh8X5QchyIP8KRHT60T/cLax6VRWo="; + }) + ]; + postPatch = "cd certbot"; # using sourceRoot would interfere with patches build-system = [ setuptools ]; diff --git a/pkgs/development/python-modules/cryptography/default.nix b/pkgs/development/python-modules/cryptography/default.nix index d9b3a68715ae1..eef08b32b5461 100644 --- a/pkgs/development/python-modules/cryptography/default.nix +++ b/pkgs/development/python-modules/cryptography/default.nix @@ -22,7 +22,7 @@ buildPythonPackage rec { pname = "cryptography"; - version = "46.0.2"; + version = "46.0.5"; pyproject = true; disabled = pythonOlder "3.7"; @@ -31,12 +31,12 @@ buildPythonPackage rec { owner = "pyca"; repo = "cryptography"; tag = version; - hash = "sha256-gsEHKEYiMw2eliEpxwzFGDetOp77PivlMoBD3HBbbFA="; + hash = "sha256-jzdkAVMnKr0z1MBUgs6xjLnTZrqNOBwq3w56JDwgFgk="; }; cargoDeps = rustPlatform.fetchCargoVendor { inherit pname version src; - hash = "sha256-aCQzY2gBjVVwiqlqAxkH4y6yf4lqdQuSEnQSIjLPRJg="; + hash = "sha256-5ElDEl7MdcQfu/hy+POSBcvkNCFAMo6La5s6uRhZ/fM="; }; postPatch = '' diff --git a/pkgs/development/python-modules/exceptiongroup/default.nix b/pkgs/development/python-modules/exceptiongroup/default.nix index 2e8cdbff1c702..2aea62325c6bf 100644 --- a/pkgs/development/python-modules/exceptiongroup/default.nix +++ b/pkgs/development/python-modules/exceptiongroup/default.nix @@ -6,6 +6,7 @@ pytestCheckHook, pythonAtLeast, pythonOlder, + isPy313, typing-extensions, }: 
@@ -23,6 +24,15 @@ buildPythonPackage rec { hash = "sha256-b3Z1NsYKp0CecUq8kaC/j3xR/ZZHDIw4MhUeadizz88="; }; + # CPython fixed https://github.com/python/cpython/issues/141732 in + # https://github.com/python/cpython/pull/141736, but exceptiongroup 1.3.1, + # including its test suite, still matches the old repr behavior. + # The CPython fix has only been backported to 3.13 so far, where it was + # first included in version 3.13.12, so we only need to patch for 3.13 + # and 3.15+. + # Upstream issue: https://github.com/agronholm/exceptiongroup/issues/154 + patches = lib.optional (isPy313 || pythonAtLeast "3.15") ./match-repr-fix.patch; + build-system = [ flit-scm ]; dependencies = lib.optionals (pythonOlder "3.13") [ typing-extensions ]; @@ -31,6 +41,12 @@ buildPythonPackage rec { doCheck = pythonAtLeast "3.11"; # infinite recursion with pytest + disabledTests = lib.optionals (pythonAtLeast "3.14") [ + # RecursionError not raised + "test_deep_split" + "test_deep_subgroup" + ]; + pythonImportsCheck = [ "exceptiongroup" ]; meta = { diff --git a/pkgs/development/python-modules/exceptiongroup/match-repr-fix.patch b/pkgs/development/python-modules/exceptiongroup/match-repr-fix.patch new file mode 100644 index 0000000000000..ed09c9f39600c --- /dev/null +++ b/pkgs/development/python-modules/exceptiongroup/match-repr-fix.patch 
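Review bot: The condition `isPy313 || pythonAtLeast "3.15"` hard-codes which CPython branches carry the repr change, and the comment itself says the backport has reached only 3.13 "so far". This same change set bumps 3.14.2 to 3.14.3, so it is worth confirming that 3.14.3 does not already include the backport. If it does, 3.14 builds will fail `test_exceptions_mutate_original_sequence` until the condition is extended. A `# TODO: add 3.14 once the backport lands there` line next to the condition would make the follow-up explicit. The `disabledTests` entries for 3.14 ("RecursionError not raised") would also benefit from a link to an upstream report.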
@@ -0,0 +1,48 @@ +From 9be2b65dbd8366da27cd79c09195493217dbf539 Mon Sep 17 00:00:00 2001 +From: Tom Hunze +Date: Sat, 7 Feb 2026 11:37:49 +0100 +Subject: [PATCH] Fix `ExceptionGroup` repr changing when original exception + sequence is mutated + +https://github.com/python/cpython/pull/141736 +--- + src/exceptiongroup/_exceptions.py | 3 ++- + tests/test_exceptions.py | 3 +-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/exceptiongroup/_exceptions.py b/src/exceptiongroup/_exceptions.py +index f42c1ad..996d8e1 100644 +--- a/src/exceptiongroup/_exceptions.py ++++ b/src/exceptiongroup/_exceptions.py +@@ -101,6 +101,7 @@ class BaseExceptionGroup(BaseException, Generic[_BaseExceptionT_co]): + ) + + instance = super().__new__(cls, __message, __exceptions) ++ instance._exceptions_str = repr(__exceptions) + instance._exceptions = tuple(__exceptions) + return instance + +@@ -275,7 +276,7 @@ class BaseExceptionGroup(BaseException, Generic[_BaseExceptionT_co]): + return f"{self.message} ({len(self._exceptions)} sub-exception{suffix})" + + def __repr__(self) -> str: +- return f"{self.__class__.__name__}({self.args[0]!r}, {self.args[1]!r})" ++ return f"{self.__class__.__name__}({self.args[0]!r}, {self._exceptions_str})" + + + class ExceptionGroup(BaseExceptionGroup[_ExceptionT_co], Exception): +diff --git a/tests/test_exceptions.py b/tests/test_exceptions.py +index e2bc81a..a253236 100644 +--- a/tests/test_exceptions.py ++++ b/tests/test_exceptions.py +@@ -883,6 +883,5 @@ def test_exceptions_mutate_original_sequence(): + exceptions.append(KeyError("bar")) + assert excgrp.exceptions is exc_tuple + assert repr(excgrp) == ( +- "BaseExceptionGroup('foo', [ValueError(1), KeyboardInterrupt(), " +- "KeyError('bar')])" ++ "BaseExceptionGroup('foo', [ValueError(1), KeyboardInterrupt()])" + ) +-- +2.51.2 + diff --git a/pkgs/development/python-modules/msrest/default.nix b/pkgs/development/python-modules/msrest/default.nix index 0e3062e4de945..435b5811657ec 100644 
--- a/pkgs/development/python-modules/msrest/default.nix +++ b/pkgs/development/python-modules/msrest/default.nix @@ -70,6 +70,13 @@ buildPythonPackage { "test_eventgrid_domain_auth" ]; + disabledTestPaths = [ + # 2 AssertionErrors... See: + # https://github.com/Azure/msrest-for-python/issues/267 + "tests/asynctests/test_async_client.py::TestServiceClient::test_client_send" + "tests/test_client.py::TestServiceClient::test_client_send" + ]; + pythonImportsCheck = [ "msrest" ]; meta = { diff --git a/pkgs/development/python-modules/pillow/default.nix b/pkgs/development/python-modules/pillow/default.nix index 3b301afdc59b0..bc4007bd63c9b 100644 --- a/pkgs/development/python-modules/pillow/default.nix +++ b/pkgs/development/python-modules/pillow/default.nix @@ -44,14 +44,14 @@ buildPythonPackage rec { pname = "pillow"; - version = "12.1.0"; + version = "12.1.1"; pyproject = true; src = fetchFromGitHub { owner = "python-pillow"; repo = "pillow"; tag = version; - hash = "sha256-QGtuxKpkx2FScQHj9lH4mhEAo6jE+NAR2sR5/zvHUuA="; + hash = "sha256-NlmNabyoHiakwvomjivTA7N304ovNCMDSaBLSmcmZ7w="; }; build-system = [ diff --git a/pkgs/development/python-modules/posthog/default.nix b/pkgs/development/python-modules/posthog/default.nix index f2411acfa8455..5f8fa34e1c015 100644 --- a/pkgs/development/python-modules/posthog/default.nix +++ b/pkgs/development/python-modules/posthog/default.nix @@ -62,6 +62,8 @@ buildPythonPackage rec { "test_upload" # AssertionError: 2 != 3 "test_flush_interval" + # len(client.distinct_ids_feature_flags_reported) = 101 != i % 100 + 1 + "test_capture_multiple_users_doesnt_out_of_memory" ]; disabledTestPaths = [ diff --git a/pkgs/development/python-modules/tkinter/default.nix b/pkgs/development/python-modules/tkinter/default.nix index 233b2b2b0e4a9..4b7a0477c15fa 100644 --- a/pkgs/development/python-modules/tkinter/default.nix +++ b/pkgs/development/python-modules/tkinter/default.nix 
@@ -5,6 +5,7 @@ replaceVars, setuptools, python, + pythonAtLeast, pythonOlder, tcl, tclPackages, @@ -74,6 +75,18 @@ buildPythonPackage { preCheck = '' cd $NIX_BUILD_TOP/Python-*/Lib export HOME=$TMPDIR + '' + + lib.optionalString (pythonAtLeast "3.13" && pythonOlder "3.15") '' + # https://github.com/python/cpython/pull/143570 + # wantobject resources are only supported via libregrtest + substituteInPlace \ + test/test_tcl.py \ + test/test_ttk/__init__.py \ + test/test_tkinter/__init__.py \ + test/test_tkinter/support.py \ + --replace-fail \ + "support.get_resource_value('wantobjects')" \ + "0" ''; checkPhase = diff --git a/pkgs/development/python-modules/wandb/default.nix b/pkgs/development/python-modules/wandb/default.nix index 9e81d3601b941..85a52efa39eca 100644 --- a/pkgs/development/python-modules/wandb/default.nix +++ b/pkgs/development/python-modules/wandb/default.nix @@ -2,10 +2,12 @@ lib, stdenv, fetchFromGitHub, + pythonAtLeast, ## wandb-core - buildGo125Module, + buildGoModule, gitMinimal, + writableTmpDirAsHomeHook, versionCheckHook, ## gpu-stats @@ -20,11 +22,9 @@ # dependencies click, - docker-pycreds, gitpython, platformdirs, protobuf, - psutil, pydantic, pyyaml, requests, @@ -73,16 +73,15 @@ torch, torchvision, tqdm, - writableTmpDirAsHomeHook, }: let - version = "0.21.4"; + version = "0.25.0"; src = fetchFromGitHub { owner = "wandb"; repo = "wandb"; tag = "v${version}"; - hash = "sha256-1l68nU/rmYg/Npg1EVraGr2tu/lkNAo9M7Q0IyckEoc="; + hash = "sha256-ouJHMPcWiHn2p0mFatmC28xUmjzxsoDW9WBX6FzjyDc="; }; gpu-stats = rustPlatform.buildRustPackage { @@ -92,7 +91,7 @@ let sourceRoot = "${src.name}/gpu_stats"; - cargoHash = "sha256-iZinowkbBc3nuE0uRS2zLN2y97eCMD1mp/MKVKdnXaE="; + cargoHash = "sha256-yzvXJYkQTNOScOI3yfVBH6IGZzcFduuXqW3pI5hEZGw="; checkFlags = [ # fails in sandbox @@ -110,7 +109,7 @@ let }; }; - wandb-core = buildGo125Module rec { + wandb-core = buildGoModule rec { pname = "wandb-core"; inherit src version; 
@@ -128,6 +127,7 @@ let nativeBuildInputs = [ gitMinimal + writableTmpDirAsHomeHook ]; nativeInstallCheckInputs = [ @@ -196,11 +196,9 @@ buildPythonPackage rec { dependencies = [ click - docker-pycreds gitpython platformdirs protobuf - psutil pydantic pyyaml requests @@ -388,14 +386,17 @@ buildPythonPackage rec { # Breaks in sandbox: "Timed out waiting for wandb service to start" "test_setup_offline" + ] + ++ lib.optionals (pythonAtLeast "3.14") [ + # AttributeError: '...' object has no attribute '__annotations__' + "test_watch_graph_torch_jit" + "test_watch_parameters_torch_jit" ]; - pythonImportsCheck = [ "wandb" ]; - meta = { description = "CLI and library for interacting with the Weights and Biases API"; homepage = "https://github.com/wandb/wandb"; - changelog = "https://github.com/wandb/wandb/raw/v${version}/CHANGELOG.md"; + changelog = "https://github.com/wandb/wandb/raw/${version}/CHANGELOG.md"; license = lib.licenses.mit; maintainers = with lib.maintainers; [ samuela ]; broken = gpu-stats.meta.broken || wandb-core.meta.broken; diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index 68255aed8a628..038e4fe2d4bd8 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -564,9 +564,9 @@ let DRM_DP_CEC = whenOlder "6.10" yes; DRM_DISPLAY_DP_AUX_CEC = whenAtLeast "6.10" yes; - # Required for Nova - # FIXME: remove after https://gitlab.freedesktop.org/drm/rust/kernel/-/commit/3d3352e73a55a4ccf110f8b3419bbe2fbfd8a030 lands - RUST_FW_LOADER_ABSTRACTIONS = lib.mkIf withRust (whenAtLeast "6.12" yes); + # Do not enable Nova drivers, which are still WIP. This is the Kconfig default. + NOVA_CORE = whenAtLeast "6.15" no; + DRM_NOVA = whenAtLeast "6.16" no; } // lib.optionalAttrs 
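Review bot: In the `@@ -388,14 +386,17 @@` hunk of wandb/default.nix, the `changelog` URL drops the `v` prefix (`raw/${version}/CHANGELOG.md`), while `src` in the same file still fetches `tag = "v${version}"`. Unless upstream also publishes un-prefixed tags, the link will not resolve, so I would keep `changelog = "https://github.com/wandb/wandb/raw/v${version}/CHANGELOG.md";`. The same hunk removes `pythonImportsCheck = [ "wandb" ];` with no explanation. For a jump from 0.21.4 to 0.25.0 that also drops `docker-pycreds` and `psutil` from `dependencies`, the import check is the cheapest guard against a missing runtime dependency, so either keep it or add a one-line comment saying why it had to go. The enclosing `buildPythonPackage rec {` block starts and ends outside this hunk.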
@@ -589,6 +589,8 @@ let DRM_VC4_HDMI_CEC = yes; # Enable HDMI out on platforms using the RK3588 lineup of SoCs. ROCKCHIP_DW_HDMI_QP = whenAtLeast "6.13" yes; + # Enable DSI out on platforms using the RK3588 lineup of SoCs. + ROCKCHIP_DW_MIPI_DSI2 = whenAtLeast "6.16" yes; }; # Enable Rust and features that depend on it diff --git a/pkgs/servers/home-assistant/default.nix b/pkgs/servers/home-assistant/default.nix index 5ef698f83c68c..eb0fd582d4baf 100644 --- a/pkgs/servers/home-assistant/default.nix +++ b/pkgs/servers/home-assistant/default.nix @@ -498,6 +498,10 @@ python.pkgs.buildPythonApplication rec { "tests/test_test_fixtures.py::test_evict_faked_translations" "tests/helpers/test_backup.py::test_async_get_manager" "tests/helpers/test_trigger.py::test_platform_multiple_triggers[sync_action]" + # various failing after python-updates + "tests/helpers/test_entity_platform.py::test_platform_warn_slow_setup" # ValueError: not enough values to unpack (expected 2, got 0) + "tests/helpers/test_entity_component.py::test_set_scan_interval_via_config" # assert 10 == 30.0 + "tests/helpers/test_entity_component.py::test_set_entity_namespace_via_config" # AssertionError: assert [] == ['test_domain...named_device'] ]; preCheck = '' diff --git a/pkgs/servers/sql/postgresql/libpq.nix b/pkgs/servers/sql/postgresql/libpq.nix index 0faf9f4f6ed52..393341f0c919d 100644 --- a/pkgs/servers/sql/postgresql/libpq.nix +++ b/pkgs/servers/sql/postgresql/libpq.nix @@ -40,14 +40,14 @@ stdenv.mkDerivation (finalAttrs: { pname = "libpq"; - version = "18.1"; + version = "18.2"; src = fetchFromGitHub { owner = "postgres"; repo = "postgres"; # rev, not tag, on purpose: see generic.nix. - rev = "refs/tags/REL_18_1"; - hash = "sha256-cZA2hWtr5RwsUrRWkvl/yvUzFPSfdtpyAKGXfrVUr0g="; + rev = "refs/tags/REL_18_2"; + hash = "sha256-cvBXxA7/kEwDGxFv/YoZCIh17jzUujrCtfKAmtSxKTw="; }; __structuredAttrs = true; 
diff --git a/pkgs/tools/security/gnupg/24.nix b/pkgs/tools/security/gnupg/24.nix index ddca7735483a7..46774bfdbfdd8 100644 --- a/pkgs/tools/security/gnupg/24.nix +++ b/pkgs/tools/security/gnupg/24.nix @@ -36,11 +36,11 @@ assert guiSupport -> !enableMinimal; stdenv.mkDerivation rec { pname = "gnupg"; - version = "2.4.8"; + version = "2.4.9"; src = fetchurl { url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2"; - hash = "sha256-tYyA15sE0yQ/9JwcP8a1+DE46zeEaJVjvN0GBZUxhhY="; + hash = "sha256-3RerLpoE/XnTnYU/WZy8hSBi3bmrUqTd60F2/YswKWQ="; }; depsBuildBuild = [ buildPackages.stdenv.cc ]; @@ -87,8 +87,8 @@ stdenv.mkDerivation rec { domain = "gitlab.com"; owner = "freepg"; repo = "gnupg"; - rev = "361c223eb00ca372fbf9506f5150ddbec193936f"; - hash = "sha256-hRuwrB6G2vjp7Md6m+cwoi7g4GtW0sazAEN5RC+AKdg="; + tag = "source-2.4.9-freepg"; + hash = "sha256-wF+iR0OgnU8VI90NlFOXtN5aCRC0YY/X7sPiDXjJm5M="; }; patches = [ @@ -128,6 +128,7 @@ stdenv.mkDerivation rec { "0029-Add-keyboxd-systemd-support.patch" "0033-Support-large-RSA-keygen-in-non-batch-mode.patch" "0034-gpg-Verify-Text-mode-Signatures-over-binary-Literal-.patch" + "0039-gpg-Do-not-use-a-default-when-asking-for-another-out.patch" ]; postPatch = 
@@ -139,7 +140,10 @@ stdenv.mkDerivation rec { # A significant difference between the two seems to be that keys.openpgp.org is verifying keys, while keyserver.ubuntu.com isn't: https://unix.stackexchange.com/a/694528 # The keys.openpgp.org also has a great FAQ: https://keys.openpgp.org/about/faq '' - sed -i 's,\(hkps\|https\)://keyserver.ubuntu.com,hkps://keys.openpgp.org,g' configure configure.ac doc/dirmngr.texi doc/gnupg.info-1 + substituteInPlace configure configure.ac \ + --replace-fail "hkps://keyserver.ubuntu.com" "hkps://keys.openpgp.org" + substituteInPlace doc/gnupg.info-1 doc/dirmngr.texi \ + --replace-fail "https://keyserver.ubuntu.com" "https://keys.openpgp.org" '' + lib.optionalString (stdenv.hostPlatform.isLinux && withPcsc) '' sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c diff --git a/pkgs/tools/security/gnupg/static.patch b/pkgs/tools/security/gnupg/static.patch index ce1b75aaf210f..cfa7b7ea41d5f 100644 --- a/pkgs/tools/security/gnupg/static.patch +++ b/pkgs/tools/security/gnupg/static.patch @@ -1,4 +1,4 @@ -From 6a426b8093cf6633425d08a2d33ed24d200473a0 Mon Sep 17 00:00:00 2001 +From 5eec11089067947bd850e069651cfa9bf4c48d07 Mon Sep 17 00:00:00 2001 From: Alyssa Ross Date: Sun, 9 Feb 2025 08:51:32 +0100 Subject: [PATCH] build: use pkg-config to find tss2-esys @@ -8,15 +8,15 @@ won't be linked when tss2-esys is a static library. --- Link: https://dev.gnupg.org/D606 - configure | 131 +++++++++++++++++++++++++++++---------------------- + configure | 132 ++++++++++++++++++++++++++++----------------------- configure.ac | 5 +- - 2 files changed, 76 insertions(+), 60 deletions(-) + 2 files changed, 75 insertions(+), 62 deletions(-) diff --git a/configure b/configure -index 59f027d..f53c99d 100755 +index f5d8bef90..e7f4fb175 100755 --- a/configure +++ b/configure -@@ -669,12 +669,12 @@ TEST_LIBTSS_FALSE +@@ -696,12 +696,12 @@ TEST_LIBTSS_FALSE TEST_LIBTSS_TRUE HAVE_LIBTSS_FALSE HAVE_LIBTSS_TRUE 
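Review bot: The two `substituteInPlace` calls in the `@@ -139,7 +140,10 @@` hunk of gnupg/24.nix each cover only one URL scheme per file, whereas the removed `sed` matched both `hkps://` and `https://` in all four files. `--replace-fail` only guarantees that the named pattern occurs in each file, so an `https://keyserver.ubuntu.com` left in `configure`/`configure.ac`, or an `hkps://` form left in the docs, would go unnoticed. Because this rewrite decides the default keyserver, I would add an explicit check after the substitutions, for example `if grep -q '://keyserver.ubuntu.com' configure configure.ac doc/dirmngr.texi doc/gnupg.info-1; then exit 1; fi`. The doc files now also get `https://keys.openpgp.org` rather than the `hkps://` form the old `sed` wrote; if that is intended, a short comment would make it clear. The `postPatch` string begins outside this hunk.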
@@ -31,7 +31,7 @@ index 59f027d..f53c99d 100755 W32SOCKLIBS NETLIBS CROSS_COMPILING_FALSE -@@ -1005,7 +1005,9 @@ PKG_CONFIG_LIBDIR +@@ -1030,7 +1030,9 @@ PKG_CONFIG_LIBDIR SQLITE3_CFLAGS SQLITE3_LIBS LIBGNUTLS_CFLAGS @@ -42,7 +42,7 @@ index 59f027d..f53c99d 100755 # Initialize some variables set by options. -@@ -1771,6 +1773,9 @@ Some influential environment variables: +@@ -1805,6 +1807,9 @@ Some influential environment variables: C compiler flags for LIBGNUTLS, overriding pkg-config LIBGNUTLS_LIBS linker flags for LIBGNUTLS, overriding pkg-config @@ -52,15 +52,16 @@ index 59f027d..f53c99d 100755 Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. -@@ -15465,64 +15470,77 @@ else +@@ -16616,67 +16621,77 @@ else $as_nop fi elif test "$with_tss" = intel; then -- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing Esys_Initialize" >&5 --$as_echo_n "checking for library containing Esys_Initialize... " >&6; } --if ${ac_cv_search_Esys_Initialize+:} false; then : -- $as_echo_n "(cached) " >&6 --else +- { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for library containing Esys_Initialize" >&5 +-printf %s "checking for library containing Esys_Initialize... " >&6; } +-if test ${ac_cv_search_Esys_Initialize+y} +-then : +- printf %s "(cached) " >&6 +-else $as_nop - ac_func_search_save_LIBS=$LIBS -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ 
@@ -68,52 +69,54 @@ index 59f027d..f53c99d 100755 -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ --#ifdef __cplusplus --extern "C" --#endif -char Esys_Initialize (); -int --main () +-main (void) -{ -return Esys_Initialize (); - ; - return 0; -} -_ACEOF --for ac_lib in '' tss2-esys; do +-for ac_lib in '' tss2-esys +-do - if test -z "$ac_lib"; then - ac_res="none required" - else - ac_res=-l$ac_lib - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - fi -- if ac_fn_c_try_link "$LINENO"; then : +- if ac_fn_c_try_link "$LINENO" +-then : - ac_cv_search_Esys_Initialize=$ac_res -fi --rm -f core conftest.err conftest.$ac_objext \ +-rm -f core conftest.err conftest.$ac_objext conftest.beam \ - conftest$ac_exeext -- if ${ac_cv_search_Esys_Initialize+:} false; then : +- if test ${ac_cv_search_Esys_Initialize+y} +-then : - break -fi -done --if ${ac_cv_search_Esys_Initialize+:} false; then : +-if test ${ac_cv_search_Esys_Initialize+y} +-then : +pkg_failed=no -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LIBTSS" >&5 -+$as_echo_n "checking for LIBTSS... " >&6; } ++{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for LIBTSS" >&5 ++printf %s "checking for LIBTSS... " >&6; } +-else $as_nop +- ac_cv_search_Esys_Initialize=no +if test -n "$LIBTSS_CFLAGS"; then + pkg_cv_LIBTSS_CFLAGS="$LIBTSS_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"tss2-esys tss2-mu tss2-rc tss2-tctildr\""; } >&5 ++ { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"tss2-esys tss2-mu tss2-rc tss2-tctildr\""; } >&5 + ($PKG_CONFIG --exists --print-errors "tss2-esys tss2-mu tss2-rc tss2-tctildr") 2>&5 + ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 ++ printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBTSS_CFLAGS=`$PKG_CONFIG --cflags "tss2-esys tss2-mu tss2-rc tss2-tctildr" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes - else -- ac_cv_search_Esys_Initialize=no ++else + pkg_failed=yes fi -rm conftest.$ac_ext @@ -121,25 +124,27 @@ index 59f027d..f53c99d 100755 + else + pkg_failed=untried fi --{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_Esys_Initialize" >&5 --$as_echo "$ac_cv_search_Esys_Initialize" >&6; } +-{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_Esys_Initialize" >&5 +-printf "%s\n" "$ac_cv_search_Esys_Initialize" >&6; } -ac_res=$ac_cv_search_Esys_Initialize --if test "$ac_res" != no; then : +-if test "$ac_res" != no +-then : - test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" - have_libtss=Intel +-else $as_nop +- as_fn_error $? "Intel TPM Software Stack requested but not found" "$LINENO" 5 +if test -n "$LIBTSS_LIBS"; then + pkg_cv_LIBTSS_LIBS="$LIBTSS_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"tss2-esys tss2-mu tss2-rc tss2-tctildr\""; } >&5 ++ { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"tss2-esys tss2-mu tss2-rc tss2-tctildr\""; } >&5 + ($PKG_CONFIG --exists --print-errors "tss2-esys tss2-mu tss2-rc tss2-tctildr") 2>&5 + ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBTSS_LIBS=`$PKG_CONFIG --libs "tss2-esys tss2-mu tss2-rc tss2-tctildr" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes - else -- as_fn_error $? "Intel TPM Software Stack requested but not found" "$LINENO" 5 ++else + pkg_failed=yes +fi + else 
@@ -149,8 +154,8 @@ index 59f027d..f53c99d 100755 + + +if test $pkg_failed = yes; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } ++ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++printf "%s\n" "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes @@ -167,29 +172,29 @@ index 59f027d..f53c99d 100755 + + as_fn_error $? "Intel TPM Software Stack requested but not found" "$LINENO" 5 +elif test $pkg_failed = untried; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } ++ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++printf "%s\n" "no" >&6; } + as_fn_error $? "Intel TPM Software Stack requested but not found" "$LINENO" 5 +else + LIBTSS_CFLAGS=$pkg_cv_LIBTSS_CFLAGS + LIBTSS_LIBS=$pkg_cv_LIBTSS_LIBS -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -+$as_echo "yes" >&6; } ++ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++printf "%s\n" "yes" >&6; } + have_libtss=Intel +fi else as_fn_error $? "Invalid TPM Software Stack requested: $with_tss" "$LINENO" 5 fi -@@ -15616,7 +15634,6 @@ $as_echo "$as_me: WARNING: Need Esys_TR_GetTpmHandle API (usually requires Intel +@@ -16768,7 +16783,6 @@ printf "%s\n" "$as_me: WARNING: Need Esys_TR_GetTpmHandle API (usually requires fi - LIBTSS_LIBS="$LIBS -ltss2-mu -ltss2-rc -ltss2-tctildr" - $as_echo "#define HAVE_INTEL_TSS 1" >>confdefs.h + printf "%s\n" "#define HAVE_INTEL_TSS 1" >>confdefs.h diff --git a/configure.ac b/configure.ac -index dc44465..92880e6 100644 +index 94bc80583..e88d0f650 100644 --- a/configure.ac +++ b/configure.ac @@ -1574,8 +1574,8 @@ if test "$build_tpm2d" = "yes"; then @@ -212,5 +217,5 @@ index dc44465..92880e6 100644 fi LIBS="$_save_libs" -- -2.47.2 +2.51.0 diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix index 11df88a69a88c..0af514d4c3973 100644 --- a/pkgs/top-level/perl-packages.nix 
+++ b/pkgs/top-level/perl-packages.nix @@ -7453,10 +7453,10 @@ with self; CryptURandom = buildPerlPackage { pname = "Crypt-URandom"; - version = "0.54"; + version = "0.55"; src = fetchurl { - url = "mirror://cpan/authors/id/D/DD/DDICK/Crypt-URandom-0.54.tar.gz"; - hash = "sha256-SnPNOUkzMo2khKrrhkXXNbNUZd9gEJ5VngoosGYFOlc="; + url = "mirror://cpan/authors/id/D/DD/DDICK/Crypt-URandom-0.55.tar.gz"; + hash = "sha256-759EFBBzwTVz6FsUj/mpCJxFglt9ZgjYMuQmOJnTotQ="; }; meta = { description = "Provide non blocking randomness";