diff options
| author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2024-04-09 00:13:57 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-04-09 00:13:57 +0000 |
| commit | 12054e47f10f57dc3615b06b2bfcbf49344a3570 (patch) | |
| tree | 499c7dcf87e89b3bc03a84048c25ae7ac01844fb | |
| parent | 41c6cc963fb1269a95e3c0a16ba935b3b9f44ca3 (diff) | |
| parent | d7329da4b1cd24f4383455071346f4f81b7becba (diff) | |
Merge release-23.11 into staging-next-23.11
30 files changed, 811 insertions, 135 deletions
diff --git a/.github/workflows/check-cherry-picks.yml b/.github/workflows/check-cherry-picks.yml new file mode 100644 index 0000000000000..9e7f6e277e993 --- /dev/null +++ b/.github/workflows/check-cherry-picks.yml @@ -0,0 +1,24 @@ +name: "Check cherry-picks" +on: + pull_request_target: + branches: + - 'release-*' + - 'staging-*' + +permissions: {} + +jobs: + check: + runs-on: ubuntu-latest + if: github.repository_owner == 'NixOS' + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + filter: blob:none + - name: Check cherry-picks + env: + BASE_SHA: ${{ github.event.pull_request.base.sha }} + HEAD_SHA: ${{ github.event.pull_request.head.sha }} + run: | + ./maintainers/scripts/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA" diff --git a/maintainers/scripts/check-cherry-picks.sh b/maintainers/scripts/check-cherry-picks.sh new file mode 100755 index 0000000000000..082c33fe088a0 --- /dev/null +++ b/maintainers/scripts/check-cherry-picks.sh @@ -0,0 +1,92 @@ +#!/usr/bin/env bash +# Find alleged cherry-picks + +set -e + +if [ $# != "2" ] ; then + echo "usage: check-cherry-picks.sh base_rev head_rev" + exit 2 +fi + +PICKABLE_BRANCHES=${PICKABLE_BRANCHES:-master staging release-??.?? staging-??.??} +problem=0 + +while read new_commit_sha ; do + if [ "$GITHUB_ACTIONS" = 'true' ] ; then + echo "::group::Commit $new_commit_sha" + else + echo "=================================================" + fi + git rev-list --max-count=1 --format=medium "$new_commit_sha" + echo "-------------------------------------------------" + + original_commit_sha=$( + git rev-list --max-count=1 --format=format:%B "$new_commit_sha" \ + | grep -Ei -m1 "cherry.*[0-9a-f]{40}" \ + | grep -Eoi -m1 '[0-9a-f]{40}' + ) + if [ "$?" != "0" ] ; then + echo " ? Couldn't locate original commit hash in message" + [ "$GITHUB_ACTIONS" = 'true' ] && echo ::endgroup:: + continue + fi + + set -f # prevent pathname expansion of patterns + for branch_pattern in $PICKABLE_BRANCHES ; do + set +f # re-enable pathname expansion + + while read -r picked_branch ; do + if git merge-base --is-ancestor "$original_commit_sha" "$picked_branch" ; then + echo " ✔ $original_commit_sha present in branch $picked_branch" + + range_diff_common='git range-diff + --no-notes + --creation-factor=100 + '"$original_commit_sha~..$original_commit_sha"' + '"$new_commit_sha~..$new_commit_sha"' + ' + + if $range_diff_common --no-color | grep -E '^ {4}[+-]{2}' > /dev/null ; then + if [ "$GITHUB_ACTIONS" = 'true' ] ; then + echo ::endgroup:: + echo -n "::warning ::" + else + echo -n " ⚠ " + fi + echo "Difference between $new_commit_sha and original $original_commit_sha may warrant inspection:" + + $range_diff_common --color + + problem=1 + else + echo " ✔ $original_commit_sha highly similar to $new_commit_sha" + $range_diff_common --color + [ "$GITHUB_ACTIONS" = 'true' ] && echo ::endgroup:: + fi + + # move on to next commit + continue 3 + fi + done <<< "$( + git for-each-ref \ + --format="%(refname)" \ + "refs/remotes/origin/$branch_pattern" + )" + done + + if [ "$GITHUB_ACTIONS" = 'true' ] ; then + echo ::endgroup:: + echo -n "::error ::" + else + echo -n " ✘ " + fi + echo "$original_commit_sha not found in any pickable branch" + + problem=1 +done <<< "$( + git rev-list \ + -E -i --grep="cherry.*[0-9a-f]{40}" --reverse \ + "$1..$2" +)" + +exit $problem diff --git a/nixos/modules/services/misc/ollama.nix b/nixos/modules/services/misc/ollama.nix index 3ac3beb4de078..30c2b26d8322e 100644 --- a/nixos/modules/services/misc/ollama.nix +++ b/nixos/modules/services/misc/ollama.nix @@ -13,48 +13,76 @@ in { options = { services.ollama = { - enable = lib.mkEnableOption ( - lib.mdDoc "Server for local large language models" - ); + enable = lib.mkEnableOption "ollama server for local large language models"; + package = lib.mkPackageOption pkgs "ollama" { }; + home = lib.mkOption { + type = types.str; + default = "%S/ollama"; + example = "/home/foo"; + description = '' + The home directory that the ollama service is started in. + ''; + }; + models = lib.mkOption { + type = types.str; + default = "%S/ollama/models"; + example = "/path/to/ollama/models"; + description = '' + The directory that the ollama service will read models from and download new models to. + ''; + }; listenAddress = lib.mkOption { type = types.str; default = "127.0.0.1:11434"; - description = lib.mdDoc '' - Specifies the bind address on which the ollama server HTTP interface listens. + example = "0.0.0.0:11111"; + description = '' + The address which the ollama server HTTP interface binds and listens to. ''; }; acceleration = lib.mkOption { type = types.nullOr (types.enum [ "rocm" "cuda" ]); default = null; example = "rocm"; - description = lib.mdDoc '' - Specifies the interface to use for hardware acceleration. + description = '' + What interface to use for hardware acceleration. - `rocm`: supported by modern AMD GPUs - `cuda`: supported by modern NVIDIA GPUs ''; }; - package = lib.mkPackageOption pkgs "ollama" { }; + environmentVariables = lib.mkOption { + type = types.attrsOf types.str; + default = { }; + example = { + HOME = "/tmp"; + OLLAMA_LLM_LIBRARY = "cpu"; + }; + description = '' + Set arbitrary environment variables for the ollama service. + + Be aware that these are only seen by the ollama server (systemd service), + not normal invocations like `ollama run`. + Since `ollama run` is mostly a shell around the ollama server, this is usually sufficient. + ''; + }; }; }; config = lib.mkIf cfg.enable { - systemd = { - services.ollama = { - wantedBy = [ "multi-user.target" ]; - description = "Server for local large language models"; - after = [ "network.target" ]; - environment = { - HOME = "%S/ollama"; - OLLAMA_MODELS = "%S/ollama/models"; - OLLAMA_HOST = cfg.listenAddress; - }; - serviceConfig = { - ExecStart = "${lib.getExe ollamaPackage} serve"; - WorkingDirectory = "/var/lib/ollama"; - StateDirectory = [ "ollama" ]; - DynamicUser = true; - }; + systemd.services.ollama = { + description = "Server for local large language models"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + environment = cfg.environmentVariables // { + HOME = cfg.home; + OLLAMA_MODELS = cfg.models; + OLLAMA_HOST = cfg.listenAddress; + }; + serviceConfig = { + ExecStart = "${lib.getExe ollamaPackage} serve"; + WorkingDirectory = "%S/ollama"; + StateDirectory = [ "ollama" ]; + DynamicUser = true; }; }; diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index 72bc79f31b68a..a9aaf84877117 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -340,24 +340,12 @@ in removeLinuxDRM = lib.mkOption { type = types.bool; default = false; - description = lib.mdDoc '' - Linux 6.2 dropped some kernel symbols required on aarch64 required by zfs. - Enabling this option will bring them back to allow this kernel version. - Note that in some jurisdictions this may be illegal as it might be considered - removing copyright protection from the code. - See https://www.ifross.org/?q=en/artikel/ongoing-dispute-over-value-exportsymbolgpl-function for further information. - - If configure your kernel package with `zfs.latestCompatibleLinuxPackages`, you will need to also pass removeLinuxDRM to that package like this: + description = '' + Patch the kernel to change symbols needed by ZFS from + EXPORT_SYMBOL_GPL to EXPORT_SYMBOL. - ``` - { pkgs, ... }: { - boot.kernelPackages = (pkgs.zfs.override { - removeLinuxDRM = pkgs.hostPlatform.isAarch64; - }).latestCompatibleLinuxPackages; - - boot.zfs.removeLinuxDRM = true; - } - ``` + Currently has no effect, but may again in future if a kernel + update breaks ZFS due to symbols being newly changed to GPL. ''; }; }; @@ -583,7 +571,7 @@ in kernelParams = lib.optionals (!config.boot.zfs.allowHibernation) [ "nohibernate" ]; extraModulePackages = [ - (cfgZfs.modulePackage.override { inherit (cfgZfs) removeLinuxDRM; }) + cfgZfs.modulePackage ]; }; @@ -710,21 +698,6 @@ in services.udev.packages = [ cfgZfs.package ]; # to hook zvol naming, etc. systemd.packages = [ cfgZfs.package ]; - # Export kernel_neon_* symbols again. - # This change is necessary until ZFS figures out a solution - # with upstream or in their build system to fill the gap for - # this symbol. - # In the meantime, we restore what was once a working piece of code - # in the kernel. - boot.kernelPatches = lib.optional (cfgZfs.removeLinuxDRM && pkgs.stdenv.hostPlatform.system == "aarch64-linux") { - name = "export-neon-symbols-as-gpl"; - patch = pkgs.fetchpatch { - url = "https://github.com/torvalds/linux/commit/aaeca98456431a8d9382ecf48ac4843e252c07b3.patch"; - hash = "sha256-L2g4G1tlWPIi/QRckMuHDcdWBcKpObSWSRTvbHRIwIk="; - revert = true; - }; - }; - systemd.services = let createImportService' = pool: createImportService { inherit pool; diff --git a/pkgs/applications/networking/browsers/opera/default.nix b/pkgs/applications/networking/browsers/opera/default.nix index e890b35bc635d..3387f66920aa1 100644 --- a/pkgs/applications/networking/browsers/opera/default.nix +++ b/pkgs/applications/networking/browsers/opera/default.nix @@ -51,11 +51,11 @@ let in stdenv.mkDerivation rec { pname = "opera"; - version = "107.0.5045.36"; + version = "108.0.5067.29"; src = fetchurl { url = "${mirror}/${version}/linux/${pname}-stable_${version}_amd64.deb"; - hash = "sha256-NSJmPwDZbmZUv7HoTiZJbvJTAS6HENFWX+JjKVC0oPc="; + hash = "sha256-lPazFtTWb/AbK/5H5MQK+dn0imJqUHiL6/KRq1CNxfo="; }; unpackPhase = "dpkg-deb -x $src ."; diff --git a/pkgs/applications/networking/instant-messengers/telegram/telegram-desktop/default.nix b/pkgs/applications/networking/instant-messengers/telegram/telegram-desktop/default.nix index 4e598b5edd158..b5984367c224b 100644 --- a/pkgs/applications/networking/instant-messengers/telegram/telegram-desktop/default.nix +++ b/pkgs/applications/networking/instant-messengers/telegram/telegram-desktop/default.nix @@ -63,14 +63,14 @@ let in stdenv.mkDerivation rec { pname = "telegram-desktop"; - version = "4.16.1"; + version = "4.16.4"; src = fetchFromGitHub { owner = "telegramdesktop"; repo = "tdesktop"; rev = "v${version}"; fetchSubmodules = true; - hash = "sha256-sb7BpEIjSJS4ntv8s0RSJAj4BhTgHF7fEei5QXl60mA="; + hash = "sha256-WBLDsUUEbyn6/NqdbfaUKhoH0T/c9k6lKCy23WPRuqk="; }; patches = [ diff --git a/pkgs/by-name/re/renode/package.nix b/pkgs/by-name/re/renode/package.nix index ab0df9f5c3e10..0a514587f8384 100644 --- a/pkgs/by-name/re/renode/package.nix +++ b/pkgs/by-name/re/renode/package.nix @@ -1,5 +1,6 @@ { stdenv , lib +, fetchFromGitHub , fetchurl , autoPatchelfHook , makeWrapper @@ -17,7 +18,15 @@ let psutil pyyaml requests - robotframework + + (robotframework.overrideDerivation (oldAttrs: { + src = fetchFromGitHub { + owner = "robotframework"; + repo = "robotframework"; + rev = "v6.0.2"; + hash = "sha256-c7pPcDgqyqWQtiMbLQbQd0nAgx4TIFUFHrlBVDNdr8M="; + }; + })) ]; in stdenv.mkDerivation (finalAttrs: { diff --git a/pkgs/development/tools/metal-cli/default.nix b/pkgs/development/tools/metal-cli/default.nix index d41bf1360481a..e11a580ffb264 100644 --- a/pkgs/development/tools/metal-cli/default.nix +++ b/pkgs/development/tools/metal-cli/default.nix @@ -6,16 +6,16 @@ buildGoModule rec { pname = "metal-cli"; - version = "0.17.0"; + version = "0.22.0"; src = fetchFromGitHub { owner = "equinix"; repo = pname; rev = "v${version}"; - hash = "sha256-66RbqwAeBA0HKT+1CD5+O5W40NrU7jlzLOG45Lpn+J0="; + hash = "sha256-jnBD1MYQ3Tq/YzPEpCu5sifEUAI0cw59/NCbDLisEDo="; }; - vendorHash = "sha256-ls6CO5fwmD4JkxuoToeY4PyfPs65ACDrZhmbY0zNgT4="; + vendorHash = "sha256-dIZyBhoY6GkkMY4NQrDjVxKaOOPIdxGGRBFlTkyeFdo="; ldflags = [ "-s" diff --git a/pkgs/development/tools/rust/cargo-audit/default.nix b/pkgs/development/tools/rust/cargo-audit/default.nix index 0ef6f59b89c8d..a1268e9fb3183 100644 --- a/pkgs/development/tools/rust/cargo-audit/default.nix +++ b/pkgs/development/tools/rust/cargo-audit/default.nix @@ -2,34 +2,36 @@ , rustPlatform , fetchCrate , pkg-config -, libgit2_1_5 +, libgit2 , openssl , zlib , stdenv , Security +, SystemConfiguration }: rustPlatform.buildRustPackage rec { pname = "cargo-audit"; - version = "0.18.3"; + version = "0.20.0"; src = fetchCrate { inherit pname version; - hash = "sha256-8KLH6aPZhHtxC4hbMaebv1JiVkZH8p5QqnUXkJrmr4w="; + hash = "sha256-hzy+AVWGWzWYupllrLSryoi4rXPM0+G6WBlRbf03xA8="; }; - cargoHash = "sha256-8MOZvhREm4ch2flstx7J25j8mvwV3uGez5f1xkZ+S7I="; + cargoHash = "sha256-OOkJGdqEHNVbgZZIjQupGaSs4tB52b7kPGLKELUocn4="; nativeBuildInputs = [ pkg-config ]; buildInputs = [ - libgit2_1_5 + libgit2 openssl zlib ] ++ lib.optionals stdenv.isDarwin [ Security + SystemConfiguration ]; buildFeatures = [ "fix" ]; diff --git a/pkgs/development/tools/rust/cargo-c/default.nix b/pkgs/development/tools/rust/cargo-c/default.nix index 7ea4f6067becd..3356eee034bc5 100644 --- a/pkgs/development/tools/rust/cargo-c/default.nix +++ b/pkgs/development/tools/rust/cargo-c/default.nix @@ -13,16 +13,16 @@ rustPlatform.buildRustPackage rec { pname = "cargo-c"; - version = "0.9.24"; + version = "0.9.29"; src = fetchCrate { inherit pname; # this version may need to be updated along with package version - version = "${version}+cargo-0.73.0"; - hash = "sha256-eNaK+SRrHz/DXkCcJP040R6bdhyFmjxkwHbXVFlHub8="; + version = "${version}+cargo-0.76.0"; + hash = "sha256-Uy5Bm8WwN3jQO2btnV/ayxTlIJAe5q2FUvhxCCrn9U8="; }; - cargoHash = "sha256-Us50BbdNSJAx7JTKkvA4tjbGNueCJsAwGEelc1sP5pc="; + cargoHash = "sha256-fkekUCZReiexdtiQcWx+Hqz4XDDbRGa4fGheBCNZ3Qw="; nativeBuildInputs = [ pkg-config (lib.getDev curl) ]; buildInputs = [ openssl curl ] ++ lib.optionals stdenv.isDarwin [ diff --git a/pkgs/development/tools/rust/cargo-codspeed/default.nix b/pkgs/development/tools/rust/cargo-codspeed/default.nix index 849aa5a8ca595..23880c2480fc0 100644 --- a/pkgs/development/tools/rust/cargo-codspeed/default.nix +++ b/pkgs/development/tools/rust/cargo-codspeed/default.nix @@ -3,7 +3,7 @@ , fetchFromGitHub , curl , pkg-config -, libgit2_1_5 +, libgit2 , openssl , zlib , stdenv @@ -12,16 +12,16 @@ rustPlatform.buildRustPackage rec { pname = "cargo-codspeed"; - version = "2.3.3"; + version = "2.4.0"; src = fetchFromGitHub { owner = "CodSpeedHQ"; repo = "codspeed-rust"; rev = "v${version}"; - hash = "sha256-8wbJFvAXicchxI8FTthCiuYCZ2WA4nMUJTUD4WKG5FI="; + hash = "sha256-pi02Bn5m4JoTtCIZvxkiUVKkjmtCShKqZw+AyhaVdyY="; }; - cargoHash = "sha256-HkFROhjx4bh9QMUlCT1xj3s7aUQxn0ef3FCXoEsYCnY="; + cargoHash = "sha256-5Ps31Hdis+N/MT/o0IDHSJgHBM3F/ve50ovfFSviMtA="; nativeBuildInputs = [ curl @@ -30,7 +30,7 @@ rustPlatform.buildRustPackage rec { buildInputs = [ curl - libgit2_1_5 + libgit2 openssl zlib ] ++ lib.optionals stdenv.isDarwin [ @@ -40,6 +40,10 @@ rustPlatform.buildRustPackage rec { cargoBuildFlags = [ "-p=cargo-codspeed" ]; cargoTestFlags = cargoBuildFlags; + env = { + LIBGIT2_NO_VENDOR = 1; + }; + meta = with lib; { description = "Cargo extension to build & run your codspeed benchmarks"; homepage = "https://github.com/CodSpeedHQ/codspeed-rust"; diff --git a/pkgs/development/tools/rust/cargo-cyclonedx/default.nix b/pkgs/development/tools/rust/cargo-cyclonedx/default.nix index c8769abc8a68f..c4290a6e9cfa3 100644 --- a/pkgs/development/tools/rust/cargo-cyclonedx/default.nix +++ b/pkgs/development/tools/rust/cargo-cyclonedx/default.nix @@ -12,16 +12,16 @@ rustPlatform.buildRustPackage rec { pname = "cargo-cyclonedx"; - version = "0.3.8"; + version = "0.5.0"; src = fetchFromGitHub { owner = "CycloneDX"; repo = "cyclonedx-rust-cargo"; rev = "${pname}-${version}"; - hash = "sha256-6XW8aCXepbVnTubbM4sfRIC87uYSCEbuj+jJcPayEEU="; + hash = "sha256-791FZR9dmwVjORrkpm8el+2VMEEKJG+yKKqq+R1I9U4="; }; - cargoHash = "sha256-BG/vfa5L6Iibfon3A5TP8/K8jbJsWqc+axdvIXc7GmM="; + cargoHash = "sha256-Cbi1cnUy6HKkgBXVjK0xItx2pzuYVob/Qz4o8eT6Fws="; nativeBuildInputs = [ pkg-config diff --git a/pkgs/development/tools/rust/cargo-generate/default.nix b/pkgs/development/tools/rust/cargo-generate/default.nix index 869a0c8bbbc3d..299bcd7ffad7f 100644 --- a/pkgs/development/tools/rust/cargo-generate/default.nix +++ b/pkgs/development/tools/rust/cargo-generate/default.nix @@ -2,7 +2,7 @@ , rustPlatform , fetchFromGitHub , pkg-config -, libgit2_1_6 +, libgit2 , openssl , stdenv , darwin @@ -24,7 +24,7 @@ rustPlatform.buildRustPackage rec { nativeBuildInputs = [ pkg-config ]; - buildInputs = [ libgit2_1_6 openssl ] ++ lib.optionals stdenv.isDarwin [ + buildInputs = [ libgit2 openssl ] ++ lib.optionals stdenv.isDarwin [ darwin.apple_sdk.frameworks.Security ]; @@ -48,8 +48,12 @@ rustPlatform.buildRustPackage rec { "--skip=git::utils::should_canonicalize" ]; + env = { + LIBGIT2_NO_VENDOR = 1; + }; + meta = with lib; { - description = "A tool to generaet a new Rust project by leveraging a pre-existing git repository as a template"; + description = "A tool to generate a new Rust project by leveraging a pre-existing git repository as a template"; homepage = "https://github.com/cargo-generate/cargo-generate"; changelog = "https://github.com/cargo-generate/cargo-generate/blob/v${version}/CHANGELOG.md"; license = with licenses; [ asl20 /* or */ mit ]; diff --git a/pkgs/development/tools/rust/cargo-llvm-cov/default.nix b/pkgs/development/tools/rust/cargo-llvm-cov/default.nix index 34f524d5d1029..3ec655e1033d7 100644 --- a/pkgs/development/tools/rust/cargo-llvm-cov/default.nix +++ b/pkgs/development/tools/rust/cargo-llvm-cov/default.nix @@ -26,7 +26,7 @@ let pname = "cargo-llvm-cov"; - version = "0.6.6"; + version = "0.6.9"; owner = "taiki-e"; homepage = "https://github.com/${owner}/${pname}"; @@ -37,7 +37,7 @@ let cargoLock = fetchurl { name = "Cargo.lock"; url = "https://crates.io/api/v1/crates/${pname}/${version}/download"; - sha256 = "sha256-kY0Nb7bwF3o6DKQemZSwoZ55vw57jFGftNTpyprFxM0="; + sha256 = "sha256-r4C7z2/z4OVEf+IhFe061E7FzSx0VzADmg56Lb+DO/g="; downloadToTemp = true; postFetch = '' tar xzf $downloadedFile ${pname}-${version}/Cargo.lock @@ -55,7 +55,7 @@ rustPlatform.buildRustPackage { inherit owner; repo = pname; rev = "v${version}"; - sha256 = "sha256-lcB/GWEIg5Y+VUSWphNwzmTuFROfMaTm17HyokoKzrI="; + sha256 = "sha256-mNpZj8c+IHcW0StFzRPt7wcysADh01eLFcIK6fX/2KQ="; leaveDotGit = true; }; @@ -64,7 +64,7 @@ rustPlatform.buildRustPackage { cp ${cargoLock} source/Cargo.lock ''; - cargoSha256 = "sha256-DjWKjq5Vf4wOu6sDPT2yrGB00g80Z59oEpIUvIObjsQ="; + cargoSha256 = "sha256-pfNb5P3IG1fQdhiQE3FGW8s4Rt2YyLxTejuzs3nqZUU="; # `cargo-llvm-cov` reads these environment variables to find these binaries, # which are needed to run the tests diff --git a/pkgs/development/tools/rust/cargo-nextest/default.nix b/pkgs/development/tools/rust/cargo-nextest/default.nix index a9418f51c5fec..2826a3a7af06f 100644 --- a/pkgs/development/tools/rust/cargo-nextest/default.nix +++ b/pkgs/development/tools/rust/cargo-nextest/default.nix @@ -2,16 +2,16 @@ rustPlatform.buildRustPackage rec { pname = "cargo-nextest"; - version = "0.9.67"; + version = "0.9.68"; src = fetchFromGitHub { owner = "nextest-rs"; repo = "nextest"; rev = "cargo-nextest-${version}"; - hash = "sha256-M2WkgECTAKux+sq+1rYt2rg/LP4ctMMprY3MsBO5cn4="; + hash = "sha256-LC+0s38ufmMrhNaKSn13jka/M7PG1+gJnqZCXJ7ef6I="; }; - cargoHash = "sha256-hJAsmT8T3YGSWjishSQeVMFty6HmdNewRR9nr66fRN0="; + cargoHash = "sha256-E/bsVbSdFr1LMrIewsh15Vuk4Dt5UwETLCIhE7TT3kA="; buildInputs = lib.optionals stdenv.isDarwin [ darwin.apple_sdk.frameworks.SystemConfiguration diff --git a/pkgs/development/tools/rust/cargo-show-asm/default.nix b/pkgs/development/tools/rust/cargo-show-asm/default.nix index 139ea6c7f0682..1e313595358f9 100644 --- a/pkgs/development/tools/rust/cargo-show-asm/default.nix +++ b/pkgs/development/tools/rust/cargo-show-asm/default.nix @@ -9,14 +9,14 @@ rustPlatform.buildRustPackage rec { pname = "cargo-show-asm"; - version = "0.2.29"; + version = "0.2.31"; src = fetchCrate { inherit pname version; - hash = "sha256-9Q+BnzgoD95eKkMZrQF6+khbx5wqnER83PK3vbRrRv8="; + hash = "sha256-TjkEzqGFqhVKMmZEcwAoDnHOZWi7+wha228loJjLxgQ="; }; - cargoHash = "sha256-cyFAilqpaO6TDtJUmweUHYEpWxUAhHDYgCUGSz5EBFU="; + cargoHash = "sha256-oUfBpx/hElXMw58Dj09JeG2FKy+biFt+4pb4pYNidxc="; nativeBuildInputs = [ installShellFiles diff --git a/pkgs/development/tools/rust/cargo-tauri/default.nix b/pkgs/development/tools/rust/cargo-tauri/default.nix index 6ade17d202739..870285879d765 100644 --- a/pkgs/development/tools/rust/cargo-tauri/default.nix +++ b/pkgs/development/tools/rust/cargo-tauri/default.nix @@ -13,27 +13,27 @@ }: let - inherit (darwin.apple_sdk.frameworks) CoreServices Security; + inherit (darwin.apple_sdk.frameworks) CoreServices Security SystemConfiguration; in rustPlatform.buildRustPackage rec { pname = "tauri"; - version = "1.5.2"; + version = "1.6.1"; src = fetchFromGitHub { owner = "tauri-apps"; repo = pname; rev = "tauri-v${version}"; - hash = "sha256-HdA7c64ru21DvjhIswRW6r+EH3uYj4ipWzBcfVcc644="; + hash = "sha256-P0/c9GTQRdErwE3/uuZpMqiTl/nFGSaHoWGRtBDjc8M="; }; # Manually specify the sourceRoot since this crate depends on other crates in the workspace. Relevant info at # https://discourse.nixos.org/t/difficulty-using-buildrustpackage-with-a-src-containing-multiple-cargo-workspaces/10202 sourceRoot = "${src.name}/tooling/cli"; - cargoHash = "sha256-hmig/QKzdt/rIl4gggTygwZ6rEmekw0OlppN6pXvvmw="; + cargoHash = "sha256-+uRjitfaSbjsO1yO5NL3gw+qjx4neiht3BDvWltogX0="; buildInputs = [ openssl ] ++ lib.optionals stdenv.isLinux [ glibc libsoup cairo gtk3 webkitgtk ] - ++ lib.optionals stdenv.isDarwin [ CoreServices Security ]; + ++ lib.optionals stdenv.isDarwin [ CoreServices Security SystemConfiguration ]; nativeBuildInputs = [ pkg-config ]; meta = with lib; { diff --git a/pkgs/development/tools/rust/cargo-whatfeatures/default.nix b/pkgs/development/tools/rust/cargo-whatfeatures/default.nix index b2a5993343ef3..32189e0e03cb4 100644 --- a/pkgs/development/tools/rust/cargo-whatfeatures/default.nix +++ b/pkgs/development/tools/rust/cargo-whatfeatures/default.nix @@ -2,16 +2,16 @@ rustPlatform.buildRustPackage rec { pname = "cargo-whatfeatures"; - version = "0.9.9"; + version = "0.9.10"; src = fetchFromGitHub { owner = "museun"; repo = pname; rev = "v${version}"; - sha256 = "sha256-YENzXU7sud3gsh32zh1EwGEgfvnIIa4FzHMwGKuI3JA="; + sha256 = "sha256-80VbQyOg6jvX98QRcCVN/wwhAm4bO/UfHEIv4gP8IlA="; }; - cargoSha256 = "sha256-mUBqygJBisZl3wJh/pXVLLq7P6EWz0Pd2j+iu2pz7Os="; + cargoHash = "sha256-mp9KUJuwSwRuxQAEilYwNZwqe3ipN4JzsaO5Pi3V9xg="; nativeBuildInputs = [ pkg-config ]; diff --git a/pkgs/development/tools/rust/cargo-zigbuild/default.nix b/pkgs/development/tools/rust/cargo-zigbuild/default.nix index 3741be37772d3..adc845c67ea70 100644 --- a/pkgs/development/tools/rust/cargo-zigbuild/default.nix +++ b/pkgs/development/tools/rust/cargo-zigbuild/default.nix @@ -2,16 +2,16 @@ rustPlatform.buildRustPackage rec { pname = "cargo-zigbuild"; - version = "0.17.5"; + version = "0.18.3"; src = fetchFromGitHub { owner = "messense"; repo = pname; rev = "v${version}"; - hash = "sha256-x0TPbqwoCaXUlrjYQ47+x5KohsiK5yCrI2Q8yA2K8Zs="; + hash = "sha256-wL6Rmw5hJI8cJDw2WO9CDOyeOuZv6QoFxrn81JrYBR4="; }; - cargoHash = "sha256-FK6tTAbhP1f4VasG9HCahbMTDrJ9A6zXt/T6cs3HOZE="; + cargoHash = "sha256-uCZYDh4+Pri77DzqZj12cav7o8eDY2+fgwIwVBdcbHg="; nativeBuildInputs = [ makeWrapper ]; diff --git a/pkgs/os-specific/linux/zfs/2_1.nix b/pkgs/os-specific/linux/zfs/2_1.nix index 7da642c5278b1..97173a5154a59 100644 --- a/pkgs/os-specific/linux/zfs/2_1.nix +++ b/pkgs/os-specific/linux/zfs/2_1.nix @@ -2,7 +2,6 @@ , kernel ? null , stdenv , linuxKernel -, removeLinuxDRM ? false , lib , nixosTests , ... @@ -16,18 +15,15 @@ callPackage ./generic.nix args { # this attribute is the correct one for this package. kernelModuleAttribute = "zfs_2_1"; # check the release notes for compatible kernels - kernelCompatible = - if stdenv'.isx86_64 || removeLinuxDRM - then kernel.kernelOlder "6.6" - else kernel.kernelOlder "6.2"; + kernelCompatible = kernel.kernelOlder "6.8"; latestCompatibleLinuxPackages = linuxKernel.packages.linux_6_6; # This is a fixed version to the 2.1.x series, move only # if the 2.1.x series moves. - version = "2.1.14"; + version = "2.1.15"; - hash = "sha256-RVAoZbV9yclGuN+D37SB6UCRFbbLEpBoyrQOQCVsQwE="; + hash = "sha256-zFO8fMbirEOrn5W57rAN7IWY6EIXG8jDXqhP7BWJyiY="; tests = [ nixosTests.zfs.series_2_1 diff --git a/pkgs/os-specific/linux/zfs/stable.nix b/pkgs/os-specific/linux/zfs/stable.nix index 8acc66d74636a..5b5084511a51a 100644 --- a/pkgs/os-specific/linux/zfs/stable.nix +++ b/pkgs/os-specific/linux/zfs/stable.nix @@ -2,7 +2,6 @@ , kernel ? null , stdenv , linuxKernel -, removeLinuxDRM ? false , nixosTests , ... } @ args: @@ -15,10 +14,7 @@ callPackage ./generic.nix args { # this attribute is the correct one for this package. kernelModuleAttribute = "zfs"; # check the release notes for compatible kernels - kernelCompatible = - if stdenv'.isx86_64 || removeLinuxDRM - then kernel.kernelOlder "6.8" - else kernel.kernelOlder "6.2"; + kernelCompatible = kernel.kernelOlder "6.8"; latestCompatibleLinuxPackages = linuxKernel.packages.linux_6_6; diff --git a/pkgs/os-specific/linux/zfs/unstable.nix b/pkgs/os-specific/linux/zfs/unstable.nix index 28b07b73fc795..a9ad7a218207e 100644 --- a/pkgs/os-specific/linux/zfs/unstable.nix +++ b/pkgs/os-specific/linux/zfs/unstable.nix @@ -2,7 +2,6 @@ , kernel ? null , stdenv , linuxKernel -, removeLinuxDRM ? false , nixosTests , ... } @ args: @@ -14,11 +13,9 @@ callPackage ./generic.nix args { # You have to ensure that in `pkgs/top-level/linux-kernels.nix` # this attribute is the correct one for this package. kernelModuleAttribute = "zfsUnstable"; + # check the release notes for compatible kernels - kernelCompatible = - if stdenv'.isx86_64 || removeLinuxDRM - then kernel.kernelOlder "6.7" - else kernel.kernelOlder "6.2"; + kernelCompatible = kernel.kernelOlder "6.9"; latestCompatibleLinuxPackages = linuxKernel.packages.linux_6_6; diff --git a/pkgs/servers/clickhouse/23.10-CVE-2024-22412.patch b/pkgs/servers/clickhouse/23.10-CVE-2024-22412.patch new file mode 100644 index 0000000000000..90881ffbeab00 --- /dev/null +++ b/pkgs/servers/clickhouse/23.10-CVE-2024-22412.patch @@ -0,0 +1,541 @@ +Based on upstream b176c0e08116dd53ecdb7ff3c5802e48595e420d (the patch for +23.12) except for one of src/Interpreters/executeQuery.cpp's hunks from +9bba341dde13327ca0c1e89f192b14d3299c787d (the patch for 23.8). All three +patches are extremely similar. + +diff --git a/src/Common/CacheBase.h b/src/Common/CacheBase.h +index 1cbfcc2165..a809136f45 100644 +--- a/src/Common/CacheBase.h ++++ b/src/Common/CacheBase.h +@@ -5,15 +5,15 @@ + #include <Common/LRUCachePolicy.h> + #include <Common/SLRUCachePolicy.h> + ++#include <base/UUID.h> ++#include <base/defines.h> ++ + #include <atomic> +-#include <cassert> +-#include <chrono> + #include <memory> + #include <mutex> ++#include <optional> + #include <unordered_map> + +-#include <base/defines.h> +- + + namespace DB + { +@@ -227,10 +227,10 @@ public: + cache_policy->setMaxSizeInBytes(max_size_in_bytes); + } + +- void setQuotaForUser(const String & user_name, size_t max_size_in_bytes, size_t max_entries) ++ void setQuotaForUser(const UUID & user_id, size_t max_size_in_bytes, size_t max_entries) + { + std::lock_guard lock(mutex); +- cache_policy->setQuotaForUser(user_name, max_size_in_bytes, max_entries); ++ cache_policy->setQuotaForUser(user_id, max_size_in_bytes, max_entries); + } + + virtual ~CacheBase() = default; +diff --git a/src/Common/ICachePolicy.h b/src/Common/ICachePolicy.h +index 189af4db19..8aa75d1d81 100644 +--- a/src/Common/ICachePolicy.h ++++ b/src/Common/ICachePolicy.h +@@ -2,10 +2,11 @@ + + #include <Common/Exception.h> + #include <Common/ICachePolicyUserQuota.h> ++#include <base/UUID.h> + + #include <functional> + #include <memory> +-#include <mutex> ++#include <optional> + + namespace DB + { +@@ -43,7 +44,7 @@ public: + + virtual void setMaxCount(size_t /*max_count*/) = 0; + virtual void setMaxSizeInBytes(size_t /*max_size_in_bytes*/) = 0; +- virtual void setQuotaForUser(const String & user_name, size_t max_size_in_bytes, size_t max_entries) { user_quotas->setQuotaForUser(user_name, max_size_in_bytes, max_entries); } ++ virtual void setQuotaForUser(const UUID & user_id, size_t max_size_in_bytes, size_t max_entries) { user_quotas->setQuotaForUser(user_id, max_size_in_bytes, max_entries); } + + /// HashFunction usually hashes the entire key and the found key will be equal the provided key. In such cases, use get(). It is also + /// possible to store other, non-hashed data in the key. In that case, the found key is potentially different from the provided key. +diff --git a/src/Common/ICachePolicyUserQuota.h b/src/Common/ICachePolicyUserQuota.h +index 717cb916f8..6fa4f7947c 100644 +--- a/src/Common/ICachePolicyUserQuota.h ++++ b/src/Common/ICachePolicyUserQuota.h +@@ -1,5 +1,6 @@ + #pragma once + ++#include <base/UUID.h> + #include <base/types.h> + + namespace DB +@@ -15,14 +16,14 @@ class ICachePolicyUserQuota + { + public: + /// Register or update the user's quota for the given resource. +- virtual void setQuotaForUser(const String & user_name, size_t max_size_in_bytes, size_t max_entries) = 0; ++ virtual void setQuotaForUser(const UUID & user_id, size_t max_size_in_bytes, size_t max_entries) = 0; + + /// Update the actual resource usage for the given user. +- virtual void increaseActual(const String & user_name, size_t entry_size_in_bytes) = 0; +- virtual void decreaseActual(const String & user_name, size_t entry_size_in_bytes) = 0; ++ virtual void increaseActual(const UUID & user_id, size_t entry_size_in_bytes) = 0; ++ virtual void decreaseActual(const UUID & user_id, size_t entry_size_in_bytes) = 0; + + /// Is the user allowed to write a new entry into the cache? +- virtual bool approveWrite(const String & user_name, size_t entry_size_in_bytes) const = 0; ++ virtual bool approveWrite(const UUID & user_id, size_t entry_size_in_bytes) const = 0; + + virtual ~ICachePolicyUserQuota() = default; + }; +@@ -33,10 +34,10 @@ using CachePolicyUserQuotaPtr = std::unique_ptr<ICachePolicyUserQuota>; + class NoCachePolicyUserQuota : public ICachePolicyUserQuota + { + public: +- void setQuotaForUser(const String & /*user_name*/, size_t /*max_size_in_bytes*/, size_t /*max_entries*/) override {} +- void increaseActual(const String & /*user_name*/, size_t /*entry_size_in_bytes*/) override {} +- void decreaseActual(const String & /*user_name*/, size_t /*entry_size_in_bytes*/) override {} +- bool approveWrite(const String & /*user_name*/, size_t /*entry_size_in_bytes*/) const override { return true; } ++ void setQuotaForUser(const UUID & /*user_id*/, size_t /*max_size_in_bytes*/, size_t /*max_entries*/) override {} ++ void increaseActual(const UUID & /*user_id*/, size_t /*entry_size_in_bytes*/) override {} ++ void decreaseActual(const UUID & /*user_id*/, size_t /*entry_size_in_bytes*/) override {} ++ bool approveWrite(const UUID & /*user_id*/, size_t /*entry_size_in_bytes*/) const override { return true; } + }; + + +diff --git a/src/Common/TTLCachePolicy.h b/src/Common/TTLCachePolicy.h +index 98708c653c..338cc54338 100644 +--- a/src/Common/TTLCachePolicy.h ++++ b/src/Common/TTLCachePolicy.h +@@ -1,6 +1,7 @@ + #pragma once + + #include <Common/ICachePolicy.h> ++#include <base/UUID.h> + + #include <limits> + #include <unordered_map> +@@ -11,37 +12,37 @@ namespace DB + class PerUserTTLCachePolicyUserQuota : public ICachePolicyUserQuota + { + public: +- void setQuotaForUser(const String & user_name, size_t max_size_in_bytes, size_t max_entries) override ++ void setQuotaForUser(const UUID & user_id, size_t max_size_in_bytes, size_t max_entries) override + { +- quotas[user_name] = {max_size_in_bytes, max_entries}; ++ quotas[user_id] = {max_size_in_bytes, max_entries}; + } + +- void increaseActual(const String & user_name, size_t entry_size_in_bytes) override ++ void increaseActual(const UUID & user_id, size_t entry_size_in_bytes) override + { +- auto & actual_for_user = actual[user_name]; ++ auto & actual_for_user = actual[user_id]; + actual_for_user.size_in_bytes += entry_size_in_bytes; + actual_for_user.num_items += 1; + } + +- void decreaseActual(const String & user_name, size_t entry_size_in_bytes) override ++ void decreaseActual(const UUID & user_id, size_t entry_size_in_bytes) override + { +- chassert(actual.contains(user_name)); ++ chassert(actual.contains(user_id)); + +- chassert(actual[user_name].size_in_bytes >= entry_size_in_bytes); +- actual[user_name].size_in_bytes -= entry_size_in_bytes; ++ chassert(actual[user_id].size_in_bytes >= entry_size_in_bytes); ++ actual[user_id].size_in_bytes -= entry_size_in_bytes; + +- chassert(actual[user_name].num_items >= 1); +- actual[user_name].num_items -= 1; ++ chassert(actual[user_id].num_items >= 1); ++ actual[user_id].num_items -= 1; + } + +- bool approveWrite(const String & user_name, size_t entry_size_in_bytes) const override ++ bool approveWrite(const UUID & user_id, size_t entry_size_in_bytes) const override + { +- auto it_actual = actual.find(user_name); ++ auto it_actual = actual.find(user_id); + Resources actual_for_user{.size_in_bytes = 0, .num_items = 0}; /// assume zero actual resource consumption is user isn't found + if (it_actual != actual.end()) + actual_for_user = it_actual->second; + +- auto it_quota = quotas.find(user_name); ++ auto it_quota = quotas.find(user_id); + Resources quota_for_user{.size_in_bytes = std::numeric_limits<size_t>::max(), .num_items = std::numeric_limits<size_t>::max()}; /// assume no threshold if no quota is found + if (it_quota != quotas.end()) + quota_for_user = it_quota->second; +@@ -69,10 +70,10 @@ public: + size_t num_items = 0; + }; + +- /// user name --> cache size quota (in bytes) / number of items quota +- std::map<String, Resources> quotas; +- /// user name --> actual cache usage (in bytes) / number of items +- std::map<String, Resources> actual; ++ /// user id --> cache size quota (in bytes) / number of items quota ++ std::map<UUID, Resources> quotas; ++ /// user id --> actual cache usage (in bytes) / number of items ++ std::map<UUID, Resources> actual; + }; + + +@@ -132,7 +133,8 @@ public: + if (it == cache.end()) + return; + size_t sz = weight_function(*it->second); +- Base::user_quotas->decreaseActual(it->first.user_name, sz); ++ if (it->first.user_id.has_value()) ++ Base::user_quotas->decreaseActual(*it->first.user_id, sz); + cache.erase(it); + size_in_bytes -= sz; + } +@@ -169,7 +171,9 @@ public: + /// Checks against per-user limits + auto sufficient_space_in_cache_for_user = [&]() + { +- return Base::user_quotas->approveWrite(key.user_name, entry_size_in_bytes); ++ if (key.user_id.has_value()) ++ return Base::user_quotas->approveWrite(*key.user_id, entry_size_in_bytes); ++ return true; + }; + + if (!sufficient_space_in_cache() || !sufficient_space_in_cache_for_user()) +@@ -179,7 +183,8 @@ public: + if (is_stale_function(it->first)) + { + size_t sz = weight_function(*it->second); +- Base::user_quotas->decreaseActual(it->first.user_name, sz); ++ if (it->first.user_id.has_value()) ++ Base::user_quotas->decreaseActual(*it->first.user_id, sz); + it = cache.erase(it); + size_in_bytes -= sz; + } +@@ -193,14 +198,16 @@ public: + if (auto it = cache.find(key); it != cache.end()) + { + size_t sz = weight_function(*it->second); +- Base::user_quotas->decreaseActual(it->first.user_name, sz); ++ if (it->first.user_id.has_value()) ++ Base::user_quotas->decreaseActual(*it->first.user_id, sz); + cache.erase(it); // stupid bug: (*) doesn't replace existing entries (likely due to custom hash function), need to erase explicitly + size_in_bytes -= sz; + } + + cache[key] = std::move(mapped); // (*) + size_in_bytes += entry_size_in_bytes; +- Base::user_quotas->increaseActual(key.user_name, entry_size_in_bytes); ++ if (key.user_id.has_value()) ++ Base::user_quotas->increaseActual(*key.user_id, entry_size_in_bytes); + } + } + +diff --git a/src/Interpreters/Cache/QueryCache.cpp b/src/Interpreters/Cache/QueryCache.cpp +index 33cb124f3b..0d60761a5a 100644 +--- a/src/Interpreters/Cache/QueryCache.cpp ++++ b/src/Interpreters/Cache/QueryCache.cpp +@@ -129,12 +129,14 @@ String queryStringFromAST(ASTPtr ast) + QueryCache::Key::Key( + ASTPtr ast_, + Block header_, +- const String & user_name_, bool is_shared_, ++ std::optional<UUID> user_id_, const std::vector<UUID> & current_user_roles_, ++ bool is_shared_, + std::chrono::time_point<std::chrono::system_clock> expires_at_, + bool is_compressed_) + : ast(removeQueryCacheSettings(ast_)) + , header(header_) +- , user_name(user_name_) ++ , user_id(user_id_) ++ , current_user_roles(current_user_roles_) + , is_shared(is_shared_) + , expires_at(expires_at_) + , is_compressed(is_compressed_) +@@ -142,8 +144,8 @@ QueryCache::Key::Key( + { + } + +-QueryCache::Key::Key(ASTPtr ast_, const String & user_name_) +- : QueryCache::Key(ast_, {}, user_name_, false, std::chrono::system_clock::from_time_t(1), false) /// dummy values for everything != AST or user name ++QueryCache::Key::Key(ASTPtr ast_, std::optional<UUID> user_id_, const std::vector<UUID> & current_user_roles_) ++ : QueryCache::Key(ast_, {}, user_id_, current_user_roles_, false, std::chrono::system_clock::from_time_t(1), false) /// dummy values for everything != AST or user name + { + } + +@@ -400,7 +402,9 @@ QueryCache::Reader::Reader(Cache & cache_, const Key & key, const std::lock_guar + const auto & entry_key = entry->key; + const auto & entry_mapped = entry->mapped; + +- if (!entry_key.is_shared && entry_key.user_name != key.user_name) ++ const bool is_same_user_id = ((!entry_key.user_id.has_value() && !key.user_id.has_value()) || (entry_key.user_id.has_value() && key.user_id.has_value() && *entry_key.user_id == *key.user_id)); ++ const bool is_same_current_user_roles = (entry_key.current_user_roles == key.current_user_roles); ++ if (!entry_key.is_shared && (!is_same_user_id || !is_same_current_user_roles)) + { + LOG_TRACE(logger, "Inaccessible query result found for query {}", doubleQuoteString(key.query_string)); + return; +@@ -502,7 +506,9 @@ QueryCache::Writer QueryCache::createWriter(const Key & key, std::chrono::millis + /// Update the per-user cache quotas with the values stored in the query context. This happens per query which writes into the query + /// cache. Obviously, this is overkill but I could find the good place to hook into which is called when the settings profiles in + /// users.xml change. +- cache.setQuotaForUser(key.user_name, max_query_cache_size_in_bytes_quota, max_query_cache_entries_quota); ++ /// user_id == std::nullopt is the internal user for which no quota can be configured ++ if (key.user_id.has_value()) ++ cache.setQuotaForUser(*key.user_id, max_query_cache_size_in_bytes_quota, max_query_cache_entries_quota); + + std::lock_guard lock(mutex); + return Writer(cache, key, max_entry_size_in_bytes, max_entry_size_in_rows, min_query_runtime, squash_partial_results, max_block_size); +diff --git a/src/Interpreters/Cache/QueryCache.h b/src/Interpreters/Cache/QueryCache.h +index d3c98dbd97..2dd4887dd2 100644 +--- a/src/Interpreters/Cache/QueryCache.h ++++ b/src/Interpreters/Cache/QueryCache.h +@@ -4,9 +4,12 @@ + #include <Common/logger_useful.h> + #include <Core/Block.h> + #include <Parsers/IAST_fwd.h> +-#include <Processors/Sources/SourceFromChunks.h> + #include <Processors/Chunk.h> ++#include <Processors/Sources/SourceFromChunks.h> + #include <QueryPipeline/Pipe.h> ++#include <base/UUID.h> ++ ++#include <optional> + + namespace DB + { +@@ -51,8 +54,15 @@ public: + /// Result metadata for constructing the pipe. + const Block header; + +- /// The user who executed the query. +- const String user_name; ++ /// The id and current roles of the user who executed the query. ++ /// These members are necessary to ensure that a (non-shared, see below) entry can only be written and read by the same user with ++ /// the same roles. Example attack scenarios: ++ /// - after DROP USER, it must not be possible to create a new user with with the dropped user name and access the dropped user's ++ /// query cache entries ++ /// - different roles of the same user may be tied to different row-level policies. It must not be possible to switch role and ++ /// access another role's cache entries ++ std::optional<UUID> user_id; ++ std::vector<UUID> current_user_roles; + + /// If the associated entry can be read by other users. In general, sharing is a bad idea: First, it is unlikely that different + /// users pose the same queries. Second, sharing potentially breaches security. E.g. User A should not be able to bypass row +@@ -74,12 +84,13 @@ public: + /// Ctor to construct a Key for writing into query cache. + Key(ASTPtr ast_, + Block header_, +- const String & user_name_, bool is_shared_, ++ std::optional<UUID> user_id_, const std::vector<UUID> & current_user_roles_, ++ bool is_shared_, + std::chrono::time_point<std::chrono::system_clock> expires_at_, + bool is_compressed); + + /// Ctor to construct a Key for reading from query cache (this operation only needs the AST + user name). +- Key(ASTPtr ast_, const String & user_name_); ++ Key(ASTPtr ast_, std::optional<UUID> user_id_, const std::vector<UUID> & current_user_roles_); + + bool operator==(const Key & other) const; + }; +diff --git a/src/Interpreters/executeQuery.cpp b/src/Interpreters/executeQuery.cpp +index 8cd3c8ab84..518c322059 100644 +--- a/src/Interpreters/executeQuery.cpp ++++ b/src/Interpreters/executeQuery.cpp +@@ -1005,7 +1005,7 @@ static std::tuple<ASTPtr, BlockIO> executeQueryImpl( + { + if (can_use_query_cache && settings.enable_reads_from_query_cache) + { +- QueryCache::Key key(ast, context->getUserName()); ++ QueryCache::Key key(ast, context->getUserID(), context->getCurrentRoles()); + QueryCache::Reader reader = query_cache->createReader(key); + if (reader.hasCacheEntryForKey()) + { +@@ -1112,7 +1112,8 @@ static std::tuple<ASTPtr, BlockIO> executeQueryImpl( + + QueryCache::Key key( + ast, res.pipeline.getHeader(), +- context->getUserName(), settings.query_cache_share_between_users, ++ context->getUserID(), context->getCurrentRoles(), ++ settings.query_cache_share_between_users, + std::chrono::system_clock::now() + std::chrono::seconds(settings.query_cache_ttl), + settings.query_cache_compress_entries); + +diff --git a/src/Storages/System/StorageSystemQueryCache.cpp b/src/Storages/System/StorageSystemQueryCache.cpp +index 03757101dd..4edac9dc62 100644 +--- a/src/Storages/System/StorageSystemQueryCache.cpp ++++ b/src/Storages/System/StorageSystemQueryCache.cpp +@@ -37,11 +37,15 @@ void StorageSystemQueryCache::fillData(MutableColumns & res_columns, ContextPtr + std::vector<QueryCache::Cache::KeyMapped> content = query_cache->dump(); + + const String & user_name = context->getUserName(); ++ std::optional<UUID> user_id = context->getUserID(); ++ std::vector<UUID> current_user_roles = context->getCurrentRoles(); + + for (const auto & [key, query_result] : content) + { + /// Showing other user's queries is considered a security risk +- if (!key.is_shared && key.user_name != user_name) ++ const bool is_same_user_id = ((!key.user_id.has_value() && !user_id.has_value()) || (key.user_id.has_value() && user_id.has_value() && *key.user_id == *user_id)); ++ const bool is_same_current_user_roles = (key.current_user_roles == current_user_roles); ++ if (!key.is_shared && (!is_same_user_id || !is_same_current_user_roles)) + continue; + + res_columns[0]->insert(key.query_string); /// approximates the original query string +diff --git a/tests/queries/0_stateless/02494_query_cache_user_isolation.reference b/tests/queries/0_stateless/02494_query_cache_user_isolation.reference +new file mode 100644 +index 0000000000..f8c4b31b22 +--- /dev/null ++++ b/tests/queries/0_stateless/02494_query_cache_user_isolation.reference +@@ -0,0 +1,28 @@ ++Attack 1 ++0 ++system.query_cache with old user 1 ++0 ++0 1 ++1 0 ++system.query_cache with new user 0 ++0 ++0 1 ++1 0 ++0 1 ++Attack 2 ++-- policy_1 test ++1 1 ++3 1 ++6 1 ++-- policy_2 test ++2 2 ++5 2 ++8 2 ++-- policy_1 with query cache test ++1 1 ++3 1 ++6 1 ++-- policy_2 with query cache test ++2 2 ++5 2 ++8 2 +diff --git a/tests/queries/0_stateless/02494_query_cache_user_isolation.sh b/tests/queries/0_stateless/02494_query_cache_user_isolation.sh +new file mode 100755 +index 0000000000..d55e246061 +--- /dev/null ++++ b/tests/queries/0_stateless/02494_query_cache_user_isolation.sh +@@ -0,0 +1,110 @@ ++#!/usr/bin/env bash ++# Tags: no-parallel, no-fasttest, long ++# Tag no-parallel: Messes with internal cache ++# no-fasttest: Produces wrong results in fasttest, unclear why, didn't reproduce locally. ++# long: Sloooow ... ++ ++CURDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) ++# shellcheck source=../shell_config.sh ++. "$CURDIR"/../shell_config.sh ++ ++# -- Attack 1: ++# - create a user, ++# - run a query whose result is stored in the query cache, ++# - drop the user, recreate it with the same name ++# - test that the cache entry is inaccessible ++ ++echo "Attack 1" ++ ++rnd=`tr -dc 1-9 </dev/urandom | head -c 5` # disambiguates the specific query in system.query_log below ++# echo $rnd ++ ++# Start with empty query cache (QC). ++${CLICKHOUSE_CLIENT} --query "SYSTEM DROP QUERY CACHE" ++ ++${CLICKHOUSE_CLIENT} --query "DROP USER IF EXISTS admin" ++${CLICKHOUSE_CLIENT} --query "CREATE USER admin" ++${CLICKHOUSE_CLIENT} --query "GRANT CURRENT GRANTS ON *.* TO admin WITH GRANT OPTION" ++ ++# Insert cache entry ++${CLICKHOUSE_CLIENT} --user "admin" --query "SELECT 0 == $rnd SETTINGS use_query_cache = 1" ++ ++# Check that the system view knows the new cache entry ++${CLICKHOUSE_CLIENT} --user "admin" --query "SELECT 'system.query_cache with old user', count(*) FROM system.query_cache" ++ ++# Run query again. The 1st run must be a cache miss, the 2nd run a cache hit ++${CLICKHOUSE_CLIENT} --user "admin" --query "SELECT 0 == $rnd SETTINGS use_query_cache = 1" ++${CLICKHOUSE_CLIENT} --user "admin" --query "SYSTEM FLUSH LOGS" ++${CLICKHOUSE_CLIENT} --user "admin" --query "SELECT ProfileEvents['QueryCacheHits'], ProfileEvents['QueryCacheMisses'] FROM system.query_log WHERE type = 'QueryFinish' AND current_database = currentDatabase() AND query = 'SELECT 0 == $rnd SETTINGS use_query_cache = 1' order by event_time_microseconds" ++ ++${CLICKHOUSE_CLIENT} --query "DROP USER IF EXISTS admin" ++${CLICKHOUSE_CLIENT} --query "CREATE USER admin" ++${CLICKHOUSE_CLIENT} --query "GRANT CURRENT GRANTS ON *.* TO admin WITH GRANT OPTION" ++ ++# Check that the system view reports the cache as empty ++${CLICKHOUSE_CLIENT} --user "admin" --query "SELECT 'system.query_cache with new user', count(*) FROM system.query_cache" ++ ++# Run same query as old user. Expect a cache miss. ++${CLICKHOUSE_CLIENT} --user "admin" --query "SELECT 0 == $rnd SETTINGS use_query_cache = 1" ++${CLICKHOUSE_CLIENT} --user "admin" --query "SYSTEM FLUSH LOGS" ++${CLICKHOUSE_CLIENT} --user "admin" --query "SELECT ProfileEvents['QueryCacheHits'], ProfileEvents['QueryCacheMisses'] FROM system.query_log WHERE type = 'QueryFinish' AND current_database = currentDatabase() AND query = 'SELECT 0 == $rnd SETTINGS use_query_cache = 1' order by event_time_microseconds" ++ ++# Cleanup ++${CLICKHOUSE_CLIENT} --query "DROP USER admin" ++${CLICKHOUSE_CLIENT} --query "SYSTEM DROP QUERY CACHE" ++ ++# -- Attack 2: (scenario from issue #58054) ++# - create a user, ++# - create two roles, each with different row policies ++# - cached query result in the context of the 1st role must must not be visible in the context of the 2nd role ++ ++echo "Attack 2" ++ ++# Start with empty query cache (QC). ++${CLICKHOUSE_CLIENT} --query "SYSTEM DROP QUERY CACHE" ++ ++${CLICKHOUSE_CLIENT} --query "DROP USER IF EXISTS admin" ++${CLICKHOUSE_CLIENT} --query "CREATE USER admin" ++${CLICKHOUSE_CLIENT} --query "GRANT CURRENT GRANTS ON *.* TO admin WITH GRANT OPTION" ++ ++# Create table ++${CLICKHOUSE_CLIENT} --user "admin" --query "DROP TABLE IF EXISTS user_data" ++${CLICKHOUSE_CLIENT} --user "admin" --query "CREATE TABLE user_data (ID UInt32, userID UInt32) ENGINE = MergeTree ORDER BY userID" ++ ++# Create roles with row-level security ++ ++${CLICKHOUSE_CLIENT} --user "admin" --query "DROP ROLE IF EXISTS user_role_1" ++# ${CLICKHOUSE_CLIENT} --user "admin" --query "DROP ROLE POLICY IF EXISTS user_policy_1" ++${CLICKHOUSE_CLIENT} --user "admin" --query "CREATE ROLE user_role_1" ++${CLICKHOUSE_CLIENT} --user "admin" --query "GRANT SELECT ON user_data TO user_role_1" ++${CLICKHOUSE_CLIENT} --user "admin" --query "CREATE ROW POLICY user_policy_1 ON user_data FOR SELECT USING userID = 1 TO user_role_1" ++ ++${CLICKHOUSE_CLIENT} --user "admin" --query "DROP ROLE IF EXISTS user_role_2" ++# ${CLICKHOUSE_CLIENT} --user "admin" --query "DROP ROLE POLICY IF EXISTS user_policy_2" ++${CLICKHOUSE_CLIENT} --user "admin" --query "CREATE ROLE user_role_2" ++${CLICKHOUSE_CLIENT} --user "admin" --query "GRANT SELECT ON user_data TO user_role_2" ++${CLICKHOUSE_CLIENT} --user "admin" --query "CREATE ROW POLICY user_policy_2 ON user_data FOR SELECT USING userID = 2 TO user_role_2" ++ ++# Grant roles to admin ++${CLICKHOUSE_CLIENT} --user "admin" --query "GRANT user_role_1, user_role_2 TO admin" ++${CLICKHOUSE_CLIENT} --user "admin" --query "INSERT INTO user_data (ID, userID) VALUES (1, 1), (2, 2), (3, 1), (4, 3), (5, 2), (6, 1), (7, 4), (8, 2)" ++ ++# Test... ++${CLICKHOUSE_CLIENT} --user "admin" --query "SELECT '-- policy_1 test'" ++${CLICKHOUSE_CLIENT} --user "admin" --multiquery "SET ROLE user_role_1; SELECT * FROM user_data" # should only return rows with userID = 1 ++ ++${CLICKHOUSE_CLIENT} --user "admin" --query "SELECT '-- policy_2 test'" ++${CLICKHOUSE_CLIENT} --user "admin" --multiquery "SET ROLE user_role_2; SELECT * FROM user_data" # should only return rows with userID = 2 ++ ++${CLICKHOUSE_CLIENT} --user "admin" --query "SELECT '-- policy_1 with query cache test'" ++${CLICKHOUSE_CLIENT} --user "admin" --multiquery "SET ROLE user_role_1; SELECT * FROM user_data SETTINGS use_query_cache = 1" # should only return rows with userID = 1 ++ ++${CLICKHOUSE_CLIENT} --user "admin" --query "SELECT '-- policy_2 with query cache test'" ++${CLICKHOUSE_CLIENT} --user "admin" --multiquery "SET ROLE user_role_2; SELECT * FROM user_data SETTINGS use_query_cache = 1" # should only return rows with userID = 2 (not userID = 1!) ++ ++# Cleanup ++${CLICKHOUSE_CLIENT} --user "admin" --query "DROP ROLE user_role_1" ++${CLICKHOUSE_CLIENT} --user "admin" --query "DROP ROLE user_role_2" ++${CLICKHOUSE_CLIENT} --user "admin" --query "DROP TABLE user_data" ++${CLICKHOUSE_CLIENT} --query "DROP USER admin" ++${CLICKHOUSE_CLIENT} --query "SYSTEM DROP QUERY CACHE" diff --git a/pkgs/servers/clickhouse/default.nix b/pkgs/servers/clickhouse/default.nix index a378862854d58..2b35d8bfd4255 100644 --- a/pkgs/servers/clickhouse/default.nix +++ b/pkgs/servers/clickhouse/default.nix @@ -124,6 +124,10 @@ in mkDerivation rec { popd ''; + patches = [ + ./23.10-CVE-2024-22412.patch + ]; + postPatch = '' patchShebangs src/ diff --git a/pkgs/servers/invidious/default.nix b/pkgs/servers/invidious/default.nix index 0b1cea5fd689a..69eae0a697fbe 100644 --- a/pkgs/servers/invidious/default.nix +++ b/pkgs/servers/invidious/default.nix @@ -23,7 +23,7 @@ crystal.buildCrystalPackage rec { owner = "iv-org"; repo = pname; fetchSubmodules = true; - inherit (versions.invidious) rev sha256; + inherit (versions.invidious) rev hash; }; postPatch = diff --git a/pkgs/servers/invidious/versions.json b/pkgs/servers/invidious/versions.json index 2168d604c191d..1c63255886354 100644 --- a/pkgs/servers/invidious/versions.json +++ b/pkgs/servers/invidious/versions.json @@ -4,9 +4,9 @@ "sha256": "sha256-EU6T9yQCdOLx98Io8o01rEsgxDFF/Xoy42LgPopD2/A=" }, "invidious": { - "rev": "c5b87e3b5e5cc7f7f5c8baa7732bd6d81d8f910a", - "sha256": "sha256-aYxVgktwUBVfvUxgQUDUmDAKp1sr0+ZJcyGqcmBB4e0=", - "version": "unstable-2023-11-08" + "rev": "08390acd0c17875fddb84cabba54197a5b5740e4", + "hash": "sha256-75C/ImX/PYikVdSO4rZM/aYyEgx6pU90BHNeRFfcsDM=", + "version": "0.20.1-unstable-2024-03-31" }, "lsquic": { "sha256": "sha256-hG8cUvhbCNeMOsKkaJlgGpzUrIx47E/WhmPIdI5F3qM=", diff --git a/pkgs/servers/matrix-synapse/tools/synadm.nix b/pkgs/servers/matrix-synapse/tools/synadm.nix index 6a297acff610f..8805e2a0bd439 100644 --- a/pkgs/servers/matrix-synapse/tools/synadm.nix +++ b/pkgs/servers/matrix-synapse/tools/synadm.nix @@ -6,12 +6,12 @@ python3.pkgs.buildPythonApplication rec { pname = "synadm"; - version = "0.44"; + version = "0.46"; format = "setuptools"; src = fetchPypi { inherit pname version; - hash = "sha256-BNmdyEITSZJb+wwyLU+zZi70kmfuYOqVDhKi8xFCf2E="; + hash = "sha256-Wz5ZpaDJIb7k5ZpvIUd/YGrLJwjDwRaS8Tb3FTd2kZU="; }; propagatedBuildInputs = with python3.pkgs; [ diff --git a/pkgs/tools/networking/mozillavpn/default.nix b/pkgs/tools/networking/mozillavpn/default.nix index 2f6fb0ff4b781..ca0ae8c4448d9 100644 --- a/pkgs/tools/networking/mozillavpn/default.nix +++ b/pkgs/tools/networking/mozillavpn/default.nix @@ -27,13 +27,13 @@ let pname = "mozillavpn"; - version = "2.20.0"; + version = "2.21.0"; src = fetchFromGitHub { owner = "mozilla-mobile"; repo = "mozilla-vpn-client"; rev = "v${version}"; fetchSubmodules = true; - hash = "sha256-pPc7++m21DO349VJsaJZRk3xY+qqzgv6Jj5cwYQI3NI="; + hash = "sha256-XBvKSgMuWgMuV+is2G028UNQ4hID7tKiHFuMdPOZcsI="; }; patches = [ ]; @@ -47,19 +47,19 @@ let inherit src patches; name = "${pname}-${version}-extension-bridge"; preBuild = "cd extension/bridge"; - hash = "sha256-wXr9+eyHBQcwEHy/DLixLZ/0DnFHhtiqrbl5q/7qx0U="; + hash = "sha256-1BXlp9AC9oQo/UzCtgNWVv8Er2ERoDLKdlTYXLzodMQ="; }; signatureDeps = rustPlatform.fetchCargoTarball { inherit src patches; name = "${pname}-${version}-signature"; preBuild = "cd signature"; - hash = "sha256-7Gz4T5wF/xpbNJZqudEaEs67q1Y6NMUuXe6u34FWqIA="; + hash = "sha256-GtkDkeFdPsLuTpZh5UqIhFMpzW3HMkbz7npryOQkkGw="; }; qtgleanDeps = rustPlatform.fetchCargoTarball { inherit src patches; name = "${pname}-${version}-qtglean"; preBuild = "cd qtglean"; - hash = "sha256-CTubwS4O3az8AHGa5YQgvjXQfh1j9w6jFmiX37aYjOw="; + hash = "sha256-HFmRcfxCcc83IPPIovbf3jNftp0olKQ6RzV8vPpCYAM="; }; in diff --git a/pkgs/tools/typesetting/tex/texlive/bin.nix b/pkgs/tools/typesetting/tex/texlive/bin.nix index bb9a4d4a4a897..007e28f50cf8a 100644 --- a/pkgs/tools/typesetting/tex/texlive/bin.nix +++ b/pkgs/tools/typesetting/tex/texlive/bin.nix @@ -145,6 +145,12 @@ core = stdenv.mkDerivation rec { # Fix implicit `int` on `main`, which results in an error when building with clang 16. # This is fixed upstream and can be dropped with the 2023 release. ./fix-implicit-int.patch + (fetchpatch { + name = "ttfdump-CVE-2024-25262.patch"; + url = "https://tug.org/svn/texlive/trunk/Build/source/texk/ttfdump/libttf/hdmx.c?r1=57915&r2=69520&view=patch"; + stripLen = 2; + hash = "sha256-WH2kioqFAs3jaFmu4DdEUdrTf6eiymtiWTZi3vWwU7k="; + }) ]; hardeningDisable = [ "format" ]; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index bfbdf3d8ac9c7..fbc95685b80a3 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -17000,7 +17000,7 @@ with pkgs; cargo-all-features = callPackage ../development/tools/rust/cargo-all-features { }; cargo-apk = callPackage ../development/tools/rust/cargo-apk { }; cargo-audit = callPackage ../development/tools/rust/cargo-audit { - inherit (darwin.apple_sdk.frameworks) Security; + inherit (darwin.apple_sdk.frameworks) Security SystemConfiguration; }; cargo-benchcmp = callPackage ../development/tools/rust/cargo-benchcmp { }; cargo-binstall = callPackage ../development/tools/rust/cargo-binstall { }; |