45 files changed, 553 insertions, 136 deletions
diff --git a/lib/fileset/internal.nix b/lib/fileset/internal.nix index 4059d2e244260..f4fcc83e10124 100644 --- a/lib/fileset/internal.nix +++ b/lib/fileset/internal.nix @@ -5,6 +5,7 @@ let isAttrs isPath isString + nixVersion pathExists readDir split @@ -17,6 +18,7 @@ let attrNames attrValues mapAttrs + optionalAttrs zipAttrsWith ; @@ -56,6 +58,7 @@ let substring stringLength hasSuffix + versionAtLeast ; inherit (lib.trivial) @@ -840,6 +843,10 @@ rec { # https://github.com/NixOS/nix/commit/55cefd41d63368d4286568e2956afd535cb44018 _fetchGitSubmodulesMinver = "2.4"; + # Support for `builtins.fetchGit` with `shallow = true` was introduced in 2.4 + # https://github.com/NixOS/nix/commit/d1165d8791f559352ff6aa7348e1293b2873db1c + _fetchGitShallowMinver = "2.4"; + # Mirrors the contents of a Nix store path relative to a local path as a file set. # Some notes: # - The store path is read at evaluation time. 
@@ -894,7 +901,17 @@ rec { # However a simpler alternative still would be [a builtins.gitLsFiles](https://github.com/NixOS/nix/issues/2944). fetchResult = fetchGit ({ url = path; - } // extraFetchGitAttrs); + } + # In older Nix versions, repositories were always assumed to be deep clones, which made `fetchGit` fail for shallow clones + # For newer versions this was fixed, but the `shallow` flag is required. + # The only behavioral difference is that for shallow clones, `fetchGit` doesn't return a `revCount`, + # which we don't need here, so it's fine to always pass it. + + # Unfortunately this means older Nix versions get a poor error message for shallow repositories, and there's no good way to improve that. + # Checking for `.git/shallow` doesn't seem worth it, especially since that's more of an implementation detail, + # and would also require more code to handle worktrees where `.git` is a file. + // optionalAttrs (versionAtLeast nixVersion _fetchGitShallowMinver) { shallow = true; } + // extraFetchGitAttrs); in # We can identify local working directories by checking for .git, # see https://git-scm.com/docs/gitrepository-layout#_description. diff --git a/lib/fileset/tests.sh b/lib/fileset/tests.sh index e809aef6935a5..af8338eb7855f 100755 --- a/lib/fileset/tests.sh +++ b/lib/fileset/tests.sh 
@@ -1439,6 +1439,19 @@ if [[ -n "$fetchGitSupportsSubmodules" ]]; then fi rm -rf -- * +# shallow = true is not supported on all Nix versions +# and older versions don't support shallow clones at all +if [[ "$(nix-instantiate --eval --expr "$prefixExpression (versionAtLeast builtins.nixVersion _fetchGitShallowMinver)")" == true ]]; then + createGitRepo full + # Extra commit such that there's a commit that won't be in the shallow clone + git -C full commit --allow-empty -q -m extra + git clone -q --depth 1 "file://${PWD}/full" shallow + cd shallow + checkGitTracked + cd .. + rm -rf -- * +fi + # Go through all stages of Git files # See https://www.git-scm.com/book/en/v2/Git-Basics-Recording-Changes-to-the-Repository diff --git a/nixos/modules/security/wrappers/wrapper.c b/nixos/modules/security/wrappers/wrapper.c index 3277e7ef6f799..3e126875c6872 100644 --- a/nixos/modules/security/wrappers/wrapper.c +++ b/nixos/modules/security/wrappers/wrapper.c @@ -172,6 +172,13 @@ static int make_caps_ambient(const char *self_path) { int main(int argc, char **argv) { ASSERT(argc >= 1); + // argv[0] goes into a lot of places, to a far greater degree than other elements + // of argv. glibc has had buffer overflows relating to argv[0], eg CVE-2023-6246. + // Since we expect the wrappers to be invoked from either $PATH or /run/wrappers/bin, + // there should be no reason to pass any particularly large values here, so we can + // be strict for strictness' sake. + ASSERT(strlen(argv[0]) < 512); + int debug = getenv(wrapper_debug) != NULL; // Drop insecure environment variables explicitly diff --git a/nixos/modules/services/networking/strongswan-swanctl/module.nix b/nixos/modules/services/networking/strongswan-swanctl/module.nix index bfea89969728f..f64fb2fceb40a 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/module.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/module.nix 
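Review bot: The added block runs `cd shallow`, `checkGitTracked`, `cd ..` and then `rm -rf -- *`, so the directory that the glob removal runs in depends on both `cd` calls succeeding. Whether the script aborts on a failed `cd` is decided outside this hunk; if it does not, the cleanup would run in a different directory than intended. Running the check in a subshell, `(cd shallow && checkGitTracked)`, keeps the working directory fixed for the `rm -rf -- *` that follows.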
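Review bot: The new `ASSERT(strlen(argv[0]) < 512);` only protects anything if `ASSERT` stays active in every build of the wrapper; the macro is defined outside this hunk, so confirm it is not tied to `NDEBUG` or a debug flag. The bound is also a bare literal, and a named constant such as `#define MAX_ARGV0_LEN 512` placed next to the explanatory comment would keep the limit and its rationale together. main's body continues outside the hunk.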
@@ -5,6 +5,9 @@ with (import ./param-lib.nix lib); let cfg = config.services.strongswan-swanctl; + configFile = pkgs.writeText "swanctl.conf" + ( (paramsToConf cfg.swanctl swanctlParams) + + (concatMapStrings (i: "\ninclude ${i}") cfg.includes)); swanctlParams = import ./swanctl-params.nix lib; in { options.services.strongswan-swanctl = { @@ -28,6 +31,13 @@ in { }; swanctl = paramsToOptions swanctlParams; + includes = mkOption { + type = types.listOf types.path; + default = []; + description = '' + Extra configuration files to include in the swanctl configuration. This can be used to provide secret values from outside the nix store. + ''; + }; }; config = mkIf cfg.enable { @@ -38,8 +48,7 @@ in { } ]; - environment.etc."swanctl/swanctl.conf".text = - paramsToConf cfg.swanctl swanctlParams; + environment.etc."swanctl/swanctl.conf".source = configFile; # The swanctl command complains when the following directories don't exist: # See: https://wiki.strongswan.org/projects/strongswan/wiki/Swanctldirectory diff --git a/pkgs/applications/editors/emacs/sources.nix b/pkgs/applications/editors/emacs/sources.nix index 37bab4923bfc3..aa73fa29b0d19 100644 --- a/pkgs/applications/editors/emacs/sources.nix +++ b/pkgs/applications/editors/emacs/sources.nix @@ -77,10 +77,10 @@ in emacs29 = import ./make-emacs.nix (mkArgs { pname = "emacs"; - version = "29.1"; + version = "29.2"; variant = "mainline"; - rev = "29.1"; - hash = "sha256-3HDCwtOKvkXwSULf3W7YgTz4GV8zvYnh2RrL28qzGKg="; + rev = "29.2"; + hash = "sha256-qSQmQzVyEGSr4GAI6rqnEwBvhl09D2D8MNasHqZQPL8="; }); emacs28-macport = import ./make-emacs.nix (mkArgs { diff --git a/pkgs/applications/graphics/ImageMagick/default.nix b/pkgs/applications/graphics/ImageMagick/default.nix index 8ac0496488895..b2d5dacb20fc4 100644 --- a/pkgs/applications/graphics/ImageMagick/default.nix +++ b/pkgs/applications/graphics/ImageMagick/default.nix 
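Review bot: In `configFile`, `"\ninclude ${i}"` interpolates each element of `cfg.includes`, and the option is typed `types.listOf types.path`, which accepts Nix path values as well as absolute-path strings. Interpolating a path value copies that file into the Nix store and writes the store path into swanctl.conf, so a secrets file passed as a path literal would end up in the world-readable store, contrary to what the option description in the second hunk promises. Using `"\ninclude ${toString i}"` keeps the original location, and the description could state that entries should be given as strings naming files that exist at runtime.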
@@ -49,13 +49,13 @@ in stdenv.mkDerivation (finalAttrs: { pname = "imagemagick"; - version = "7.1.1-25"; + version = "7.1.1-26"; src = fetchFromGitHub { owner = "ImageMagick"; repo = "ImageMagick"; rev = finalAttrs.version; - hash = "sha256-HKDeeh8DNj0y7wS4DqctXhmNaOqZ02JeBXRFrEpH0M4="; + hash = "sha256-diJhCRDT0SbAYZdBPoxZJWlrUW2Nz4/d7H0Nnybw0Yw="; }; outputs = [ "out" "dev" "doc" ]; # bin/ isn't really big diff --git a/pkgs/applications/networking/browsers/microsoft-edge/default.nix b/pkgs/applications/networking/browsers/microsoft-edge/default.nix index ae312d92368c5..3836453ee6458 100644 --- a/pkgs/applications/networking/browsers/microsoft-edge/default.nix +++ b/pkgs/applications/networking/browsers/microsoft-edge/default.nix @@ -1,20 +1,20 @@ { stable = import ./browser.nix { channel = "stable"; - version = "120.0.2210.144"; + version = "121.0.2277.83"; revision = "1"; - hash = "sha256-O/7LdopcMfSYx8cg9BNDU6KxbPfnF9rYXD7Q6jugBLU="; + hash = "sha256-WuDu44elNlkYZEtol+TZNpcRAkAq8HHATYCc9Or/bvU="; }; beta = import ./browser.nix { channel = "beta"; - version = "121.0.2277.71"; + version = "121.0.2277.83"; revision = "1"; - hash = "sha256-PsfUZJ5ftHxSFGaXjzFMEff7Czfq88yL31mqNkFilNM="; + hash = "sha256-eW8Bpcjw1aY5lMqsGCJ3hORVLhzW8Fmaio+kpSOzPeU="; }; dev = import ./browser.nix { channel = "dev"; - version = "122.0.2348.0"; + version = "122.0.2353.0"; revision = "1"; - hash = "sha256-Vsnrc43d70fLDncMeQeYhZJhnYex2LsIV1U2KPlkP9U="; + hash = "sha256-llLaq13SU4ZpqhOYK0hy6ZD6amAqijStk8TIHX3gydQ="; }; } diff --git a/pkgs/applications/networking/instant-messengers/armcord/default.nix b/pkgs/applications/networking/instant-messengers/armcord/default.nix index 9b16c05241c84..71593897787e7 100644 --- a/pkgs/applications/networking/instant-messengers/armcord/default.nix +++ b/pkgs/applications/networking/instant-messengers/armcord/default.nix @@ -38,7 +38,7 @@ stdenv.mkDerivation rec { pname = "armcord"; - version = "3.2.5"; + version = "3.2.6"; src = let 
@@ -47,11 +47,11 @@ stdenv.mkDerivation rec { { x86_64-linux = fetchurl { url = "${base}/v${version}/ArmCord_${version}_amd64.deb"; - hash = "sha256-6zlYm4xuYpG+Bgsq5S+B/Zt9TRB2GZnueKAg2ywYLE4="; + hash = "sha256-9AcxqCxhLAjYclaw6lri06R0PgQQeRHTbLJLEdhDCWU="; }; aarch64-linux = fetchurl { url = "${base}/v${version}/ArmCord_${version}_arm64.deb"; - hash = "sha256-HJu1lRa3zOTohsPMe23puHxg1VMWNR2aOjDQJqc4TqE="; + hash = "sha256-/uk2slpNF1sSTW6z319Yg9yx/s45fJPvJQJpY11ULVw="; }; }.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}"); diff --git a/pkgs/applications/networking/instant-messengers/element/pin.nix b/pkgs/applications/networking/instant-messengers/element/pin.nix index 830c7080925ae..9a10c2eddba8b 100644 --- a/pkgs/applications/networking/instant-messengers/element/pin.nix +++ b/pkgs/applications/networking/instant-messengers/element/pin.nix @@ -1,9 +1,9 @@ { - "version" = "1.11.55"; + "version" = "1.11.57"; "hashes" = { - "desktopSrcHash" = "sha256-Gk6RjhU0vJymz2KmaNJgnuGcSVyJo53iWR3naOx49X4="; - "desktopYarnHash" = "0v3j54a2ixik424za0iwj4sf60g934480jyp5lblhg7z8y5xqks8"; - "webSrcHash" = "sha256-dAfPYw3qqj+xY3ZaACsT/Vtp57mag6PJtquxqXZ6F1Q="; - "webYarnHash" = "1aqhdk9mgz5hq7iawjclzfd78wi64kygkklwg6sp6qfv1ayi6b51"; + "desktopSrcHash" = "sha256-U1Koq+YrTQnbJAQmMuBioU6lxtw3oH9U3W3iMIDbibY="; + "desktopYarnHash" = "03kx7g1fhm4qn6iq450156fgw1x6bf0sngmqhd2hrhp699mjxs5s"; + "webSrcHash" = "sha256-ZoB6ALNUDYh8nYUYsPNeiCaXn3qvg3NRJzDRJaHT4oU="; + "webYarnHash" = "0vznx306p3racnq5xv27ywvlrdxql9x8i3fl77i5vlc8g7crpc3m"; }; } diff --git a/pkgs/applications/video/frigate/CVE-2023-45670.patch b/pkgs/applications/video/frigate/CVE-2023-45670.patch new file mode 100644 index 0000000000000..7616c72f040e0 --- /dev/null +++ b/pkgs/applications/video/frigate/CVE-2023-45670.patch 
@@ -0,0 +1,182 @@ +diff --git a/frigate/http.py b/frigate/http.py +index d3a059a7..b36bda57 100644 +--- a/frigate/http.py ++++ b/frigate/http.py +@@ -61,6 +61,13 @@ def create_app( + ): + app = Flask(__name__) + ++ @app.before_request ++ def check_csrf(): ++ if request.method in ["GET", "HEAD", "OPTIONS", "TRACE"]: ++ pass ++ if "origin" in request.headers and "x-csrf-token" not in request.headers: ++ return jsonify({"success": False, "message": "Missing CSRF header"}), 401 ++ + @app.before_request + def _db_connect(): + if database.is_closed(): +diff --git a/web/src/api/baseUrl.js b/web/src/api/baseUrl.js +index 132f170c..1167789d 100644 +--- a/web/src/api/baseUrl.js ++++ b/web/src/api/baseUrl.js +@@ -1,2 +1 @@ +-import { API_HOST } from '../env'; +-export const baseUrl = API_HOST || `${window.location.protocol}//${window.location.host}${window.baseUrl || '/'}`; ++export const baseUrl = `${window.location.protocol}//${window.location.host}${window.baseUrl || '/'}`; +diff --git a/web/src/api/index.jsx b/web/src/api/index.jsx +index 9f256dbb..9e4e63b4 100644 +--- a/web/src/api/index.jsx ++++ b/web/src/api/index.jsx +@@ -5,6 +5,9 @@ import { WsProvider } from './ws'; + import axios from 'axios'; + + axios.defaults.baseURL = `${baseUrl}api/`; ++axios.defaults.headers.common = { ++ 'X-CSRF-TOKEN': 1, ++}; + + export function ApiProvider({ children, options }) { + return ( +diff --git a/web/src/components/CameraImage.jsx b/web/src/components/CameraImage.jsx +index 98754e50..c747558c 100644 +--- a/web/src/components/CameraImage.jsx ++++ b/web/src/components/CameraImage.jsx +@@ -53,7 +53,7 @@ export default function CameraImage({ camera, onload, searchParams = '', stretch + if (!config || scaledHeight === 0 || !canvasRef.current) { + return; + } +- img.src = `${apiHost}/api/${name}/latest.jpg?h=${scaledHeight}${searchParams ? `&${searchParams}` : ''}`; ++ img.src = `${apiHost}api/${name}/latest.jpg?h=${scaledHeight}${searchParams ? 
`&${searchParams}` : ''}`; + }, [apiHost, canvasRef, name, img, searchParams, scaledHeight, config]); + + return ( +diff --git a/web/src/components/HistoryViewer/HistoryVideo.tsx b/web/src/components/HistoryViewer/HistoryVideo.tsx +index 32ed7e6c..1544d1e1 100644 +--- a/web/src/components/HistoryViewer/HistoryVideo.tsx ++++ b/web/src/components/HistoryViewer/HistoryVideo.tsx +@@ -57,10 +57,10 @@ export const HistoryVideo = ({ + } + + video.src({ +- src: `${apiHost}/vod/event/${id}/master.m3u8`, ++ src: `${apiHost}vod/event/${id}/master.m3u8`, + type: 'application/vnd.apple.mpegurl', + }); +- video.poster(`${apiHost}/api/events/${id}/snapshot.jpg`); ++ video.poster(`${apiHost}api/events/${id}/snapshot.jpg`); + if (videoIsPlaying) { + video.play(); + } +diff --git a/web/src/components/RecordingPlaylist.jsx b/web/src/components/RecordingPlaylist.jsx +index 4d6f9384..a162aa34 100644 +--- a/web/src/components/RecordingPlaylist.jsx ++++ b/web/src/components/RecordingPlaylist.jsx +@@ -153,7 +153,7 @@ export function EventCard({ camera, event }) { + <Link className="" href={`/recording/${camera}/${format(start, 'yyyy-MM-dd/HH/mm/ss')}`}> + <div className="flex flex-row mb-2"> + <div className="w-28 mr-4"> +- <img className="antialiased" loading="lazy" src={`${apiHost}/api/events/${event.id}/thumbnail.jpg`} /> ++ <img className="antialiased" loading="lazy" src={`${apiHost}api/events/${event.id}/thumbnail.jpg`} /> + </div> + <div className="flex flex-row w-full border-b"> + <div className="w-full text-gray-700 font-semibold relative pt-0"> +diff --git a/web/src/routes/Camera.jsx b/web/src/routes/Camera.jsx +index 7a50d530..63cbf130 100644 +--- a/web/src/routes/Camera.jsx ++++ b/web/src/routes/Camera.jsx +@@ -197,7 +197,7 @@ export default function Camera({ camera }) { + key={objectType} + header={objectType} + href={`/events?cameras=${camera}&labels=${encodeURIComponent(objectType)}`} +- media={<img 
src={`${apiHost}/api/${camera}/${encodeURIComponent(objectType)}/thumbnail.jpg`} />} ++ media={<img src={`${apiHost}api/${camera}/${encodeURIComponent(objectType)}/thumbnail.jpg`} />} + /> + ))} + </div> +diff --git a/web/src/routes/CameraMap.jsx b/web/src/routes/CameraMap.jsx +index ca77ec56..9f3124dc 100644 +--- a/web/src/routes/CameraMap.jsx ++++ b/web/src/routes/CameraMap.jsx +@@ -226,7 +226,7 @@ ${Object.keys(objectMaskPoints) + + <div className="space-y-4"> + <div className="relative"> +- <img ref={imageRef} src={`${apiHost}/api/${camera}/latest.jpg`} /> ++ <img ref={imageRef} src={`${apiHost}api/${camera}/latest.jpg`} /> + <EditableMask + onChange={handleUpdateEditable} + points={'subkey' in editing ? editing.set[editing.key][editing.subkey] : editing.set[editing.key]} +diff --git a/web/src/routes/Config.jsx b/web/src/routes/Config.jsx +index e043bbf2..c24a2860 100644 +--- a/web/src/routes/Config.jsx ++++ b/web/src/routes/Config.jsx +@@ -71,7 +71,7 @@ export default function Config() { + format: true, + schemas: [ + { +- uri: `${apiHost}/api/config/schema.json`, ++ uri: `${apiHost}api/config/schema.json`, + fileMatch: [String(modelUri)], + }, + ], +diff --git a/web/src/routes/Events.jsx b/web/src/routes/Events.jsx +index ec50ca78..bec15c23 100644 +--- a/web/src/routes/Events.jsx ++++ b/web/src/routes/Events.jsx +@@ -352,7 +352,7 @@ export default function Events({ path, ...props }) { + icon={Snapshot} + label="Download Snapshot" + value="snapshot" +- href={`${apiHost}/api/events/${downloadEvent.id}/snapshot.jpg?download=true`} ++ href={`${apiHost}api/events/${downloadEvent.id}/snapshot.jpg?download=true`} + download + /> + )} +@@ -361,7 +361,7 @@ export default function Events({ path, ...props }) { + icon={Clip} + label="Download Clip" + value="clip" +- href={`${apiHost}/api/events/${downloadEvent.id}/clip.mp4?download=true`} ++ href={`${apiHost}api/events/${downloadEvent.id}/clip.mp4?download=true`} + download + /> + )} +@@ -483,7 +483,7 @@ export default 
function Events({ path, ...props }) { + <div + className="relative rounded-l flex-initial min-w-[125px] h-[125px] bg-contain bg-no-repeat bg-center" + style={{ +- 'background-image': `url(${apiHost}/api/events/${event.id}/thumbnail.jpg)`, ++ 'background-image': `url(${apiHost}api/events/${event.id}/thumbnail.jpg)`, + }} + > + <StarRecording +@@ -595,8 +595,8 @@ export default function Events({ path, ...props }) { + className="flex-grow-0" + src={ + event.has_snapshot +- ? `${apiHost}/api/events/${event.id}/snapshot.jpg` +- : `${apiHost}/api/events/${event.id}/thumbnail.jpg` ++ ? `${apiHost}api/events/${event.id}/snapshot.jpg` ++ : `${apiHost}api/events/${event.id}/thumbnail.jpg` + } + alt={`${event.label} at ${(event.top_score * 100).toFixed(0)}% confidence`} + /> +diff --git a/web/vite.config.ts b/web/vite.config.ts +index 6b02c932..0f57d920 100644 +--- a/web/vite.config.ts ++++ b/web/vite.config.ts +@@ -9,6 +9,13 @@ export default defineConfig({ + define: { + 'import.meta.vitest': 'undefined', + }, ++ server: { ++ proxy: { ++ '/api': { ++ target: 'http://localhost:5000' ++ } ++ } ++ }, + plugins: [ + preact(), + monacoEditorPlugin.default({ diff --git a/pkgs/applications/video/frigate/CVE-2023-45671.patch b/pkgs/applications/video/frigate/CVE-2023-45671.patch new file mode 100644 index 0000000000000..efc4fe14091d4 --- /dev/null +++ b/pkgs/applications/video/frigate/CVE-2023-45671.patch @@ -0,0 +1,13 @@ +diff --git a/frigate/http.py b/frigate/http.py +index d3a059a7..33519b7a 100644 +--- a/frigate/http.py ++++ b/frigate/http.py +@@ -1119,7 +1119,7 @@ def recording_clip(camera_name, start_ts, end_ts): + + if p.returncode != 0: + logger.error(p.stderr) +- return f"Could not create clip from recordings for {camera_name}.", 500 ++ return "Could not create clip from recordings.", 500 + else: + logger.debug( + f"Ignoring subsequent request for {path} as it already exists in the cache." 
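Review bot: In the vendored `check_csrf` hook added to frigate/http.py, the safe-method branch ends in `pass`, which does nothing, so GET, HEAD, OPTIONS and TRACE requests still reach the `"origin" in request.headers` test below it. The check fails closed, so this is not a bypass, but the branch reads as an exemption that does not exist; if the exemption is intended it would be `return None`, otherwise the branch can be dropped. The header is also only tested for presence, and only when an Origin header was sent, so the protection rests on browsers not attaching a custom header cross-origin without CORS approval; a one-line comment saying so would help the next reader. As this file appears to mirror an upstream fix, any change is better raised upstream than made in the local copy.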
diff --git a/pkgs/applications/video/frigate/CVE-2023-45672.patch b/pkgs/applications/video/frigate/CVE-2023-45672.patch new file mode 100644 index 0000000000000..1661c32a4d85f --- /dev/null +++ b/pkgs/applications/video/frigate/CVE-2023-45672.patch @@ -0,0 +1,14 @@ +diff --git a/frigate/util.py b/frigate/util.py +index a6fe4b29..510d5992 100755 +--- a/frigate/util.py ++++ b/frigate/util.py +@@ -55,7 +55,8 @@ def load_config_with_no_duplicates(raw_config) -> dict: + """Get config ensuring duplicate keys are not allowed.""" + + # https://stackoverflow.com/a/71751051 +- class PreserveDuplicatesLoader(yaml.loader.Loader): ++ # important to use SafeLoader here to avoid RCE ++ class PreserveDuplicatesLoader(yaml.loader.SafeLoader): + pass + + def map_constructor(loader, node, deep=False): diff --git a/pkgs/applications/video/frigate/default.nix b/pkgs/applications/video/frigate/default.nix index 5414193640f0e..89f476996670a 100644 --- a/pkgs/applications/video/frigate/default.nix +++ b/pkgs/applications/video/frigate/default.nix @@ -59,6 +59,15 @@ python.pkgs.buildPythonApplication rec { url = "https://github.com/blakeblackshear/frigate/commit/cb73d0cd392990448811c7212bc5f09be411fc69.patch"; hash = "sha256-Spt7eRosmTN8zyJ2uVme5HPVy2TKgBtvbQ6tp6PaNac="; }) + + # https://github.com/blakeblackshear/frigate/security/advisories/GHSA-xq49-hv88-jr6h + ./CVE-2023-45670.patch + + # https://github.com/blakeblackshear/frigate/security/advisories/GHSA-jjxc-m35j-p56f + ./CVE-2023-45671.patch + + # https://github.com/blakeblackshear/frigate/security/advisories/GHSA-qp3h-4q62-p428 + ./CVE-2023-45672.patch ]; postPatch = '' diff --git a/pkgs/build-support/setup-hooks/auto-patchelf.sh b/pkgs/build-support/setup-hooks/auto-patchelf.sh index 371389df427bc..9f6366b3feaed 100644 --- a/pkgs/build-support/setup-hooks/auto-patchelf.sh +++ b/pkgs/build-support/setup-hooks/auto-patchelf.sh 
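Review bot: The three entries added to `patches` in frigate/default.nix cite the security advisories but not the upstream commits the local patch files were derived from, so a reviewer cannot compare the vendored copies against upstream. Add the commit reference to each comment, for example `# upstream commit: <UPSTREAM_COMMIT_URL>`. If the upstream commits apply cleanly to this version, fetching them with `fetchpatch` and a pinned hash, as the entry just above does, would avoid carrying local copies at all.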
@@ -53,17 +53,30 @@ autoPatchelf() { esac done - readarray -td' ' ignoreMissingDepsArray < <(echo -n "$autoPatchelfIgnoreMissingDeps") - if [ "$autoPatchelfIgnoreMissingDeps" == "1" ]; then - echo "autoPatchelf: WARNING: setting 'autoPatchelfIgnoreMissingDeps" \ - "= true;' is deprecated and will be removed in a future release." \ - "Use 'autoPatchelfIgnoreMissingDeps = [ \"*\" ];' instead." >&2 - ignoreMissingDepsArray=( "*" ) + if [ -n "$__structuredAttrs" ]; then + local ignoreMissingDepsArray=( "${autoPatchelfIgnoreMissingDeps[@]}" ) + local appendRunpathsArray=( "${appendRunpaths[@]}" ) + local runtimeDependenciesArray=( "${runtimeDependencies[@]}" ) + local patchelfFlagsArray=( "${patchelfFlags[@]}" ) + else + readarray -td' ' ignoreMissingDepsArray < <(echo -n "$autoPatchelfIgnoreMissingDeps") + local appendRunpathsArray=($appendRunpaths) + local runtimeDependenciesArray=($runtimeDependencies) + local patchelfFlagsArray=($patchelfFlags) fi - local appendRunpathsArray=($appendRunpaths) - local runtimeDependenciesArray=($runtimeDependencies) - local patchelfFlagsArray=($patchelfFlags) + # Check if ignoreMissingDepsArray contains "1" and if so, replace it with + # "*", printing a deprecation warning. + for dep in "${ignoreMissingDepsArray[@]}"; do + if [ "$dep" == "1" ]; then + echo "autoPatchelf: WARNING: setting 'autoPatchelfIgnoreMissingDeps" \ + "= true;' is deprecated and will be removed in a future release." \ + "Use 'autoPatchelfIgnoreMissingDeps = [ \"*\" ];' instead." >&2 + ignoreMissingDepsArray=( "*" ) + break + fi + done + @pythonInterpreter@ @autoPatchelfScript@ \ ${norecurse:+--no-recurse} \ --ignore-missing "${ignoreMissingDepsArray[@]}" \ diff --git a/pkgs/by-name/al/alsa-ucm-conf/package.nix b/pkgs/by-name/al/alsa-ucm-conf/package.nix index b7203a7376387..cb3bf00a00380 100644 --- a/pkgs/by-name/al/alsa-ucm-conf/package.nix +++ b/pkgs/by-name/al/alsa-ucm-conf/package.nix 
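Review bot: The new loop `for dep in "${ignoreMissingDepsArray[@]}"; do` introduces `dep` without `local`, and in the non-structuredAttrs branch `ignoreMissingDepsArray` is filled by `readarray` with no `local` visible in this hunk, while the other arrays in both branches are declared `local`. This file sits under setup-hooks and is presumably sourced into the build shell, so both names would leak into the derivation's environment and could clobber a same-named variable. Declaring `local dep` before the loop and `local ignoreMissingDepsArray` before the `if` would confine them. autoPatchelf's body starts and ends outside the hunk.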
@@ -1,4 +1,4 @@ -{ lib, stdenv, fetchurl }: +{ lib, stdenv, fetchurl, fetchpatch }: stdenv.mkDerivation rec { pname = "alsa-ucm-conf"; @@ -9,6 +9,16 @@ stdenv.mkDerivation rec { hash = "sha256-nCHj8B/wC6p1jfF+hnzTbiTrtBpr7ElzfpkQXhbyrpc="; }; + patches = [ + (fetchpatch { + # ToDo: Remove this patch in the next package upgrade + # Fixes SplitPCM to make some audio devices work with alsa-ucm-conf v1.2.10 again + name = "alsa-ucm-conf-splitpcm-device-argument-fix.patch"; + url = "https://github.com/alsa-project/alsa-ucm-conf/commit/b68aa52acdd2763fedad5eec0f435fbf43e5ccc6.patch"; + hash = "sha256-8WE4+uhi4W7cCSZYmL7uFpcHJ9muX09UkGXyZIpEd9I="; + }) + ]; + dontBuild = true; installPhase = '' diff --git a/pkgs/by-name/ek/eksctl/package.nix b/pkgs/by-name/ek/eksctl/package.nix index 28ebab5239a64..bef986b3e04e4 100644 --- a/pkgs/by-name/ek/eksctl/package.nix +++ b/pkgs/by-name/ek/eksctl/package.nix @@ -6,16 +6,16 @@ buildGoModule rec { pname = "eksctl"; - version = "0.164.0"; + version = "0.169.0"; src = fetchFromGitHub { owner = "weaveworks"; repo = pname; rev = version; - hash = "sha256-ENlMcwk4bMbIzV353vt+EG776+/ajrg5la3JeA81QS4="; + hash = "sha256-WVYEjmuSTIe6LVeXJD7fu1TCrZfH4Cs1T/jfqKNJhM4="; }; - vendorHash = "sha256-NOhssVWEkvoXpmnsCVVT7Li0ePGWDSGIlB2MyFtMnpI="; + vendorHash = "sha256-cuLzn0OZ5VC+RWGsJ8DCdJN8wm0DrsjH55K/cnyuqB8="; doCheck = false; diff --git a/pkgs/data/misc/shared-mime-info/default.nix b/pkgs/data/misc/shared-mime-info/default.nix index 8de13f2eaf368..6bad73e683927 100644 --- a/pkgs/data/misc/shared-mime-info/default.nix +++ b/pkgs/data/misc/shared-mime-info/default.nix @@ -1,7 +1,6 @@ { stdenv , lib , fetchFromGitLab -, fetchpatch , meson , ninja , pkg-config @@ -14,7 +13,7 @@ stdenv.mkDerivation rec { pname = "shared-mime-info"; - version = "2.3"; + version = "2.4"; outputs = [ "out" "dev" ]; 
@@ -23,15 +22,9 @@ stdenv.mkDerivation rec { owner = "xdg"; repo = pname; rev = version; - sha256 = "sha256-cEfknRVtOJykEO9Iqlb0UoiayYtu+ugvmmZqAD5cGnE="; + hash = "sha256-5eyMkfSBUOD7p8woIYTgz5C/L8uQMXyr0fhL0l23VMA="; }; - patches = [ - # Submitted upstream at - # https://gitlab.freedesktop.org/xdg/shared-mime-info/-/issues/211 - ./fix-clang-warnings.patch - ]; - nativeBuildInputs = [ meson ninja diff --git a/pkgs/data/misc/shared-mime-info/fix-clang-warnings.patch b/pkgs/data/misc/shared-mime-info/fix-clang-warnings.patch deleted file mode 100644 index 2d185549c4e6b..0000000000000 --- a/pkgs/data/misc/shared-mime-info/fix-clang-warnings.patch +++ /dev/null @@ -1,31 +0,0 @@ -diff --git a/meson.build b/meson.build -index 1780c44..7998a51 100644 ---- a/meson.build -+++ b/meson.build -@@ -49,12 +49,7 @@ endif - ############################################################################### - # Dependencies - --check_functions = [ -- 'fdatasync', --] --foreach function : check_functions -- config.set('HAVE_'+function.to_upper(), cc.has_function(function)) --endforeach -+config.set('HAVE_FDATASYNC', cc.has_function('fdatasync', prefix: '#include <unistd.h>')) - - - if get_option('build-translations') -diff --git a/src/update-mime-database.cpp b/src/update-mime-database.cpp -index 733ba06..4ca6d06 100644 ---- a/src/update-mime-database.cpp -+++ b/src/update-mime-database.cpp -@@ -2158,7 +2158,7 @@ static void check_in_path_xdg_data(const char *mime_path) - - env = getenv("XDG_DATA_DIRS"); - if (!env) -- env = "/usr/local/share/"PATH_SEPARATOR"/usr/share/"; -+ env = "/usr/local/share/" PATH_SEPARATOR "/usr/share/"; - dirs = g_strsplit(env, PATH_SEPARATOR, 0); - g_return_if_fail(dirs != NULL); - for (n = 0; dirs[n]; n++) diff --git a/pkgs/development/compilers/llvm/15/libcxx/default.nix b/pkgs/development/compilers/llvm/15/libcxx/default.nix index ed5f48e8c38fe..be56770039d80 100644 --- a/pkgs/development/compilers/llvm/15/libcxx/default.nix 
+++ b/pkgs/development/compilers/llvm/15/libcxx/default.nix @@ -56,6 +56,14 @@ stdenv.mkDerivation rec { hash = "sha256-AaM9A6tQ4YAw7uDqCIV4VaiUyLZv+unwcOqbakwW9/k="; relative = "libcxx"; }) + # fix for https://github.com/NixOS/nixpkgs/issues/269548 + # https://github.com/llvm/llvm-project/pull/77218 + (fetchpatch { + name = "darwin-system-libcxxabi-link-flags.patch"; + url = "https://github.com/llvm/llvm-project/commit/c5b89b29ee6e3c444a355fd1cf733ce7ab2e316a.patch"; + hash = "sha256-LNoPg1KCoP8RWxU/AzHR52f4Dww24I9BGQJedMhFxyQ="; + relative = "libcxx"; + }) ] ++ lib.optionals stdenv.hostPlatform.isMusl [ ../../libcxx-0001-musl-hacks.patch ]; diff --git a/pkgs/development/compilers/llvm/16/libcxx/default.nix b/pkgs/development/compilers/llvm/16/libcxx/default.nix index 78cd632024cda..d6c8c57c17437 100644 --- a/pkgs/development/compilers/llvm/16/libcxx/default.nix +++ b/pkgs/development/compilers/llvm/16/libcxx/default.nix @@ -1,5 +1,5 @@ { lib, stdenv, llvm_meta -, monorepoSrc, runCommand +, monorepoSrc, runCommand, fetchpatch , cmake, ninja, python3, fixDarwinDylibNames, version , cxxabi ? if stdenv.hostPlatform.isFreeBSD then libcxxrt else libcxxabi , libcxxabi, libcxxrt, libunwind @@ -47,6 +47,14 @@ stdenv.mkDerivation rec { patches = [ ./gnu-install-dirs.patch + # fix for https://github.com/NixOS/nixpkgs/issues/269548 + # https://github.com/llvm/llvm-project/pull/77218 + (fetchpatch { + name = "darwin-system-libcxxabi-link-flags.patch"; + url = "https://github.com/llvm/llvm-project/commit/c5b89b29ee6e3c444a355fd1cf733ce7ab2e316a.patch"; + hash = "sha256-LNoPg1KCoP8RWxU/AzHR52f4Dww24I9BGQJedMhFxyQ="; + relative = "libcxx"; + }) ]; postPatch = '' diff --git a/pkgs/development/compilers/llvm/17/libcxx/default.nix b/pkgs/development/compilers/llvm/17/libcxx/default.nix index 7b99966416638..8a5272ea07af0 100644 --- a/pkgs/development/compilers/llvm/17/libcxx/default.nix +++ b/pkgs/development/compilers/llvm/17/libcxx/default.nix 
@@ -1,5 +1,5 @@ { lib, stdenv, llvm_meta -, monorepoSrc, runCommand +, monorepoSrc, runCommand, fetchpatch , cmake, ninja, python3, fixDarwinDylibNames, version , cxxabi ? if stdenv.hostPlatform.isFreeBSD then libcxxrt else libcxxabi , libcxxabi, libcxxrt, libunwind @@ -45,6 +45,17 @@ stdenv.mkDerivation rec { chmod -R u+w . ''; + patches = [ + # fix for https://github.com/NixOS/nixpkgs/issues/269548 + # https://github.com/llvm/llvm-project/pull/77218 + (fetchpatch { + name = "darwin-system-libcxxabi-link-flags.patch"; + url = "https://github.com/llvm/llvm-project/commit/c5b89b29ee6e3c444a355fd1cf733ce7ab2e316a.patch"; + hash = "sha256-LNoPg1KCoP8RWxU/AzHR52f4Dww24I9BGQJedMhFxyQ="; + relative = "libcxx"; + }) + ]; + postPatch = '' cd ../runtimes ''; diff --git a/pkgs/development/compilers/llvm/git/libcxx/default.nix b/pkgs/development/compilers/llvm/git/libcxx/default.nix index 7b99966416638..8a5272ea07af0 100644 --- a/pkgs/development/compilers/llvm/git/libcxx/default.nix +++ b/pkgs/development/compilers/llvm/git/libcxx/default.nix @@ -1,5 +1,5 @@ { lib, stdenv, llvm_meta -, monorepoSrc, runCommand +, monorepoSrc, runCommand, fetchpatch , cmake, ninja, python3, fixDarwinDylibNames, version , cxxabi ? if stdenv.hostPlatform.isFreeBSD then libcxxrt else libcxxabi , libcxxabi, libcxxrt, libunwind @@ -45,6 +45,17 @@ stdenv.mkDerivation rec { chmod -R u+w . ''; + patches = [ + # fix for https://github.com/NixOS/nixpkgs/issues/269548 + # https://github.com/llvm/llvm-project/pull/77218 + (fetchpatch { + name = "darwin-system-libcxxabi-link-flags.patch"; + url = "https://github.com/llvm/llvm-project/commit/c5b89b29ee6e3c444a355fd1cf733ce7ab2e316a.patch"; + hash = "sha256-LNoPg1KCoP8RWxU/AzHR52f4Dww24I9BGQJedMhFxyQ="; + relative = "libcxx"; + }) + ]; + postPatch = '' cd ../runtimes ''; diff --git a/pkgs/development/libraries/gnutls/default.nix b/pkgs/development/libraries/gnutls/default.nix index bbbdf19a19095..b8c95653e366b 100644 
--- a/pkgs/development/libraries/gnutls/default.nix +++ b/pkgs/development/libraries/gnutls/default.nix @@ -35,11 +35,11 @@ in stdenv.mkDerivation rec { pname = "gnutls"; - version = "3.8.2"; + version = "3.8.3"; src = fetchurl { url = "mirror://gnupg/gnutls/v${lib.versions.majorMinor version}/gnutls-${version}.tar.xz"; - hash = "sha256-52XlAW/6m53SQ+NjoEYNV3B0RE7iSRJn2y6WycKt73c="; + hash = "sha256-90/FlUsn1Oxt+7Ed6ph4iLWxJCiaNwOvytoO5SD0Fz4="; }; outputs = [ "bin" "dev" "out" "man" "devdoc" ]; diff --git a/pkgs/development/libraries/gtk/3.x.nix b/pkgs/development/libraries/gtk/3.x.nix index 27afba7833e8a..c244414c55087 100644 --- a/pkgs/development/libraries/gtk/3.x.nix +++ b/pkgs/development/libraries/gtk/3.x.nix @@ -64,7 +64,7 @@ in stdenv.mkDerivation (finalAttrs: { pname = "gtk+3"; - version = "3.24.38"; + version = "3.24.39"; outputs = [ "out" "dev" ] ++ lib.optional withIntrospection "devdoc"; outputBin = "dev"; @@ -78,7 +78,7 @@ stdenv.mkDerivation (finalAttrs: { inherit (finalAttrs) version; in fetchurl { url = "mirror://gnome/sources/gtk+/${lib.versions.majorMinor version}/gtk+-${version}.tar.xz"; - sha256 = "sha256-zhHezwGLJb3YUFVEpPhyQoVOyIvgVNmt5fOiBETdjuc="; + sha256 = "sha256-HKw+VmubLzZTpFjAjC3N/cqfkIA3rAPJ2FZLQpV3jXk="; }; patches = [ diff --git a/pkgs/development/libraries/libdrm/default.nix b/pkgs/development/libraries/libdrm/default.nix index 63a8522bd073c..a7ead8f227472 100644 --- a/pkgs/development/libraries/libdrm/default.nix +++ b/pkgs/development/libraries/libdrm/default.nix @@ -6,11 +6,11 @@ stdenv.mkDerivation rec { pname = "libdrm"; - version = "2.4.117"; + version = "2.4.118"; src = fetchurl { url = "https://dri.freedesktop.org/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-ooiNaePrHIp3rcCKdaYPuuAfDSCNJvA00aEuNiNhJCs="; + hash = "sha256-p3e9hfK1/JxX+IbIIFgwBXgxfK/bx30Kdp1+mpVnq4g="; }; outputs = [ "out" "dev" "bin" ]; 
diff --git a/pkgs/development/libraries/libzip/default.nix b/pkgs/development/libraries/libzip/default.nix index 14e2f44808242..b343184760330 100644 --- a/pkgs/development/libraries/libzip/default.nix +++ b/pkgs/development/libraries/libzip/default.nix @@ -1,5 +1,6 @@ { lib, stdenv , cmake +, fetchpatch2 , fetchurl , perl , zlib @@ -24,6 +25,15 @@ stdenv.mkDerivation (finalAttrs: { sha256 = "sha256-lmmuXf46xbOJdTbchGaodMjPLA47H90I11snOIQpk2M="; }; + patches = [ + # https://github.com/nih-at/libzip/issues/404 + (fetchpatch2 { + name = "Check-for-zstd_TARGET-before-using-it-in-a-regex.patch"; + url = "https://github.com/nih-at/libzip/commit/c719428916b4d19e838f873b1a177b126a080d61.patch"; + hash = "sha256-4ksbXEM8kNvs3wtbIaXLEQNSKaxl0es/sIg0EINaTHE="; + }) + ]; + outputs = [ "out" "dev" "man" ]; nativeBuildInputs = [ cmake perl groff ]; diff --git a/pkgs/development/libraries/pipewire/default.nix b/pkgs/development/libraries/pipewire/default.nix index fa5cb97b214fa..0d1e3b03a09a8 100644 --- a/pkgs/development/libraries/pipewire/default.nix +++ b/pkgs/development/libraries/pipewire/default.nix @@ -81,7 +81,7 @@ let self = stdenv.mkDerivation rec { pname = "pipewire"; - version = "1.0.0"; + version = "1.0.1"; outputs = [ "out" @@ -97,7 +97,7 @@ let owner = "pipewire"; repo = "pipewire"; rev = version; - sha256 = "sha256-mfnMluxJAxDbB6JlIM6HJ0zg7e1q3ia3uFbht6zeHCk="; + sha256 = "sha256-rvf0sZRgDDLcqroLg7hcMUqXD/4JT+3lBRX6/m+3Ry8="; }; patches = [ diff --git a/pkgs/development/libraries/readline/8.2.nix b/pkgs/development/libraries/readline/8.2.nix index 274938145ccd8..72e3370576e72 100644 --- a/pkgs/development/libraries/readline/8.2.nix +++ b/pkgs/development/libraries/readline/8.2.nix 
@@ -54,9 +54,9 @@ stdenv.mkDerivation rec { }) (fetchpatch { name = "0003-fd_set.patch"; - url = "https://github.com/msys2/MINGW-packages/raw/90e7536e3b9c3af55c336d929cfcc32468b2f135/mingw-w64-readline/0003-fd_set.patch"; + url = "https://github.com/msys2/MINGW-packages/raw/35830ab27e5ed35c2a8d486961ab607109f5af50/mingw-w64-readline/0003-fd_set.patch"; stripLen = 1; - hash = "sha256-MlsX5JYp1PHD25uuVnDKJWEquegUN3dkj9fhjQX51/M="; + hash = "sha256-UiaXZRPjKecpSaflBMCphI2kqOlcz1JkymlCrtpMng4="; }) (fetchpatch { name = "0004-locale.patch"; diff --git a/pkgs/development/libraries/readline/readline-8.2-patches.nix b/pkgs/development/libraries/readline/readline-8.2-patches.nix index 48d2bd14badb0..bc075df237c7b 100644 --- a/pkgs/development/libraries/readline/readline-8.2-patches.nix +++ b/pkgs/development/libraries/readline/readline-8.2-patches.nix @@ -2,4 +2,10 @@ patch: [ (patch "001" "1xxgfgr6hn3ads8m8xsrdi1kbx1f3s69k0danpd9x4haqhg7zydv") +(patch "002" "0ly0siy6qy3l7hv12847adpfa34yq1w4qz9qkw6vrxv25j106rg0") +(patch "003" "1c5cwvvkx9mfmpaapymq9cavmzh4fnagkjlchsqx4vml8sx8gx94") +(patch "004" "1b15sndx9v5vj3x1f3h73099nlagknx4rbfpd5ldrbw2xgm2wmvr") +(patch "005" "16ac25jz1a1mgkpfp1sydqf6qpsfh0s0dcmrnjpqbhg5va3s6av2") +(patch "006" "18gmh6y3klh0vv28cyqz4is3rlb32pl7f1kf5r482kfjq3w5zd67") +(patch "007" "1xmnpahs983n4w0gn3j0wr8nh1dpva33yj7fvfmhm46ph2wsa4ar") ] diff --git a/pkgs/development/python-modules/fonttools/default.nix b/pkgs/development/python-modules/fonttools/default.nix index 3c167debba37c..07f60371d96b9 100644 --- a/pkgs/development/python-modules/fonttools/default.nix +++ b/pkgs/development/python-modules/fonttools/default.nix @@ -4,6 +4,7 @@ , pythonOlder , isPyPy , fetchFromGitHub +, fetchpatch , setuptools-scm , fs , lxml 
@@ -36,6 +37,14 @@ buildPythonPackage rec { hash = "sha256-fcFFJi9Hr0m74LwFIhhhm/bMfxepAvg4/ymU53MmsPg="; }; + patches = [ + (fetchpatch { + name = "CVE-2023-45139.patch"; + url = "https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c.patch"; + hash = "sha256-29OB21B8S4hGZlvNJnOTYTFAmEii+z5oK6tycoK3PXc="; + }) + ]; + nativeBuildInputs = [ setuptools-scm ]; passthru.optional-dependencies = let diff --git a/pkgs/development/python-modules/jinja2/default.nix b/pkgs/development/python-modules/jinja2/default.nix index 1fb7b26db5b3b..e3328c7d766fb 100644 --- a/pkgs/development/python-modules/jinja2/default.nix +++ b/pkgs/development/python-modules/jinja2/default.nix @@ -15,14 +15,14 @@ buildPythonPackage rec { pname = "Jinja2"; - version = "3.1.2"; + version = "3.1.3"; outputs = [ "out" ] ++ lib.optional enableDocumentation "doc"; disabled = pythonOlder "3.7"; src = fetchPypi { inherit pname version; - hash = "sha256-MTUacCpAip51laj8YVD8P0O7a/fjGXcMvA2535Q36FI="; + hash = "sha256-rIvWVE1Lssl5K/OhWegLuo/afwfoG8Ou1WVDLVklupA="; }; patches = lib.optionals enableDocumentation [ ./patches/import-order.patch ]; diff --git a/pkgs/development/python-modules/jq/default.nix b/pkgs/development/python-modules/jq/default.nix index d7dc37b068528..5b369d513cb13 100644 --- a/pkgs/development/python-modules/jq/default.nix +++ b/pkgs/development/python-modules/jq/default.nix @@ -2,15 +2,15 @@ , buildPythonPackage , cython , fetchFromGitHub -, fetchpatch , jq +, oniguruma , pytestCheckHook , pythonOlder }: buildPythonPackage rec { pname = "jq"; - version = "1.5.0"; + version = "1.6.0"; format = "setuptools"; disabled = pythonOlder "3.7"; 
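Review bot: The `CVE-2023-45139.patch` entry added to fonttools/default.nix carries no comment on what it backports or when it can be dropped. The hunk does not touch `version`, so the package name keeps advertising a release that is vulnerable upstream while the build is patched. A line above the `fetchpatch` call would record that for the next update, for example `# Backport of the upstream fix for CVE-2023-45139; drop when version >= <first-fixed-release>`. Whether the check phase covers the patched code path cannot be seen from this hunk.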
@@ -19,18 +19,10 @@ buildPythonPackage rec { owner = "mwilliamson"; repo = "jq.py"; rev = "refs/tags/${version}"; - hash = "sha256-mITk5y2AdUc9kZ/WrsnHxS1GRRmO4FDbPRgTtV2gIXI="; + hash = "sha256-c6tJI/mPlBGIYTk5ObIQ1CUTq73HouQ2quMZVWG8FFg="; }; - patches = [ - # Removes vendoring - ./jq-py-setup.patch - (fetchpatch { - url = "https://github.com/mwilliamson/jq.py/commit/805705dde4beb9db9a1743663d415198fb02eb1a.patch"; - includes = [ "tests/*" ]; - hash = "sha256-AgdpwmtOTeJ4nSbM6IknKaIVqqtWkpxTTtblXjlbWeA="; - }) - ]; + env.JQPY_USE_SYSTEM_LIBS = 1; nativeBuildInputs = [ cython @@ -38,6 +30,7 @@ buildPythonPackage rec { buildInputs = [ jq + oniguruma ]; preBuild = '' @@ -48,6 +41,11 @@ buildPythonPackage rec { pytestCheckHook ]; + disabledTests = [ + # intentional behavior change in jq 1.7.1 not reflected upstream + "test_given_json_text_then_strings_containing_null_characters_are_preserved" + ]; + pythonImportsCheck = [ "jq" ]; diff --git a/pkgs/development/tools/misc/strace/default.nix b/pkgs/development/tools/misc/strace/default.nix index 591eaeaa1ae2e..d851aa217b5f8 100644 --- a/pkgs/development/tools/misc/strace/default.nix +++ b/pkgs/development/tools/misc/strace/default.nix @@ -1,12 +1,12 @@ -{ lib, stdenv, fetchurl, perl, libunwind, buildPackages, gitUpdater }: +{ lib, stdenv, fetchurl, perl, libunwind, buildPackages, gitUpdater, elfutils }: stdenv.mkDerivation rec { pname = "strace"; - version = "6.6"; + version = "6.7"; src = fetchurl { url = "https://strace.io/files/${version}/${pname}-${version}.tar.xz"; - sha256 = "sha256-QhtBhsBrcFFj5k3IXycevc9nZgr4ZnKDFH1ehZ/IqWw="; + sha256 = "sha256-IJAgHho/8yhG9P5CHBFjsV9EC7OOMTVdCfgtOUmSKvc="; }; depsBuildBuild = [ buildPackages.stdenv.cc ]; 
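Review bot: `env.JQPY_USE_SYSTEM_LIBS = 1;` in python-modules/jq/default.nix replaces the local patch that removed vendoring, but nothing in the derivation verifies that the flag took effect. If upstream renames or stops honouring the variable, the build could fall back to the jq and oniguruma sources bundled with jq.py, which would not pick up nixpkgs security updates. That fallback is inferred, since setup.py is not shown here. A comment such as `# build against nixpkgs' jq and oniguruma instead of the copies bundled with jq.py` would record the intent. A post-install check that the extension module links against the system libjq would turn a silent fallback into a build failure.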
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec { # On RISC-V platforms, LLVM's libunwind implementation is unsupported by strace. # The build will silently fall back and -k will not work on RISC-V. - buildInputs = [ libunwind ]; # support -k + buildInputs = [ libunwind elfutils ]; # support -k and -kk configureFlags = [ "--enable-mpers=check" ]; diff --git a/pkgs/os-specific/linux/bluez/default.nix b/pkgs/os-specific/linux/bluez/default.nix index af3e4391f75db..d864f30096d7c 100644 --- a/pkgs/os-specific/linux/bluez/default.nix +++ b/pkgs/os-specific/linux/bluez/default.nix @@ -36,6 +36,12 @@ in stdenv.mkDerivation rec { url = "https://git.alpinelinux.org/aports/plain/main/bluez/max-input.patch?id=32b31b484cb13009bd8081c4106e4cf064ec2f1f"; sha256 = "sha256-SczbXtsxBkCO+izH8XOBcrJEO2f7MdtYVT3+2fCV8wU="; }) + # Fix device pairing regression + # FIXME: remove in next release + (fetchpatch { + url = "https://github.com/bluez/bluez/commit/3a9c637010f8dc1ba3e8382abe01065761d4f5bb.patch"; + hash = "sha256-UUmYMHnxYrw663nEEC2mv3zj5e0omkLNejmmPUtgS3c="; + }) # CVE-2023-45866 / https://github.com/skysafe/reblog/tree/main/cve-2023-45866 (fetchpatch { name = "CVE-2023-45866.patch"; diff --git a/pkgs/os-specific/linux/kernel/kernels-org.json b/pkgs/os-specific/linux/kernel/kernels-org.json index e7b7317442dc2..4df17a1a0e3e6 100644 --- a/pkgs/os-specific/linux/kernel/kernels-org.json +++ b/pkgs/os-specific/linux/kernel/kernels-org.json @@ -8,8 +8,8 @@ "hash": "sha256:1dfbbydmayfj9npx3z0g38p574pmcx3qgs49dv0npigl48wd9yvq" }, "6.1": { - "version": "6.1.75", - "hash": "sha256:0mis14ll6xmhw71vfpw1aahi5z207qysha7x316fq4qc6c899lbc" + "version": "6.1.76", + "hash": "sha256:1zdi4xbk7zyiab7x8z12xqg72zaw3j61slvrbwjfx6pzh47cr005" }, "5.15": { "version": "5.15.148", 
@@ -28,11 +28,11 @@ "hash": "sha256:06dy270xw4frnrc9p2qjh8chgp02fr5ll5g2b0lx9xqzlq7y86xr" }, "6.6": { - "version": "6.6.14", - "hash": "sha256:110mz8fjlg1j9wnhhq2ik5alayhf61adajd8jqmcsqprncnnpsgv" + "version": "6.6.15", + "hash": "sha256:1ajzby6isqji1xlp660m4qj2i2xs003vsjp1jspziwl7hrzhqadb" }, "6.7": { - "version": "6.7.2", - "hash": "sha256:0wd6pxh7wy9bzjzwd0rdsdnghpr53qbs722fhg07bi19m8dy8kf3" + "version": "6.7.3", + "hash": "sha256:0i1bfkawyp917d9v3qa5nqzspzr3ixx7scbfl8x4lms74xjqrw5p" } } diff --git a/pkgs/os-specific/linux/kernel/linux-libre.nix b/pkgs/os-specific/linux/kernel/linux-libre.nix index aba6462451a9e..e4716dfa6d96f 100644 --- a/pkgs/os-specific/linux/kernel/linux-libre.nix +++ b/pkgs/os-specific/linux/kernel/linux-libre.nix @@ -1,8 +1,8 @@ { stdenv, lib, fetchsvn, linux , scripts ? fetchsvn { url = "https://www.fsfla.org/svn/fsfla/software/linux-libre/releases/branches/"; - rev = "19482"; - sha256 = "0y9w9jwlhxv88mjr67g64wgypjf3ikc6c5gr8wrvxiawi24kdhca"; + rev = "19489"; + sha256 = "1adnk4710iyq87bj48bfxzmzhv5hk0x3fmyz6ydk5af364fl87mk"; } , ... }: diff --git a/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix b/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix index 9b70c577b4e60..bf8148c35c11c 100644 --- a/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix +++ b/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix @@ -6,7 +6,7 @@ , ... } @ args: let - version = "6.1.73-rt22"; # updated by ./update-rt.sh + version = "6.1.75-rt23"; # updated by ./update-rt.sh branch = lib.versions.majorMinor version; kversion = builtins.elemAt (lib.splitString "-" version) 0; in buildLinux (args // { 
@@ -18,14 +18,14 @@ in buildLinux (args // { src = fetchurl { url = "mirror://kernel/linux/kernel/v6.x/linux-${kversion}.tar.xz"; - sha256 = "11vyblm4nkjncdi3akcyizw7jkyxsqn2mjixc51f7kgiddq4ibbc"; + sha256 = "0mis14ll6xmhw71vfpw1aahi5z207qysha7x316fq4qc6c899lbc"; }; kernelPatches = let rt-patch = { name = "rt"; patch = fetchurl { url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz"; - sha256 = "1hl7y2sab21l81nl165b77jhfjhpcc1gvz64fs2yjjp4q2qih4b0"; + sha256 = "0y88g4acq9vcxb169zficcih1dgq7ssl6v3f9740jr6r4l9ycv1x"; }; }; in [ rt-patch ] ++ kernelPatches; diff --git a/pkgs/servers/nextcloud/default.nix b/pkgs/servers/nextcloud/default.nix index bdf166399007d..dc5ce1cee348b 100644 --- a/pkgs/servers/nextcloud/default.nix +++ b/pkgs/servers/nextcloud/default.nix @@ -67,8 +67,8 @@ in { }; nextcloud28 = generic { - version = "28.0.1"; - hash = "sha256-L4BzW0Qwgicv5qO14yE3lX8fxEjHU0K5S1IAspcl86Q="; + version = "28.0.2"; + hash = "sha256-3jTWuvPszqz90TjoVSDNheHSzmeY2f+keKwX6x76HQg="; packages = nextcloud28Packages; }; diff --git a/pkgs/servers/nosql/aerospike/default.nix b/pkgs/servers/nosql/aerospike/default.nix index 9c0d034d7b3af..301cb7de1aac8 100644 --- a/pkgs/servers/nosql/aerospike/default.nix +++ b/pkgs/servers/nosql/aerospike/default.nix 
@@ -1,32 +1,30 @@ -{ lib, stdenv, fetchFromGitHub, autoconf, automake, libtool, openssl, zlib }: +{ lib, stdenv, fetchFromGitHub, autoconf, automake, cmake, libtool, openssl, zlib }: stdenv.mkDerivation rec { pname = "aerospike-server"; - version = "4.2.0.4"; + version = "7.0.0.3"; src = fetchFromGitHub { owner = "aerospike"; repo = "aerospike-server"; rev = version; - sha256 = "1vqi3xir4l57v62q1ns3713vajxffs6crss8fpvbcs57p7ygx3s7"; + hash = "sha256-qyVfoOnWIUY1np58HtpVrKNsgiXlvdgffyMGjk+G5qI="; fetchSubmodules = true; }; - nativeBuildInputs = [ autoconf automake libtool ]; + nativeBuildInputs = [ autoconf automake cmake libtool ]; buildInputs = [ openssl zlib ]; + dontUseCmakeConfigure = true; + preBuild = '' patchShebangs build/gen_version substituteInPlace build/gen_version --replace 'git describe' 'echo ${version}' - - # drop blanket -Werror - substituteInPlace make_in/Makefile.in --replace '-Werror' "" ''; installPhase = '' - mkdir -p $out/bin $out/share/udf - cp target/Linux-x86_64/bin/asd $out/bin/asd - cp -dpR modules/lua-core/src $out/share/udf/lua + mkdir -p $out/bin + cp target/Linux-x86_64/bin/asd $out/bin/asd ''; meta = with lib; { @@ -35,6 +33,5 @@ stdenv.mkDerivation rec { license = licenses.agpl3; platforms = [ "x86_64-linux" ]; maintainers = with maintainers; [ kalbasit ]; - knownVulnerabilities = [ "CVE-2020-13151" ]; }; } diff --git a/pkgs/servers/nosql/redis/default.nix b/pkgs/servers/nosql/redis/default.nix index c3ac0ebbf969b..8fd23ae186c48 100644 --- a/pkgs/servers/nosql/redis/default.nix +++ b/pkgs/servers/nosql/redis/default.nix @@ -12,11 +12,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "redis"; - version = "7.2.3"; + version = "7.2.4"; src = fetchurl { url = "https://download.redis.io/releases/redis-${finalAttrs.version}.tar.gz"; - hash = "sha256-PisZbW603bnnQwiL/CkVzLtC1A9aij7djLaccW7DS+c="; + hash = "sha256-jRBMJqFUsp/WfWVotPN1ISISrUHgwsqj1mSA5429O1k="; }; patches = lib.optionals useSystemJemalloc [ 
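Review bot: In the first aerospike hunk, `cmake` is added to `nativeBuildInputs` together with `dontUseCmakeConfigure = true;`, and nothing explains why. Without a comment the pair reads as a mistake, and a later cleanup could remove one half. If the reason is that the Makefile calls cmake for a bundled submodule, say so above the attribute: `# cmake is only invoked by the Makefile for bundled submodules; the top-level build is plain make`. The same hunk also stops installing `modules/lua-core/src`, which deserves a mention in the commit message if intentional.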
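Review bot: The second aerospike hunk removes `knownVulnerabilities = [ "CVE-2020-13151" ]` without recording why that is now safe. The jump from 4.2.0.4 to 7.0.0.3 presumably moves past the fixed release, but that should be confirmed against the advisory rather than assumed from the size of the bump. Put the justification in the commit message or in a short comment in `meta`, for example `# CVE-2020-13151 is fixed upstream as of <fixed-version>`. That way a reviewer can see the marker was dropped deliberately.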
diff --git a/pkgs/test/auto-patchelf-hook/default.nix b/pkgs/test/auto-patchelf-hook/default.nix new file mode 100644 index 0000000000000..6e05e729fba84 --- /dev/null +++ b/pkgs/test/auto-patchelf-hook/default.nix @@ -0,0 +1,6 @@ +{ lib, callPackage }: + +lib.recurseIntoAttrs { + withStructuredAttrs = callPackage ./package.nix { __structuredAttrs = true; }; + withoutStructuredAttrs = callPackage ./package.nix { __structuredAttrs = false; }; +} diff --git a/pkgs/test/auto-patchelf-hook/package.nix b/pkgs/test/auto-patchelf-hook/package.nix new file mode 100644 index 0000000000000..be03ee68c0391 --- /dev/null +++ b/pkgs/test/auto-patchelf-hook/package.nix 
@@ -0,0 +1,96 @@ +# This is a test for autoPatchelfHook. To test it, we just need a simple binary +# which uses the hook. We took the derivation from tonelib-jam, which sounds +# like a good candidate with a small closure, and trimmed it down. + +{ stdenv +, lib +, fetchurl +, autoPatchelfHook +, dpkg +, freetype +, curl +# This test checks that the behavior of autoPatchelfHook is correct whether +# __structuredAttrs +# (https://nixos.org/manual/nix/stable/language/advanced-attributes#adv-attr-structuredAttrs) +# is set or not. Hence __structuredAttrs is provided as a parameter. +, __structuredAttrs +}: + +let runtimeDependencies = [ + (lib.getLib curl) + "/some/dep" + "/some/other/dep" +] +# A dependency with space only works with __structuredAttrs set to true. +++ lib.lists.optional __structuredAttrs "/some/dep with space"; +in + +stdenv.mkDerivation { + name = "auto-patchelf-test"; + + src = fetchurl { + url = "https://tonelib.net/download/221222/ToneLib-Jam-amd64.deb"; + sha256 = "sha256-c6At2lRPngQPpE7O+VY/Hsfw+QfIb3COIuHfbqqIEuM="; + }; + + unpackCmd = '' + dpkg -x $curSrc source + ''; + + nativeBuildInputs = [ + dpkg + autoPatchelfHook + ]; + + installPhase = '' + mv usr $out + ''; + + buildInputs = [ + freetype + ]; + + autoPatchelfIgnoreMissingDeps = [ + "libGL.so.1" + "libasound.so.2" + ]; + + inherit runtimeDependencies; + + # Additional phase performing the actual test. + installCheckPhase = + let allDeps = runtimeDependencies ++ [ (lib.getLib freetype) ]; + in + '' + local binary="$out/bin/ToneLib-Jam" + local interpreter=$(patchelf --print-interpreter $binary) + local runpath=$(patchelf --print-rpath $binary) + local glibcStorePath="${stdenv.cc.libc}" + + # Check that the glibc path is a prefix of the interpreter. If + # autoPatchelfHook ran correctly, the binary should have set the interpreter + # to point to the store. 
+ echo "[auto-patchelf-hook-test]: Check that the interpreter is in the store" + test "''${interpreter#$glibcStorePath}" != "$interpreter" + + readarray -td':' runpathArray < <(echo -n "$runpath") + + echo "[auto-patchelf-hook-test]: Check that the runpath has the right number of entries" + test "''${#runpathArray[@]}" -eq ${builtins.toString (builtins.length allDeps)} + + echo "[auto-patchelf-hook-test]: Check that the runpath contains the expected runtime deps" + '' + + lib.strings.concatStringsSep "\n" + (lib.lists.imap0 + (i: path: + let iAsStr = builtins.toString i; in + '' + echo "[auto-patchelf-hook-test]: Check that entry ${iAsStr} is ${path}" + test "''${paths[${iAsStr}]}" = "$path" + '') + allDeps + ); + + doInstallCheck = true; + inherit __structuredAttrs; +} diff --git a/pkgs/test/default.nix b/pkgs/test/default.nix index 097749e218b4e..741cc562763e9 100644 --- a/pkgs/test/default.nix +++ b/pkgs/test/default.nix @@ -173,4 +173,6 @@ with pkgs; pkgs-lib = recurseIntoAttrs (import ../pkgs-lib/tests { inherit pkgs; }); nixpkgs-check-by-name = callPackage ./nixpkgs-check-by-name { }; + + auto-patchelf-hook = callPackage ./auto-patchelf-hook { }; } diff --git a/pkgs/tools/networking/sniffglue/default.nix b/pkgs/tools/networking/sniffglue/default.nix index fdedff083b1bc..be6a95f4e9286 100644 --- a/pkgs/tools/networking/sniffglue/default.nix +++ b/pkgs/tools/networking/sniffglue/default.nix @@ -2,16 +2,16 @@ rustPlatform.buildRustPackage rec { pname = "sniffglue"; - version = "0.15.0"; + version = "0.16.0"; src = fetchFromGitHub { owner = "kpcyrd"; repo = pname; rev = "v${version}"; - sha256 = "sha256-8SkwdPaKHf0ZE/MeM4yOe2CpQvZzIHf5d06iM7KPAT8="; + sha256 = "sha256-MOw0WBdpo6dYXsjbUrqoIJl/sjQ4wSAcm4dPxDgTYgY="; }; - cargoSha256 = "sha256-UGvFLW48sakNuV3eXBpCxaHOrveQPXkynOayMK6qs4g="; + cargoHash = "sha256-vnfviiXJ4L/j5M3N+LegOIvLuD6vYJB1QeBgZJVfDnI="; nativeBuildInputs = [ pkg-config ]; 
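Review bot: The per-entry runpath check generated in `installCheckPhase` of pkgs/test/auto-patchelf-hook/package.nix appears to pass vacuously. It indexes a shell array named `paths`, while `readarray` fills `runpathArray`, and it compares against the shell variable `$path` instead of the Nix binding `path`. Unless the build environment happens to define those names, both sides expand to the empty string and `test "" = ""` succeeds whatever the runpath holds. That leaves only the entry-count check to catch a wrong or missing runtime dependency. The generated line should read `test "''${runpathArray[${iAsStr}]}" = "${path}"`. This also assumes the hook emits entries in the same order as `allDeps`, which is worth confirming.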
diff --git a/pkgs/tools/package-management/nix/common.nix b/pkgs/tools/package-management/nix/common.nix index 7aa7b1cc1a1da..11fb90ee1a9f2 100644 --- a/pkgs/tools/package-management/nix/common.nix +++ b/pkgs/tools/package-management/nix/common.nix @@ -216,7 +216,7 @@ self = stdenv.mkDerivation { # Prevent crashes in libcurl due to invoking Objective-C `+initialize` methods after `fork`. # See http://sealiesoftware.com/blog/archive/2017/6/5/Objective-C_and_fork_in_macOS_1013.html. + lib.optionalString stdenv.isDarwin '' - export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=yes + export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES '' # See https://github.com/NixOS/nix/issues/5687 + lib.optionalString (atLeast25 && stdenv.isDarwin) '' |