diff options
-rw-r--r-- | nixos/modules/services/desktops/flatpak.nix | 1 | ||||
-rw-r--r-- | nixos/tests/installed-tests/flatpak.nix | 1 | ||||
-rw-r--r-- | pkgs/applications/virtualization/qemu/default.nix | 71 | ||||
-rw-r--r-- | pkgs/development/libraries/flatpak/default.nix | 4 | ||||
-rw-r--r-- | pkgs/development/libraries/flatpak/fix-test-paths.patch | 12 | ||||
-rw-r--r-- | pkgs/development/libraries/flatpak/unset-env-vars.patch | 8 | ||||
-rw-r--r-- | pkgs/development/libraries/xdg-desktop-portal/default.nix | 4 | ||||
-rw-r--r-- | pkgs/os-specific/linux/iwd/default.nix | 19 | ||||
-rw-r--r-- | pkgs/tools/security/tpm2-tools/default.nix | 12 | ||||
-rw-r--r-- | pkgs/top-level/ruby-packages.nix | 4 |
10 files changed, 113 insertions, 23 deletions
diff --git a/nixos/modules/services/desktops/flatpak.nix b/nixos/modules/services/desktops/flatpak.nix index d99faf381e019..4c26e6874023a 100644 --- a/nixos/modules/services/desktops/flatpak.nix +++ b/nixos/modules/services/desktops/flatpak.nix @@ -35,6 +35,7 @@ in { services.dbus.packages = [ pkgs.flatpak ]; systemd.packages = [ pkgs.flatpak ]; + systemd.tmpfiles.packages = [ pkgs.flatpak ]; environment.profiles = [ "$HOME/.local/share/flatpak/exports" diff --git a/nixos/tests/installed-tests/flatpak.nix b/nixos/tests/installed-tests/flatpak.nix index 9524d890c4025..fa191202f52d4 100644 --- a/nixos/tests/installed-tests/flatpak.nix +++ b/nixos/tests/installed-tests/flatpak.nix @@ -7,6 +7,7 @@ makeInstalledTest { testConfig = { xdg.portal.enable = true; xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ]; + xdg.portal.config.common.default = "gtk"; services.flatpak.enable = true; environment.systemPackages = with pkgs; [ gnupg ostree python3 ]; virtualisation.memorySize = 2047; diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix index 7645527b8d23c..90af7ec2d47f6 100644 --- a/pkgs/applications/virtualization/qemu/default.nix +++ b/pkgs/applications/virtualization/qemu/default.nix @@ -111,6 +111,77 @@ stdenv.mkDerivation (finalAttrs: { separateDebugInfo = !(stdenv.isAarch64 && stdenv.isLinux); patches = [ + (fetchpatch { + name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-1.patch"; + url = "https://gitlab.com/qemu-project/qemu/-/commit/eb546a3f49f45e6870ec91d792cd09f8a662c16e.patch"; + hash = "sha256-YJCyTH/dtE3j1UnFkXB3COCKLhyeZlnHI+NCYC++urM="; + }) + (fetchpatch { + name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-2.patch"; + url = "https://gitlab.com/qemu-project/qemu/-/commit/1b2a52712b249e14d246cd9c7db126088e6e64db.patch"; + hash = "sha256-N7rvrYZEAXL/f5LhKrPYhzoV6dLdUMolNMvmJTdkTVk="; + }) + (fetchpatch { + name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-3.patch"; + url = "https://gitlab.com/qemu-project/qemu/-/commit/fbeb0a160cbcc067c0e1f0d380cea4a31de213e3.patch"; + hash = "sha256-fgB7tS0+303mHPpvNzvZT7xib6yCcVzvnGccFJnCTaY="; + }) + (fetchpatch { + name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-4.patch"; + url = "https://gitlab.com/qemu-project/qemu/-/commit/4f01537ced3e787bd985b8f8de5869b92657160a.patch"; + hash = "sha256-ssp/MefVQMfHh2q2m/MRzyu57D3q/cCiabOtUT/BQ0k="; + }) + (fetchpatch { + name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-5.patch"; + url = "https://gitlab.com/qemu-project/qemu/-/commit/5d53ff200b5b0e02473b4f38bb6ea74e781115d9.patch"; + hash = "sha256-UzPONq9AcmdXK+c40eftJA7JRiNiprM4U9Na78fFp+8="; + }) + (fetchpatch { + name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-6.patch"; + url = "https://gitlab.com/qemu-project/qemu/-/commit/15b41461ea7386005194d79d0736f1975c6301d7.patch"; + hash = "sha256-dXBbWh0ep6+oEXE/i51m6r0iX19qISpmLy2Uw/rtR0I="; + }) + (fetchpatch { + name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-7.patch"; + url = "https://gitlab.com/qemu-project/qemu/-/commit/ab995895adcf30d0be416da281a0bcf3dd3f93a5.patch"; + hash = "sha256-74xgr+mZ/EPdv/919G/useydya58mHczca8AZkobg5Q="; + }) + (fetchpatch { + name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-8.patch"; + url = "https://gitlab.com/qemu-project/qemu/-/commit/6e7e387b7931d8f6451128ed06f8bca8ffa64fda.patch"; + hash = "sha256-nj12/4EzZnLfL6NjX2X0dnXa42ESmqVuk8NcU7gZtTQ="; + }) + (fetchpatch { + name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-9.patch"; + url = "https://gitlab.com/qemu-project/qemu/-/commit/1c5005c450928c77056621a561568cdea2ee24db.patch"; + hash = "sha256-sAaQwv/JY8IWhNQcvFMl0w4c1AqiVGuZJ/a0OLhFx2s="; + }) + (fetchpatch { + name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-10.patch"; + url = "https://gitlab.com/qemu-project/qemu/-/commit/516bdbc2341892fb3b3173ec393c6dfc9515608f.patch"; + hash = "sha256-VTD8QlqPUs+QZMBU9qisilpClYMvSJY9J0dsUFods5M="; + }) + (fetchpatch { + name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-11.patch"; + url = "https://gitlab.com/qemu-project/qemu/-/commit/4e6240e184cd6303b7275118c7d574c973a3be35.patch"; + hash = "sha256-NlgzWoWmik4aDGuYiZlvn28HL2ZhBcjv7TgC5Wo+Vrk="; + }) + (fetchpatch { + name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-12.patch"; + url = "https://gitlab.com/qemu-project/qemu/-/commit/9666bd2b7967182d7891e83187f41f0ae3c3cb05.patch"; + hash = "sha256-w+ZSXkME6wtsYlDE9ELHl6CjvkLjRtTuxqF15u5mQWU="; + }) + (fetchpatch { + name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-13.patch"; + url = "https://gitlab.com/qemu-project/qemu/-/commit/35a67d2aa8caf8eb0bee7d38515924c95417047e.patch"; + hash = "sha256-3kL8HMjTe3mbvb7K07zJOHbp676oBsynLi24k2N1iBY="; + }) + (fetchpatch { + name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-14.patch"; + url = "https://gitlab.com/qemu-project/qemu/-/commit/1cfe45956e03070f894e91b304e233b4d5b99719.patch"; + hash = "sha256-jnZ/kvKugCc5EjETuyXQ8v3zlpkay1J9BaopmlRIRgE="; + }) + ./fix-qemu-ga.patch # QEMU upstream does not demand compatibility to pre-10.13, so 9p-darwin diff --git a/pkgs/development/libraries/flatpak/default.nix b/pkgs/development/libraries/flatpak/default.nix index 0c44b99db8d9b..1d12d2fd835a7 100644 --- a/pkgs/development/libraries/flatpak/default.nix +++ b/pkgs/development/libraries/flatpak/default.nix @@ -54,14 +54,14 @@ stdenv.mkDerivation (finalAttrs: { pname = "flatpak"; - version = "1.14.4"; + version = "1.14.6"; # TODO: split out lib once we figure out what to do with triggerdir outputs = [ "out" "dev" "man" "doc" "devdoc" "installedTests" ]; src = fetchurl { url = "https://github.com/flatpak/flatpak/releases/download/${finalAttrs.version}/flatpak-${finalAttrs.version}.tar.xz"; - sha256 = "sha256-ijTb0LZ8Q051mLmOxpCVPQRvDbJuSArq+0bXKuxxZ5k="; # Taken from https://github.com/flatpak/flatpak/releases/ + sha256 = "sha256-U482ssb4xw7v0S0TrVsa2DCCAQaovTqfa45NnegeSUY="; # Taken from https://github.com/flatpak/flatpak/releases/ }; patches = [ diff --git a/pkgs/development/libraries/flatpak/fix-test-paths.patch b/pkgs/development/libraries/flatpak/fix-test-paths.patch index da14750090099..ebbcbde5e951f 100644 --- a/pkgs/development/libraries/flatpak/fix-test-paths.patch +++ b/pkgs/development/libraries/flatpak/fix-test-paths.patch @@ -63,7 +63,7 @@ index afa11a6b..5b12055f 100755 flatpak build-finish ${DIR} >&2 mkdir -p repos diff --git a/tests/make-test-runtime.sh b/tests/make-test-runtime.sh -index 4ba950df..fd50fab3 100755 +index 6345ff58..fd50fab3 100755 --- a/tests/make-test-runtime.sh +++ b/tests/make-test-runtime.sh @@ -28,9 +28,10 @@ EOF @@ -78,7 +78,7 @@ index 4ba950df..fd50fab3 100755 mkdir -p ${DIR}/usr/bin mkdir -p ${DIR}/usr/lib ln -s ../lib ${DIR}/usr/lib64 -@@ -40,40 +41,17 @@ if test -f /sbin/ldconfig.real; then +@@ -40,46 +41,17 @@ if test -f /sbin/ldconfig.real; then else cp "$(type -P ldconfig)" "${DIR}/usr/bin" fi @@ -89,6 +89,12 @@ index 4ba950df..fd50fab3 100755 - local f=$1 - shift - +- # Check if the program is installed +- if ! command -v "${f}" &> /dev/null; then +- echo "${f} not found" +- exit 1 +- fi +- - if grep -qFe "${f}" $BINS; then - # Already handled - return 0 @@ -129,7 +135,7 @@ index 4ba950df..fd50fab3 100755 done ln -s bash ${DIR}/usr/bin/sh -@@ -84,11 +62,13 @@ echo "Hello world, from a runtime$EXTRA" +@@ -90,11 +62,13 @@ echo "Hello world, from a runtime$EXTRA" EOF chmod a+x ${DIR}/usr/bin/runtime_hello.sh diff --git a/pkgs/development/libraries/flatpak/unset-env-vars.patch b/pkgs/development/libraries/flatpak/unset-env-vars.patch index fec0573ed9509..2a88d24f49166 100644 --- a/pkgs/development/libraries/flatpak/unset-env-vars.patch +++ b/pkgs/development/libraries/flatpak/unset-env-vars.patch @@ -1,11 +1,11 @@ diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index 8fa8c0e0..e1cdeba0 100644 +index 6f54a9d0..102d9b90 100644 --- a/common/flatpak-run.c +++ b/common/flatpak-run.c -@@ -1900,6 +1900,7 @@ static const ExportData default_exports[] = { - {"XKB_CONFIG_ROOT", NULL}, - {"GIO_EXTRA_MODULES", NULL}, +@@ -1902,6 +1902,7 @@ static const ExportData default_exports[] = { {"GDK_BACKEND", NULL}, + {"VK_DRIVER_FILES", NULL}, + {"VK_ICD_FILENAMES", NULL}, + {"GDK_PIXBUF_MODULE_FILE", NULL}, }; diff --git a/pkgs/development/libraries/xdg-desktop-portal/default.nix b/pkgs/development/libraries/xdg-desktop-portal/default.nix index 1c31a6daaac9b..1dc53d03bd04c 100644 --- a/pkgs/development/libraries/xdg-desktop-portal/default.nix +++ b/pkgs/development/libraries/xdg-desktop-portal/default.nix @@ -31,7 +31,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "xdg-desktop-portal"; - version = "1.18.1"; + version = "1.18.4"; outputs = [ "out" "installedTests" ]; @@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "flatpak"; repo = "xdg-desktop-portal"; rev = finalAttrs.version; - sha256 = "sha256-S4I578gX1ONbixWGcQLY3WqzACoVfAtLuOFBhh36hFY="; + hash = "sha256-o+aO7uGewDPrtgOgmp/CE2uiqiBLyo07pVCFrtlORFQ="; }; patches = [ diff --git a/pkgs/os-specific/linux/iwd/default.nix b/pkgs/os-specific/linux/iwd/default.nix index 1b983bb90e1e7..9394105efe652 100644 --- a/pkgs/os-specific/linux/iwd/default.nix +++ b/pkgs/os-specific/linux/iwd/default.nix @@ -1,5 +1,6 @@ { lib, stdenv , fetchgit +, fetchpatch , autoreconfHook , pkg-config , ell @@ -20,6 +21,24 @@ stdenv.mkDerivation rec { sha256 = "sha256-i+2R8smgLXooApj0Z5e03FybhYgw1X/kIsJkrDzW8y4="; }; + patches = [ + (fetchpatch { + name = "CVE-2023-52161.patch"; + url = "https://git.kernel.org/pub/scm/network/wireless/iwd.git/patch/?id=6415420f1c92012f64063c131480ffcef58e60ca"; + hash = "sha256-bN5mxdWDyKEC2IyyG2vlzTEAL57C4uC7GAJA3jSXJHg="; + }) + (fetchpatch { + name = "netdev-buffer-overflow-32-byte-ssid.patch"; + url = "https://git.kernel.org/pub/scm/network/wireless/iwd.git/patch/?id=8d68b33e763aced6d419df9f6534760d2c890279"; + hash = "sha256-BSduzwVUTEcqjVwD88qJYgItApcQZwU43u9gbNMDs8I="; + }) + (fetchpatch { + name = "erp-buffer-overflow-32-byte-ssid.patch"; + url = "https://git.kernel.org/pub/scm/network/wireless/iwd.git/patch/?id=bdaae53cf828a1f6ea7a7b57d7d6ebcc7b70ac43"; + hash = "sha256-K/Ib0azlZ0UlFqcqs+8dSfj0hh0j0dZYpfB9f6tEqc8="; + }) + ]; + outputs = [ "out" "man" "doc" ] ++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "test"; diff --git a/pkgs/tools/security/tpm2-tools/default.nix b/pkgs/tools/security/tpm2-tools/default.nix index d622ab5b93da6..18eedfb98f983 100644 --- a/pkgs/tools/security/tpm2-tools/default.nix +++ b/pkgs/tools/security/tpm2-tools/default.nix @@ -4,21 +4,13 @@ stdenv.mkDerivation rec { pname = "tpm2-tools"; - version = "5.6"; + version = "5.7"; src = fetchurl { url = "https://github.com/tpm2-software/${pname}/releases/download/${version}/${pname}-${version}.tar.gz"; - sha256 = "sha256-Usi8uq3KCCq/5et+5JZ9LWMthLFndnXy8HG20uwizsM="; + sha256 = "sha256-OBDTa1B5JW9PL3zlUuIiE9Q7EDHBMVON+KLbw8VwmDo="; }; - patches = [ - # https://github.com/tpm2-software/tpm2-tools/pull/3271 - (fetchpatch { - url = "https://github.com/tpm2-software/tpm2-tools/commit/b98be08f6f88b0cca9e0667760c4e1e5eb417fbd.patch"; - sha256 = "sha256-2sEam9i4gwscJhLwraX2EAjVM8Dh1vmNnG3zYsOF0fc="; - }) - ]; - nativeBuildInputs = [ pandoc pkg-config makeWrapper ]; buildInputs = [ curl openssl tpm2-tss libuuid diff --git a/pkgs/top-level/ruby-packages.nix b/pkgs/top-level/ruby-packages.nix index 54e70b1936de7..28e508b03005a 100644 --- a/pkgs/top-level/ruby-packages.nix +++ b/pkgs/top-level/ruby-packages.nix @@ -3987,10 +3987,10 @@ platforms = []; source = { remotes = ["https://rubygems.org"]; - sha256 = "013yrnwx1zhzhn1fnc19zck22a1qgimsaglp2iwgf5bz9l8h93js"; + sha256 = "1r0b8w58p7gy06wph1qdjv2p087hfnmhd9jk23vjdj803dn761am"; type = "gem"; }; - version = "0.9.34"; + version = "0.9.36"; }; zeitwerk = { groups = ["default"]; |