-rw-r--r--nixos/modules/services/desktops/flatpak.nix1
-rw-r--r--nixos/tests/installed-tests/flatpak.nix1
-rw-r--r--pkgs/applications/virtualization/qemu/default.nix71
-rw-r--r--pkgs/development/libraries/flatpak/default.nix4
-rw-r--r--pkgs/development/libraries/flatpak/fix-test-paths.patch12
-rw-r--r--pkgs/development/libraries/flatpak/unset-env-vars.patch8
-rw-r--r--pkgs/development/libraries/xdg-desktop-portal/default.nix4
-rw-r--r--pkgs/os-specific/linux/iwd/default.nix19
-rw-r--r--pkgs/tools/security/tpm2-tools/default.nix12
-rw-r--r--pkgs/top-level/ruby-packages.nix4
10 files changed, 113 insertions, 23 deletions
diff --git a/nixos/modules/services/desktops/flatpak.nix b/nixos/modules/services/desktops/flatpak.nix
index d99faf381e019..4c26e6874023a 100644
--- a/nixos/modules/services/desktops/flatpak.nix
+++ b/nixos/modules/services/desktops/flatpak.nix
@@ -35,6 +35,7 @@ in {
     services.dbus.packages = [ pkgs.flatpak ];
 
     systemd.packages = [ pkgs.flatpak ];
+    systemd.tmpfiles.packages = [ pkgs.flatpak ];
 
     environment.profiles = [
       "$HOME/.local/share/flatpak/exports"
diff --git a/nixos/tests/installed-tests/flatpak.nix b/nixos/tests/installed-tests/flatpak.nix
index 9524d890c4025..fa191202f52d4 100644
--- a/nixos/tests/installed-tests/flatpak.nix
+++ b/nixos/tests/installed-tests/flatpak.nix
@@ -7,6 +7,7 @@ makeInstalledTest {
   testConfig = {
     xdg.portal.enable = true;
     xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
+    xdg.portal.config.common.default = "gtk";
     services.flatpak.enable = true;
     environment.systemPackages = with pkgs; [ gnupg ostree python3 ];
     virtualisation.memorySize = 2047;
diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
index 7645527b8d23c..90af7ec2d47f6 100644
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
@@ -111,6 +111,77 @@ stdenv.mkDerivation (finalAttrs: {
   separateDebugInfo = !(stdenv.isAarch64 && stdenv.isLinux);
 
   patches = [
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-1.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/eb546a3f49f45e6870ec91d792cd09f8a662c16e.patch";
+      hash = "sha256-YJCyTH/dtE3j1UnFkXB3COCKLhyeZlnHI+NCYC++urM=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-2.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/1b2a52712b249e14d246cd9c7db126088e6e64db.patch";
+      hash = "sha256-N7rvrYZEAXL/f5LhKrPYhzoV6dLdUMolNMvmJTdkTVk=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-3.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/fbeb0a160cbcc067c0e1f0d380cea4a31de213e3.patch";
+      hash = "sha256-fgB7tS0+303mHPpvNzvZT7xib6yCcVzvnGccFJnCTaY=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-4.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/4f01537ced3e787bd985b8f8de5869b92657160a.patch";
+      hash = "sha256-ssp/MefVQMfHh2q2m/MRzyu57D3q/cCiabOtUT/BQ0k=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-5.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/5d53ff200b5b0e02473b4f38bb6ea74e781115d9.patch";
+      hash = "sha256-UzPONq9AcmdXK+c40eftJA7JRiNiprM4U9Na78fFp+8=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-6.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/15b41461ea7386005194d79d0736f1975c6301d7.patch";
+      hash = "sha256-dXBbWh0ep6+oEXE/i51m6r0iX19qISpmLy2Uw/rtR0I=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-7.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/ab995895adcf30d0be416da281a0bcf3dd3f93a5.patch";
+      hash = "sha256-74xgr+mZ/EPdv/919G/useydya58mHczca8AZkobg5Q=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-8.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/6e7e387b7931d8f6451128ed06f8bca8ffa64fda.patch";
+      hash = "sha256-nj12/4EzZnLfL6NjX2X0dnXa42ESmqVuk8NcU7gZtTQ=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-9.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/1c5005c450928c77056621a561568cdea2ee24db.patch";
+      hash = "sha256-sAaQwv/JY8IWhNQcvFMl0w4c1AqiVGuZJ/a0OLhFx2s=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-10.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/516bdbc2341892fb3b3173ec393c6dfc9515608f.patch";
+      hash = "sha256-VTD8QlqPUs+QZMBU9qisilpClYMvSJY9J0dsUFods5M=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-11.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/4e6240e184cd6303b7275118c7d574c973a3be35.patch";
+      hash = "sha256-NlgzWoWmik4aDGuYiZlvn28HL2ZhBcjv7TgC5Wo+Vrk=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-12.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/9666bd2b7967182d7891e83187f41f0ae3c3cb05.patch";
+      hash = "sha256-w+ZSXkME6wtsYlDE9ELHl6CjvkLjRtTuxqF15u5mQWU=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-13.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/35a67d2aa8caf8eb0bee7d38515924c95417047e.patch";
+      hash = "sha256-3kL8HMjTe3mbvb7K07zJOHbp676oBsynLi24k2N1iBY=";
+    })
+    (fetchpatch {
+      name = "CVE-2024-3446.CVE-2024-3447.CVE-2024-3567.part-14.patch";
+      url = "https://gitlab.com/qemu-project/qemu/-/commit/1cfe45956e03070f894e91b304e233b4d5b99719.patch";
+      hash = "sha256-jnZ/kvKugCc5EjETuyXQ8v3zlpkay1J9BaopmlRIRgE=";
+    })
+
     ./fix-qemu-ga.patch
 
     # QEMU upstream does not demand compatibility to pre-10.13, so 9p-darwin
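Review bot: The fourteen `fetchpatch` entries added at the top of `patches` all share the name prefix `CVE-2024-3446.CVE-2024-3447.CVE-2024-3567`, so nothing in the file records which upstream commit addresses which CVE or when the block can be removed. A comment above the first entry would help later audits and version bumps, for example `# Backport of the upstream fix series for CVE-2024-3446, CVE-2024-3447 and CVE-2024-3567; keep the order, drop once src is a release that contains these commits`. The series presumably depends on its order, so the comment should say so. Each URL is pinned to a full commit id with its own SRI hash, which should be preserved if the series is ever regenerated. The `patches` list continues past the end of this hunk.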
diff --git a/pkgs/development/libraries/flatpak/default.nix b/pkgs/development/libraries/flatpak/default.nix
index 0c44b99db8d9b..1d12d2fd835a7 100644
--- a/pkgs/development/libraries/flatpak/default.nix
+++ b/pkgs/development/libraries/flatpak/default.nix
@@ -54,14 +54,14 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "flatpak";
-  version = "1.14.4";
+  version = "1.14.6";
 
   # TODO: split out lib once we figure out what to do with triggerdir
   outputs = [ "out" "dev" "man" "doc" "devdoc" "installedTests" ];
 
   src = fetchurl {
     url = "https://github.com/flatpak/flatpak/releases/download/${finalAttrs.version}/flatpak-${finalAttrs.version}.tar.xz";
-    sha256 = "sha256-ijTb0LZ8Q051mLmOxpCVPQRvDbJuSArq+0bXKuxxZ5k="; # Taken from https://github.com/flatpak/flatpak/releases/
+    sha256 = "sha256-U482ssb4xw7v0S0TrVsa2DCCAQaovTqfa45NnegeSUY="; # Taken from https://github.com/flatpak/flatpak/releases/
   };
 
   patches = [
diff --git a/pkgs/development/libraries/flatpak/fix-test-paths.patch b/pkgs/development/libraries/flatpak/fix-test-paths.patch
index da14750090099..ebbcbde5e951f 100644
--- a/pkgs/development/libraries/flatpak/fix-test-paths.patch
+++ b/pkgs/development/libraries/flatpak/fix-test-paths.patch
@@ -63,7 +63,7 @@ index afa11a6b..5b12055f 100755
  flatpak build-finish ${DIR} >&2
  mkdir -p repos
 diff --git a/tests/make-test-runtime.sh b/tests/make-test-runtime.sh
-index 4ba950df..fd50fab3 100755
+index 6345ff58..fd50fab3 100755
 --- a/tests/make-test-runtime.sh
 +++ b/tests/make-test-runtime.sh
 @@ -28,9 +28,10 @@ EOF
@@ -78,7 +78,7 @@ index 4ba950df..fd50fab3 100755
  mkdir -p ${DIR}/usr/bin
  mkdir -p ${DIR}/usr/lib
  ln -s ../lib ${DIR}/usr/lib64
-@@ -40,40 +41,17 @@ if test -f /sbin/ldconfig.real; then
+@@ -40,46 +41,17 @@ if test -f /sbin/ldconfig.real; then
  else
      cp "$(type -P ldconfig)" "${DIR}/usr/bin"
  fi
@@ -89,6 +89,12 @@ index 4ba950df..fd50fab3 100755
 -    local f=$1
 -    shift
 -
+-    # Check if the program is installed
+-    if ! command -v "${f}" &> /dev/null; then
+-        echo "${f} not found"
+-        exit 1
+-    fi
+-
 -    if grep -qFe "${f}" $BINS; then
 -        # Already handled
 -        return 0
@@ -129,7 +135,7 @@ index 4ba950df..fd50fab3 100755
  done
  ln -s bash ${DIR}/usr/bin/sh
  
-@@ -84,11 +62,13 @@ echo "Hello world, from a runtime$EXTRA"
+@@ -90,11 +62,13 @@ echo "Hello world, from a runtime$EXTRA"
  EOF
  chmod a+x ${DIR}/usr/bin/runtime_hello.sh
  
diff --git a/pkgs/development/libraries/flatpak/unset-env-vars.patch b/pkgs/development/libraries/flatpak/unset-env-vars.patch
index fec0573ed9509..2a88d24f49166 100644
--- a/pkgs/development/libraries/flatpak/unset-env-vars.patch
+++ b/pkgs/development/libraries/flatpak/unset-env-vars.patch
@@ -1,11 +1,11 @@
 diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index 8fa8c0e0..e1cdeba0 100644
+index 6f54a9d0..102d9b90 100644
 --- a/common/flatpak-run.c
 +++ b/common/flatpak-run.c
-@@ -1900,6 +1900,7 @@ static const ExportData default_exports[] = {
-   {"XKB_CONFIG_ROOT", NULL},
-   {"GIO_EXTRA_MODULES", NULL},
+@@ -1902,6 +1902,7 @@ static const ExportData default_exports[] = {
    {"GDK_BACKEND", NULL},
+   {"VK_DRIVER_FILES", NULL},
+   {"VK_ICD_FILENAMES", NULL},
 +  {"GDK_PIXBUF_MODULE_FILE", NULL},
  };
  
diff --git a/pkgs/development/libraries/xdg-desktop-portal/default.nix b/pkgs/development/libraries/xdg-desktop-portal/default.nix
index 1c31a6daaac9b..1dc53d03bd04c 100644
--- a/pkgs/development/libraries/xdg-desktop-portal/default.nix
+++ b/pkgs/development/libraries/xdg-desktop-portal/default.nix
@@ -31,7 +31,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "xdg-desktop-portal";
-  version = "1.18.1";
+  version = "1.18.4";
 
   outputs = [ "out" "installedTests" ];
 
@@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "flatpak";
     repo = "xdg-desktop-portal";
     rev = finalAttrs.version;
-    sha256 = "sha256-S4I578gX1ONbixWGcQLY3WqzACoVfAtLuOFBhh36hFY=";
+    hash = "sha256-o+aO7uGewDPrtgOgmp/CE2uiqiBLyo07pVCFrtlORFQ=";
   };
 
   patches = [
diff --git a/pkgs/os-specific/linux/iwd/default.nix b/pkgs/os-specific/linux/iwd/default.nix
index 1b983bb90e1e7..9394105efe652 100644
--- a/pkgs/os-specific/linux/iwd/default.nix
+++ b/pkgs/os-specific/linux/iwd/default.nix
@@ -1,5 +1,6 @@
 { lib, stdenv
 , fetchgit
+, fetchpatch
 , autoreconfHook
 , pkg-config
 , ell
@@ -20,6 +21,24 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-i+2R8smgLXooApj0Z5e03FybhYgw1X/kIsJkrDzW8y4=";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2023-52161.patch";
+      url = "https://git.kernel.org/pub/scm/network/wireless/iwd.git/patch/?id=6415420f1c92012f64063c131480ffcef58e60ca";
+      hash = "sha256-bN5mxdWDyKEC2IyyG2vlzTEAL57C4uC7GAJA3jSXJHg=";
+    })
+    (fetchpatch {
+      name = "netdev-buffer-overflow-32-byte-ssid.patch";
+      url = "https://git.kernel.org/pub/scm/network/wireless/iwd.git/patch/?id=8d68b33e763aced6d419df9f6534760d2c890279";
+      hash = "sha256-BSduzwVUTEcqjVwD88qJYgItApcQZwU43u9gbNMDs8I=";
+    })
+    (fetchpatch {
+      name = "erp-buffer-overflow-32-byte-ssid.patch";
+      url = "https://git.kernel.org/pub/scm/network/wireless/iwd.git/patch/?id=bdaae53cf828a1f6ea7a7b57d7d6ebcc7b70ac43";
+      hash = "sha256-K/Ib0azlZ0UlFqcqs+8dSfj0hh0j0dZYpfB9f6tEqc8=";
+    })
+  ];
+
   outputs = [ "out" "man" "doc" ]
     ++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "test";
 
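Review bot: Only the first of the three backports in the new `patches` list carries a CVE id in its `name`. The other two, `netdev-buffer-overflow-32-byte-ssid.patch` and `erp-buffer-overflow-32-byte-ssid.patch`, are memory-safety fixes with no advisory reference and no removal condition recorded. I would add a comment above each, such as `# Upstream overflow fix for 32-byte SSIDs (add the advisory id here if one is assigned); drop on the next version bump that includes it`, so that a later bump or a scan of the derivation can tell why they are there. The `fetchpatch` argument these entries need is added in the first hunk of this file.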
diff --git a/pkgs/tools/security/tpm2-tools/default.nix b/pkgs/tools/security/tpm2-tools/default.nix
index d622ab5b93da6..18eedfb98f983 100644
--- a/pkgs/tools/security/tpm2-tools/default.nix
+++ b/pkgs/tools/security/tpm2-tools/default.nix
@@ -4,21 +4,13 @@
 
 stdenv.mkDerivation rec {
   pname = "tpm2-tools";
-  version = "5.6";
+  version = "5.7";
 
   src = fetchurl {
     url = "https://github.com/tpm2-software/${pname}/releases/download/${version}/${pname}-${version}.tar.gz";
-    sha256 = "sha256-Usi8uq3KCCq/5et+5JZ9LWMthLFndnXy8HG20uwizsM=";
+    sha256 = "sha256-OBDTa1B5JW9PL3zlUuIiE9Q7EDHBMVON+KLbw8VwmDo=";
   };
 
-  patches = [
-    # https://github.com/tpm2-software/tpm2-tools/pull/3271
-    (fetchpatch {
-      url = "https://github.com/tpm2-software/tpm2-tools/commit/b98be08f6f88b0cca9e0667760c4e1e5eb417fbd.patch";
-      sha256 = "sha256-2sEam9i4gwscJhLwraX2EAjVM8Dh1vmNnG3zYsOF0fc=";
-    })
-  ];
-
   nativeBuildInputs = [ pandoc pkg-config makeWrapper ];
   buildInputs = [
     curl openssl tpm2-tss libuuid
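Review bot: With the `patches` list removed, nothing in the visible part of the derivation calls `fetchpatch` any more, but the function header (above line 4, outside this hunk) is not touched by the commit, so it presumably still lists `fetchpatch` as an unused argument. If no other use remains further down the file, drop it from the header. The removed entry pointed at upstream pull request 3271; it is worth confirming that the 5.7 tarball contains that change, because a fix lost this way would not fail the build.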
diff --git a/pkgs/top-level/ruby-packages.nix b/pkgs/top-level/ruby-packages.nix
index 54e70b1936de7..28e508b03005a 100644
--- a/pkgs/top-level/ruby-packages.nix
+++ b/pkgs/top-level/ruby-packages.nix
@@ -3987,10 +3987,10 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "013yrnwx1zhzhn1fnc19zck22a1qgimsaglp2iwgf5bz9l8h93js";
+      sha256 = "1r0b8w58p7gy06wph1qdjv2p087hfnmhd9jk23vjdj803dn761am";
       type = "gem";
     };
-    version = "0.9.34";
+    version = "0.9.36";
   };
   zeitwerk = {
     groups = ["default"];