diff options
-rw-r--r-- | pkgs/build-support/setup-hooks/strip.sh | 16 | ||||
-rw-r--r-- | pkgs/data/misc/cacert/default.nix | 4 | ||||
-rw-r--r-- | pkgs/development/compilers/go/1.21.nix | 4 | ||||
-rw-r--r-- | pkgs/development/python-modules/torch/default.nix | 18 | ||||
-rw-r--r-- | pkgs/misc/ghostscript/default.nix | 21 |
5 files changed, 52 insertions, 11 deletions
diff --git a/pkgs/build-support/setup-hooks/strip.sh b/pkgs/build-support/setup-hooks/strip.sh index ce41e6ea0562a..49a350af1fa5c 100644 --- a/pkgs/build-support/setup-hooks/strip.sh +++ b/pkgs/build-support/setup-hooks/strip.sh @@ -74,13 +74,17 @@ stripDirs() { echo "stripping (with command $cmd and flags $stripFlags) in $paths" local striperr striperr="$(mktemp --tmpdir="$TMPDIR" 'striperr.XXXXXX')" - # Do not strip lib/debug. This is a directory used by setup-hooks/separate-debug-info.sh. - find $paths -type f "${excludeFlags[@]}" -a '!' -path "$prefix/lib/debug/*" -print0 | - # Make sure we process files under symlinks only once. Otherwise - # 'strip` can corrupt files when writes to them in parallel: - # https://github.com/NixOS/nixpkgs/issues/246147#issuecomment-1657072039 - xargs -r -0 -n1 -- realpath -z | sort -u -z | + # Make sure we process files only once. `strip`ping the same file through different + # links in parallel can corrupt it: + # https://github.com/NixOS/nixpkgs/issues/246147#issuecomment-1657072039 + # Do not strip lib/debug. This is a directory used by setup-hooks/separate-debug-info.sh. + # Print out each file's device and inode (which will be the same if two files are hardlinked + # or are the same file found through different symlinks), followed by its path... + find $paths -type f "${excludeFlags[@]}" -a '!' -path "$prefix/lib/debug/*" -printf '%D-%i,%p\0' | + # ... sort/uniq by device/inode, then cut them out and keep the path, ... + sort -t, -k1,1 -u -z | cut -d, -f2- -z | + # and finally strip each unique path in parallel. xargs -r -0 -n1 -P "$NIX_BUILD_CORES" -- $cmd $stripFlags 2>"$striperr" || exit_code=$? # xargs exits with status code 123 if some but not all of the # processes fail. We don't care if some of the files couldn't diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix index 4b103f7f32898..517e1d87273b5 100644 --- a/pkgs/data/misc/cacert/default.nix +++ b/pkgs/data/misc/cacert/default.nix @@ -20,7 +20,7 @@ let blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist); extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings); - srcVersion = "3.98"; + srcVersion = "3.101"; version = if nssOverride != null then nssOverride.version else srcVersion; meta = with lib; { homepage = "https://curl.haxx.se/docs/caextract.html"; @@ -37,7 +37,7 @@ let owner = "nss-dev"; repo = "nss"; rev = "NSS_${lib.replaceStrings ["."] ["_"] version}_RTM"; - hash = "sha256-0p1HzspxyzhzX46O7ax8tmYiaFEBeqEqEvman4NIiQc="; + hash = "sha256-lO+81zYBBFwqcjh4cd/fpiznHZ9rTJpfDW/yF8phYts="; }; dontBuild = true; diff --git a/pkgs/development/compilers/go/1.21.nix b/pkgs/development/compilers/go/1.21.nix index 55ce65ba1a7c5..38a169758ab6f 100644 --- a/pkgs/development/compilers/go/1.21.nix +++ b/pkgs/development/compilers/go/1.21.nix @@ -46,11 +46,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "go"; - version = "1.21.10"; + version = "1.21.11"; src = fetchurl { url = "https://go.dev/dl/go${finalAttrs.version}.src.tar.gz"; - hash = "sha256-kA4K/okAwe5lqKjE8MWjygLc+FwdHLE6ZSviLCE5k5Q="; + hash = "sha256-Qq7pvytpVsdaetaqPwpRtYIf/qxX9aLnM6LW6uHm2dI="; }; strictDeps = true; diff --git a/pkgs/development/python-modules/torch/default.nix b/pkgs/development/python-modules/torch/default.nix index 70b71c8cdf880..36b1ada5ae30d 100644 --- a/pkgs/development/python-modules/torch/default.nix +++ b/pkgs/development/python-modules/torch/default.nix @@ -145,7 +145,23 @@ in buildPythonPackage rec { hash = "sha256-xUj77yKz3IQ3gd/G32pI4OhL3LoN1zS7eFg0/0nZp5I="; }; - patches = lib.optionals (stdenv.isDarwin && stdenv.isx86_64) [ + patches = [ + (fetchpatch { + name = "CVE-2024-31580.patch"; + url = "https://github.com/pytorch/pytorch/commit/b5c3a17c2c207ebefcb85043f0cf94be9b2fef81.patch"; + hash = "sha256-UR9PesE+t7ekVh4cJlrCgFULLFgqZjWhgr3jFP+vuEQ="; + }) + (fetchpatch { + name = "CVE-2024-31583.patch"; + url = "https://github.com/pytorch/pytorch/commit/9c7071b0e324f9fb68ab881283d6b8d388a4bcd2.patch"; + hash = "sha256-TtiB9d8VQ5dXXOHyq4N45uFW5csmxHsF6naPH4IrKlc="; + }) + (fetchpatch { + name = "CVE-2024-31584.patch"; + url = "https://github.com/pytorch/pytorch/commit/7c35874ad664e74c8e4252d67521f3986eadb0e6.patch"; + hash = "sha256-4IsdRfL0B+Rown4xqra8taqqOXf8NKCtSN9sPrOPQV8="; + }) + ] ++ lib.optionals (stdenv.isDarwin && stdenv.isx86_64) [ # pthreadpool added support for Grand Central Dispatch in April # 2020. However, this relies on functionality (DISPATCH_APPLY_AUTO) # that is available starting with macOS 10.13. However, our current diff --git a/pkgs/misc/ghostscript/default.nix b/pkgs/misc/ghostscript/default.nix index daf7758b11843..a561dbfe53103 100644 --- a/pkgs/misc/ghostscript/default.nix +++ b/pkgs/misc/ghostscript/default.nix @@ -2,6 +2,7 @@ , stdenv , lib , fetchurl +, fetchpatch , pkg-config , zlib , expat @@ -71,6 +72,26 @@ stdenv.mkDerivation rec { patches = [ ./urw-font-files.patch ./doc-no-ref.diff + (fetchpatch { + name = "CVE-2024-33870.patch"; + url = "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=79aef19c685984dc3da2dc090450407d9fbcff80"; + hash = "sha256-EZOtKbAkNujqAPoD1yWTggXYTdLPPR9uC898JByQwVs="; + }) + (fetchpatch { + name = "CVE-2024-33869.part-1.patch"; + url = "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=5ae2e320d69a7d0973011796bd388cd5befa1a43"; + hash = "sha256-ob2c4aawUxJcsLdhHX9/7CDNnnxO8k1LTqfar5Bgdo8="; + }) + (fetchpatch { + name = "CVE-2024-33869.part-2.patch"; + url = "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=f5336e5b4154f515ac83bc5b9eba94302e6618d4"; + hash = "sha256-2Kx57WJvALpEjR8+uTbF3CBvO/9Ujl652L4Kf+mNRWo="; + }) + (fetchpatch { + name = "CVE-2024-33871.patch"; + url = "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/patch/?id=7145885041bb52cc23964f0aa2aec1b1c82b5908"; + hash = "sha256-a5+WY63lmu++cc8BGREWlIY4S1LEvWqeqTTfBnEY+YM="; + }) ]; outputs = [ "out" "man" "doc" ]; |