9 files changed, 70 insertions, 23 deletions
diff --git a/pkgs/applications/networking/browsers/firefox-bin/default.nix b/pkgs/applications/networking/browsers/firefox-bin/default.nix
index 8130f9f775849..56d21187ebb2e 100644
--- a/pkgs/applications/networking/browsers/firefox-bin/default.nix
+++ b/pkgs/applications/networking/browsers/firefox-bin/default.nix
@@ -20,7 +20,6 @@
 , runtimeShell
 , systemLocale ? config.i18n.defaultLocale or "en_US"
 , patchelfUnstable  # have to use patchelfUnstable to support --no-clobber-old-sections
-, makeWrapper
 }:
 
 let
@@ -58,20 +57,6 @@ let
   source = lib.findFirst (sourceMatches mozLocale) defaultSource sources;
 
   pname = "firefox-${channel}-bin-unwrapped";
-
-  # FIXME: workaround for not being able to pass flags to patchelf
-  # Remove after https://github.com/NixOS/nixpkgs/pull/256525
-  wrappedPatchelf = stdenv.mkDerivation {
-    pname = "patchelf-wrapped";
-    inherit (patchelfUnstable) version;
-
-    nativeBuildInputs = [ makeWrapper ];
-
-    buildCommand = ''
-      mkdir -p $out/bin
-      makeWrapper ${patchelfUnstable}/bin/patchelf $out/bin/patchelf --append-flags "--no-clobber-old-sections"
-    '';
-  };
 in
 
 stdenv.mkDerivation {
@@ -79,7 +64,7 @@ stdenv.mkDerivation {
 
   src = fetchurl { inherit (source) url sha256; };
 
-  nativeBuildInputs = [ wrapGAppsHook autoPatchelfHook wrappedPatchelf ];
+  nativeBuildInputs = [ wrapGAppsHook autoPatchelfHook patchelfUnstable ];
   buildInputs = [
     gtk3
     adwaita-icon-theme
@@ -93,8 +78,10 @@ stdenv.mkDerivation {
     pciutils
   ];
   appendRunpaths = [
-    "${pipewire.lib}/lib"
+    "${pipewire}/lib"
   ];
+  # Firefox uses "relrhack" to manually process relocations from a fixed offset
+  patchelfFlags = [ "--no-clobber-old-sections" ];
 
   installPhase =
     ''
diff --git a/pkgs/applications/networking/browsers/webmacs/default.nix b/pkgs/applications/networking/browsers/webmacs/default.nix
index de3c1cfdcdba8..2f63670128bb1 100644
--- a/pkgs/applications/networking/browsers/webmacs/default.nix
+++ b/pkgs/applications/networking/browsers/webmacs/default.nix
@@ -1,4 +1,5 @@
 { lib
+, stdenv
 , mkDerivationWith
 , fetchFromGitHub
 , python3Packages
@@ -6,6 +7,8 @@
 }:
 
 mkDerivationWith python3Packages.buildPythonApplication rec {
+  inherit stdenv;
+
   pname = "webmacs";
   version = "0.8";
 
diff --git a/pkgs/applications/networking/instant-messengers/ricochet/default.nix b/pkgs/applications/networking/instant-messengers/ricochet/default.nix
index f612ec524a7b1..99c7cbbc7d8ee 100644
--- a/pkgs/applications/networking/instant-messengers/ricochet/default.nix
+++ b/pkgs/applications/networking/instant-messengers/ricochet/default.nix
@@ -6,7 +6,6 @@
 , qtbase
 , qttools
 , qtmultimedia
-, qtquick1
 , qtquickcontrols
 , openssl
 , protobuf
@@ -38,7 +37,6 @@ mkDerivation rec {
     qtbase
     qttools
     qtmultimedia
-    qtquick1
     qtquickcontrols
     openssl
     protobuf
diff --git a/pkgs/applications/networking/localproxy/default.nix b/pkgs/applications/networking/localproxy/default.nix
index 019da46951241..719b730817b41 100644
--- a/pkgs/applications/networking/localproxy/default.nix
+++ b/pkgs/applications/networking/localproxy/default.nix
@@ -3,14 +3,14 @@
 , fetchFromGitHub
 , cmake
 , openssl
-, protobuf3_21
+, protobuf_21
 , catch2
 , boost181
 , icu
 }:
 let
   boost = boost181.override { enableStatic = true; };
-  protobuf = protobuf3_21.override { enableShared = false; };
+  protobuf = protobuf_21.override { enableShared = false; };
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "localproxy";
diff --git a/pkgs/applications/networking/mailreaders/neomutt/default.nix b/pkgs/applications/networking/mailreaders/neomutt/default.nix
index 9ac8c83dc5e70..8d0bc45c4a029 100644
--- a/pkgs/applications/networking/mailreaders/neomutt/default.nix
+++ b/pkgs/applications/networking/mailreaders/neomutt/default.nix
@@ -20,8 +20,9 @@ stdenv.mkDerivation rec {
     # https://github.com/neomutt/neomutt/issues/3773#issuecomment-1493295144
     ./fix-open-very-large-mailbox.patch
     (fetchpatch {
+      # https://github.com/neomutt/neomutt/pull/3933
       name = "disable-incorrect-tests.patch";
-      url = "https://github.com/neomutt/neomutt/pull/3933.patch";
+      url = "https://github.com/neomutt/neomutt/compare/f624551b86cdb53224b5b48304a808ca2815111e...a9a1d99e6c0fdf367188125451300fa89d3e801a.patch";
       hash = "sha256-Plei063T8XyXF4/7/nAb6/4OyXz72vBAXHwls9WL1vM=";
       excludes = [".github/workflows/macos.yml"];
     })
diff --git a/pkgs/applications/networking/p2p/freenet/default.nix b/pkgs/applications/networking/p2p/freenet/default.nix
index 8a46b5a476c1e..3ca23647251a1 100644
--- a/pkgs/applications/networking/p2p/freenet/default.nix
+++ b/pkgs/applications/networking/p2p/freenet/default.nix
@@ -16,8 +16,9 @@ let
 
   patches = [
     # gradle 7 support
+    # https://github.com/freenet/fred/pull/827
     (fetchpatch {
-      url = "https://github.com/freenet/fred/pull/827.patch";
+      url = "https://github.com/freenet/fred/commit/8991303493f2c0d9933f645337f0a7a5a979e70a.patch";
       sha256 = "sha256-T1zymxRTADVhhwp2TyB+BC/J4gZsT/CUuMrT4COlpTY=";
     })
   ];
diff --git a/pkgs/applications/networking/remote/freerdp/default.nix b/pkgs/applications/networking/remote/freerdp/default.nix
index 931b788156d38..b159bd0a996ac 100644
--- a/pkgs/applications/networking/remote/freerdp/default.nix
+++ b/pkgs/applications/networking/remote/freerdp/default.nix
@@ -190,6 +190,8 @@ stdenv.mkDerivation rec {
     "-DTARGET_OS_IPHONE=0"
     "-DTARGET_OS_WATCH=0"
     "-include AudioToolbox/AudioToolbox.h"
+  ] ++ lib.optionals stdenv.cc.isClang [
+    "-Wno-error=incompatible-function-pointer-types"
   ]);
 
   NIX_LDFLAGS = lib.optionals stdenv.isDarwin [
diff --git a/pkgs/applications/networking/sync/rsync/default.nix b/pkgs/applications/networking/sync/rsync/default.nix
index 9df26b6bb8453..1baf1c40eb14b 100644
--- a/pkgs/applications/networking/sync/rsync/default.nix
+++ b/pkgs/applications/networking/sync/rsync/default.nix
@@ -30,6 +30,12 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ perl ];
 
+  patches = [
+    # https://github.com/WayneD/rsync/issues/511#issuecomment-1774612577
+    # original source: https://build.opensuse.org/package/view_file/network/rsync/rsync-fortified-strlcpy-fix.patch?expand=1&rev=3f8dd2f4a404c96c0f69176e60893714
+    ./rsync-fortified-strlcpy-fix.patch
+  ];
+
   buildInputs = [ libiconv zlib popt ]
     ++ lib.optional enableACLs acl
     ++ lib.optional enableZstd zstd
diff --git a/pkgs/applications/networking/sync/rsync/rsync-fortified-strlcpy-fix.patch b/pkgs/applications/networking/sync/rsync/rsync-fortified-strlcpy-fix.patch
new file mode 100644
index 0000000000000..296445b4bb563
--- /dev/null
+++ b/pkgs/applications/networking/sync/rsync/rsync-fortified-strlcpy-fix.patch
@@ -0,0 +1,49 @@
+From 1f83963f59960150e8c46112daa8411324c1f209 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Fri, 18 Aug 2023 08:26:20 +0200
+Subject: [PATCH] exclude: fix crashes with fortified strlcpy()
+
+Fortified (-D_FORTIFY_SOURCE=2 for gcc) builds make strlcpy() crash when
+its third parameter (size) is larger than the buffer:
+  $ rsync -FFXHav '--filter=merge global-rsync-filter' Align-37-43/ xxx
+  sending incremental file list
+  *** buffer overflow detected ***: terminated
+
+It's in the exclude code in setup_merge_file():
+  strlcpy(y, save, MAXPATHLEN);
+
+Note the 'y' pointer was incremented, so it no longer points to memory
+with MAXPATHLEN "owned" bytes.
+
+Fix it by remembering the number of copied bytes into the 'save' buffer
+and use that instead of MAXPATHLEN which is clearly incorrect.
+
+Fixes #511.
+---
+ exclude.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/exclude.c b/exclude.c
+index ffe55b167..1a5de3b9e 100644
+--- a/exclude.c
++++ b/exclude.c
+@@ -720,7 +720,8 @@ static BOOL setup_merge_file(int mergelist_num, filter_rule *ex,
+ 	parent_dirscan = True;
+ 	while (*y) {
+ 		char save[MAXPATHLEN];
+-		strlcpy(save, y, MAXPATHLEN);
++		/* copylen is strlen(y) which is < MAXPATHLEN. +1 for \0 */
++		size_t copylen = strlcpy(save, y, MAXPATHLEN) + 1;
+ 		*y = '\0';
+ 		dirbuf_len = y - dirbuf;
+ 		strlcpy(x, ex->pattern, MAXPATHLEN - (x - buf));
+@@ -734,7 +735,7 @@ static BOOL setup_merge_file(int mergelist_num, filter_rule *ex,
+ 			lp->head = NULL;
+ 		}
+ 		lp->tail = NULL;
+-		strlcpy(y, save, MAXPATHLEN);
++		strlcpy(y, save, copylen);
+ 		while ((*x++ = *y++) != '/') {}
+ 	}
+ 	parent_dirscan = False;
+