From 05b1f8f34ff68d238a373fbc41a20a4071c3401c Mon Sep 17 00:00:00 2001
From: Robert Schütz <nix@dotlambda.de>
Date: Sun, 25 Feb 2024 17:05:55 -0800
Subject: imagemagick: 7.1.1-28 -> 7.1.1-29

Diff: https://github.com/ImageMagick/ImageMagick/compare/7.1.1-28...7.1.1-29

Changelog: https://github.com/ImageMagick/Website/blob/main/ChangeLog.md
(cherry picked from commit 00be2993bb1ffd06ddb6da94beacdabf37bd1f11)
---
 pkgs/applications/graphics/ImageMagick/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/applications/graphics/ImageMagick/default.nix b/pkgs/applications/graphics/ImageMagick/default.nix
index 261df37e9aa9d..8fe391173d660 100644
--- a/pkgs/applications/graphics/ImageMagick/default.nix
+++ b/pkgs/applications/graphics/ImageMagick/default.nix
@@ -49,13 +49,13 @@ in
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "imagemagick";
-  version = "7.1.1-28";
+  version = "7.1.1-29";
 
   src = fetchFromGitHub {
     owner = "ImageMagick";
     repo = "ImageMagick";
     rev = finalAttrs.version;
-    hash = "sha256-WT058DZzMrNKn9E56dH476iCgeOi7QQ3jNBxKAqT6h4=";
+    hash = "sha256-W9WbHzmTa0dA9+mOxXu88qmN1mO9ORaH0Nj6r2s1Q+E=";
   };
 
   outputs = [ "out" "dev" "doc" ]; # bin/ isn't really big
-- 
cgit 1.4.1


From 6517af89008b6c46681ae8d32dba5be9404d048f Mon Sep 17 00:00:00 2001
From: Robert Scott <code@humanleg.org.uk>
Date: Tue, 27 Feb 2024 22:02:44 +0000
Subject: fontforge: add patch for CVE-2024-25081 & CVE-2024-25082

(cherry picked from commit 3438e132dd64f8f81f7f716bd0f8e7b13e89462e)
---
 pkgs/tools/misc/fontforge/default.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pkgs/tools/misc/fontforge/default.nix b/pkgs/tools/misc/fontforge/default.nix
index c6e939d5b505f..d7a083baaf77c 100644
--- a/pkgs/tools/misc/fontforge/default.nix
+++ b/pkgs/tools/misc/fontforge/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, lib
+{ stdenv, fetchFromGitHub, lib, fetchpatch
 , cmake, uthash, pkg-config
 , python, freetype, zlib, glib, giflib, libpng, libjpeg, libtiff, libxml2, cairo, pango
 , readline, woff2, zeromq
@@ -23,6 +23,14 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-/RYhvL+Z4n4hJ8dmm+jbA1Ful23ni2DbCRZC5A3+pP0=";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2024-25081.CVE-2024-25082.patch";
+      url = "https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429.patch";
+      hash = "sha256-aRnir09FSQMT50keoB7z6AyhWAVBxjSQsTRvBzeBuHU=";
+    })
+  ];
+
   # use $SOURCE_DATE_EPOCH instead of non-deterministic timestamps
   postPatch = ''
     find . -type f -name '*.c' -exec sed -r -i 's#\btime\(&(.+)\)#if (getenv("SOURCE_DATE_EPOCH")) \1=atol(getenv("SOURCE_DATE_EPOCH")); else &#g' {} \;
-- 
cgit 1.4.1