staging-next-26.05 iteration 1 - 2026-06-06 (#528906)

This commit is contained in:
Martin Weinelt 2026-06-21 22:04:01 +00:00 committed by GitHub
commit 1f43886335
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
86 changed files with 1618 additions and 995 deletions

View file

@ -1,416 +0,0 @@
import functools
import hashlib
import json
import multiprocessing as mp
import re
import shutil
import subprocess
import sys
import tomllib
from os.path import islink, realpath
from pathlib import Path
from typing import Any, TypedDict, cast
from urllib.parse import unquote
import requests
import tomli_w
from requests.adapters import HTTPAdapter, Retry
eprint = functools.partial(print, file=sys.stderr)
def load_toml(path: Path) -> dict[str, Any]:
with open(path, "rb") as f:
return tomllib.load(f)
def get_lockfile_version(cargo_lock_toml: dict[str, Any]) -> int:
# lockfile v1 and v2 don't have the `version` key, so assume v2
version = cargo_lock_toml.get("version", 2)
# TODO: add logic for differentiating between v1 and v2
return version
def create_http_session() -> requests.Session:
retries = Retry(
total=5,
backoff_factor=0.5,
status_forcelist=[500, 502, 503, 504]
)
session = requests.Session()
session.headers["User-Agent"] = "nixpkgs-fetchCargoVendor/2 (https://github.com/NixOS/nixpkgs)"
session.mount('http://', HTTPAdapter(max_retries=retries))
session.mount('https://', HTTPAdapter(max_retries=retries))
return session
def download_file_with_checksum(session: requests.Session, url: str, destination_path: Path) -> str:
sha256_hash = hashlib.sha256()
with session.get(url, stream=True) as response:
if not response.ok:
raise Exception(f"Failed to fetch file from {url}. Status code: {response.status_code}")
with open(destination_path, "wb") as file:
for chunk in response.iter_content(1024): # Download in chunks
if chunk: # Filter out keep-alive chunks
file.write(chunk)
sha256_hash.update(chunk)
# Compute the final checksum
checksum = sha256_hash.hexdigest()
return checksum
def get_download_url_for_tarball(pkg: dict[str, Any]) -> str:
# TODO: support other registries
# maybe fetch config.json from the registry root and get the dl key
# See: https://doc.rust-lang.org/cargo/reference/registry-index.html#index-configuration
if pkg["source"] != "registry+https://github.com/rust-lang/crates.io-index":
raise Exception("Only the default crates.io registry is supported.")
# Use static.crates.io (CDN) instead of crates.io/api to avoid the 1 req/sec
# rate limit on the API servers.
return f"https://static.crates.io/crates/{pkg["name"]}/{pkg["version"]}/download"
def download_tarball(session: requests.Session, pkg: dict[str, Any], out_dir: Path) -> None:
url = get_download_url_for_tarball(pkg)
filename = f"{pkg["name"]}-{pkg["version"]}.tar.gz"
# TODO: allow legacy checksum specification, see importCargoLock for example
# also, don't forget about the other usage of the checksum
expected_checksum = pkg["checksum"]
tarball_out_dir = out_dir / "tarballs" / filename
eprint(f"Fetching {url} -> tarballs/{filename}")
calculated_checksum = download_file_with_checksum(session, url, tarball_out_dir)
if calculated_checksum != expected_checksum:
raise Exception(f"Hash mismatch! File fetched from {url} had checksum {calculated_checksum}, expected {expected_checksum}.")
def download_git_tree(url: str, git_sha_rev: str, out_dir: Path) -> None:
tree_out_dir = out_dir / "git" / git_sha_rev
eprint(f"Fetching {url}#{git_sha_rev} -> git/{git_sha_rev}")
cmd = ["nix-prefetch-git", "--builder", "--quiet", "--fetch-submodules", "--url", url, "--rev", git_sha_rev, "--out", str(tree_out_dir)]
subprocess.check_output(cmd)
GIT_SOURCE_REGEX = re.compile("git\\+(?P<url>[^?]+)(\\?(?P<type>rev|tag|branch)=(?P<value>.*))?#(?P<git_sha_rev>.*)")
class GitSourceInfo(TypedDict):
url: str
type: str | None
value: str | None
git_sha_rev: str
def parse_git_source(source: str, lockfile_version: int) -> GitSourceInfo:
match = GIT_SOURCE_REGEX.match(source)
if match is None:
raise Exception(f"Unable to process git source: {source}.")
source_info = cast(GitSourceInfo, match.groupdict(default=None))
# the source URL is URL-encoded in lockfile_version >=4
# since we just used regex to parse it we have to manually decode the escaped branch/tag name
if lockfile_version >= 4 and source_info["value"] is not None:
source_info["value"] = unquote(source_info["value"])
return source_info
def create_vendor_staging(lockfile_path: Path, out_dir: Path) -> None:
cargo_lock_toml = load_toml(lockfile_path)
lockfile_version = get_lockfile_version(cargo_lock_toml)
git_packages: list[dict[str, Any]] = []
registry_packages: list[dict[str, Any]] = []
for pkg in cargo_lock_toml["package"]:
# ignore local dependenices
if "source" not in pkg.keys():
eprint(f"Skipping local dependency: {pkg["name"]}")
continue
source = pkg["source"]
if source.startswith("git+"):
git_packages.append(pkg)
elif source.startswith("registry+"):
registry_packages.append(pkg)
else:
raise Exception(f"Can't process source: {source}.")
git_sha_rev_to_url: dict[str, str] = {}
for pkg in git_packages:
source_info = parse_git_source(pkg["source"], lockfile_version)
git_sha_rev_to_url[source_info["git_sha_rev"]] = source_info["url"]
out_dir.mkdir(exist_ok=True)
shutil.copy(lockfile_path, out_dir / "Cargo.lock")
# fetch git trees sequentially, since fetching concurrently leads to flaky behaviour
if len(git_packages) != 0:
(out_dir / "git").mkdir()
for git_sha_rev, url in git_sha_rev_to_url.items():
download_git_tree(url, git_sha_rev, out_dir)
# run tarball download jobs in parallel, with at most 5 concurrent download jobs
with mp.Pool(min(5, mp.cpu_count())) as pool:
if len(registry_packages) != 0:
(out_dir / "tarballs").mkdir()
session = create_http_session()
tarball_args_gen = ((session, pkg, out_dir) for pkg in registry_packages)
pool.starmap(download_tarball, tarball_args_gen)
def get_manifest_metadata(manifest_path: Path) -> dict[str, Any]:
cmd = ["cargo", "metadata", "--format-version", "1", "--no-deps", "--manifest-path", str(manifest_path)]
output = subprocess.check_output(cmd)
return json.loads(output)
def try_get_crate_manifest_path_from_manifest_path(manifest_path: Path, crate_name: str) -> Path | None:
try:
metadata = get_manifest_metadata(manifest_path)
except subprocess.CalledProcessError:
eprint(f"Warning: cargo metadata failed for {manifest_path}, skipping")
return None
for pkg in metadata["packages"]:
if pkg["name"] == crate_name:
return Path(pkg["manifest_path"])
return None
def find_crate_manifest_in_tree(tree: Path, crate_name: str) -> Path:
# Scan all Cargo.toml files; sort by depth/path to make ordering deterministic
# and prefer less-nested manifests first.
manifest_paths = sorted(
tree.glob("**/Cargo.toml"),
key=lambda path: (len(path.parts), str(path)),
)
for manifest_path in manifest_paths:
res = try_get_crate_manifest_path_from_manifest_path(manifest_path, crate_name)
if res is not None:
return res
raise Exception(f"Couldn't find manifest for crate {crate_name} inside {tree}.")
def copy_and_patch_git_crate_subtree(git_tree: Path, crate_name: str, crate_out_dir: Path) -> None:
# This function will get called by copytree to decide which entries of a directory should be copied
# We'll copy everything except symlinks that are invalid
def ignore_func(dir_str: str, path_strs: list[str]) -> list[str]:
ignorelist: list[str] = []
dir = Path(realpath(dir_str, strict=True))
for path_str in path_strs:
path = dir / path_str
if not islink(path):
continue
# Filter out cyclic symlinks and symlinks pointing at nonexistant files
try:
target_path = Path(realpath(path, strict=True))
except OSError:
ignorelist.append(path_str)
eprint(f"Failed to resolve symlink, ignoring: {path}")
continue
# Filter out symlinks that point outside of the current crate's base git tree
# This can be useful if the nix build sandbox is turned off and there is a symlink to a common absolute path
if not target_path.is_relative_to(git_tree):
ignorelist.append(path_str)
eprint(f"Symlink points outside of the crate's base git tree, ignoring: {path} -> {target_path}")
continue
return ignorelist
crate_manifest_path = find_crate_manifest_in_tree(git_tree, crate_name)
crate_tree = crate_manifest_path.parent
eprint(f"Copying to {crate_out_dir}")
shutil.copytree(crate_tree, crate_out_dir, ignore=ignore_func)
crate_out_dir.chmod(0o755)
with open(crate_manifest_path, "r") as f:
manifest_data = f.read()
if "workspace" in manifest_data:
crate_manifest_metadata = get_manifest_metadata(crate_manifest_path)
workspace_root = Path(crate_manifest_metadata["workspace_root"])
root_manifest_path = workspace_root / "Cargo.toml"
manifest_path = crate_out_dir / "Cargo.toml"
manifest_path.chmod(0o644)
eprint(f"Patching {manifest_path}")
cmd = ["replace-workspace-values", str(manifest_path), str(root_manifest_path)]
subprocess.check_output(cmd)
def extract_crate_tarball_contents(tarball_path: Path, crate_out_dir: Path) -> None:
eprint(f"Unpacking to {crate_out_dir}")
crate_out_dir.mkdir()
cmd = ["tar", "xf", str(tarball_path), "-C", str(crate_out_dir), "--strip-components=1"]
subprocess.check_output(cmd)
def make_git_source_selector(source_info: GitSourceInfo) -> dict[str, str]:
selector = {}
selector["git"] = source_info["url"]
if source_info["type"] is not None:
selector[source_info["type"]] = source_info["value"]
return selector
def make_registry_source_selector(source: str) -> dict[str, str]:
registry = source[9:] if source.startswith("registry+") else source
selector = {}
selector["registry"] = registry
return selector
def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None:
lockfile_path = vendor_staging_dir / "Cargo.lock"
out_dir.mkdir(exist_ok=True)
shutil.copy(lockfile_path, out_dir / "Cargo.lock")
cargo_lock_toml = load_toml(lockfile_path)
lockfile_version = get_lockfile_version(cargo_lock_toml)
source_to_ind: dict[str, str] = {}
source_config = {}
next_registry_ind = 0
next_git_ind = 0
def add_source_replacement(
orig_key: str,
orig_selector: dict[str, str],
vendored_key: str,
vendored_dir: str
) -> None:
source_config[vendored_key] = {}
source_config[vendored_key]["directory"] = vendored_dir
source_config[orig_key] = orig_selector
source_config[orig_key]["replace-with"] = vendored_key
# we reserve registry index 0 for crates-io
source_to_ind["registry+https://github.com/rust-lang/crates.io-index"] = "registry-0"
source_to_ind["sparse+https://index.crates.io/"] = "registry-0"
add_source_replacement(
orig_key="crates-io",
orig_selector={}, # there is an internal selector defined for the `crates-io` source
vendored_key="vendored-source-registry-0",
vendored_dir="@vendor@/source-registry-0"
)
next_registry_ind += 1
for pkg in cargo_lock_toml["package"]:
# ignore local dependencies
if "source" not in pkg.keys():
continue
source: str = pkg["source"]
if source in source_to_ind:
continue
if source.startswith("git+"):
ind = f"git-{next_git_ind}"
next_git_ind += 1
source_info = parse_git_source(source, lockfile_version)
selector = make_git_source_selector(source_info)
elif source.startswith("registry+") or source.startswith("sparse+"):
ind = f"registry-{next_registry_ind}"
next_registry_ind += 1
selector = make_registry_source_selector(source)
else:
raise Exception(f"Can't process source: {source}.")
source_to_ind[source] = ind
add_source_replacement(
orig_key=f"original-source-{ind}",
orig_selector=selector,
vendored_key=f"vendored-source-{ind}",
vendored_dir=f"@vendor@/source-{ind}"
)
config_path = out_dir / ".cargo" / "config.toml"
config_path.parent.mkdir()
with open(config_path, "wb") as config_file:
tomli_w.dump({"source": source_config}, config_file)
for pkg in cargo_lock_toml["package"]:
# ignore local dependenices
if "source" not in pkg.keys():
continue
source: str = pkg["source"]
source_ind = source_to_ind[source]
crate_dir_name = f"{pkg["name"]}-{pkg["version"]}"
source_dir_name = f"source-{source_ind}"
crate_out_dir = out_dir / source_dir_name / crate_dir_name
crate_out_dir.parent.mkdir(exist_ok=True)
if source.startswith("git+"):
source_info = parse_git_source(source, lockfile_version)
git_sha_rev = source_info["git_sha_rev"]
git_tree = vendor_staging_dir / "git" / git_sha_rev
copy_and_patch_git_crate_subtree(git_tree, pkg["name"], crate_out_dir)
# git based crates allow having no checksum information
with open(crate_out_dir / ".cargo-checksum.json", "w") as f:
json.dump({"files": {}}, f)
elif source.startswith("registry+") or source.startswith("sparse+"):
filename = f"{pkg["name"]}-{pkg["version"]}.tar.gz"
# TODO: change this when non-crates-io registries are supported
dir_name = "tarballs"
tarball_path = vendor_staging_dir / dir_name / filename
extract_crate_tarball_contents(tarball_path, crate_out_dir)
# non-git based crates need the package checksum at minimum
with open(crate_out_dir / ".cargo-checksum.json", "w") as f:
json.dump({"files": {}, "package": pkg["checksum"]}, f)
else:
raise Exception(f"Can't process source: {source}.")
def main() -> None:
subcommand = sys.argv[1]
subcommand_func_dict = {
"create-vendor-staging": lambda: create_vendor_staging(lockfile_path=Path(sys.argv[2]), out_dir=Path(sys.argv[3])),
"create-vendor": lambda: create_vendor(vendor_staging_dir=Path(sys.argv[2]), out_dir=Path(sys.argv[3]))
}
subcommand_func = subcommand_func_dict.get(subcommand)
if subcommand_func is None:
raise Exception(f"Unknown subcommand: '{subcommand}'. Must be one of {list(subcommand_func_dict.keys())}")
subcommand_func()
if __name__ == "__main__":
main()

View file

@ -40,6 +40,7 @@ def create_http_session() -> requests.Session:
status_forcelist=[500, 502, 503, 504]
)
session = requests.Session()
session.headers["User-Agent"] = "nixpkgs-fetchCargoVendor/2 (https://github.com/NixOS/nixpkgs)"
session.mount('http://', HTTPAdapter(max_retries=retries))
session.mount('https://', HTTPAdapter(max_retries=retries))
return session
@ -68,7 +69,9 @@ def get_download_url_for_tarball(pkg: dict[str, Any]) -> str:
if pkg["source"] != "registry+https://github.com/rust-lang/crates.io-index":
raise Exception("Only the default crates.io registry is supported.")
return f"https://crates.io/api/v1/crates/{pkg["name"]}/{pkg["version"]}/download"
# Use static.crates.io (CDN) instead of crates.io/api to avoid the 1 req/sec
# rate limit on the API servers.
return f"https://static.crates.io/crates/{pkg["name"]}/{pkg["version"]}/download"
def download_tarball(session: requests.Session, pkg: dict[str, Any], out_dir: Path) -> None:
@ -289,6 +292,7 @@ def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None:
lockfile_version = get_lockfile_version(cargo_lock_toml)
source_to_ind: dict[str, str] = {}
selector_to_ind: dict[tuple, str] = {}
source_config = {}
next_registry_ind = 0
next_git_ind = 0
@ -324,24 +328,35 @@ def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None:
continue
if source.startswith("git+"):
ind = f"git-{next_git_ind}"
next_git_ind += 1
source_info = parse_git_source(source, lockfile_version)
selector = make_git_source_selector(source_info)
selector_key = (source_info["url"], source_info["type"], source_info["value"])
if selector_key in selector_to_ind:
ind = selector_to_ind[selector_key]
else:
ind = f"git-{next_git_ind}"
next_git_ind += 1
selector_to_ind[selector_key] = ind
add_source_replacement(
orig_key=f"original-source-{ind}",
orig_selector=selector,
vendored_key=f"vendored-source-{ind}",
vendored_dir=f"@vendor@/source-{ind}"
)
elif source.startswith("registry+") or source.startswith("sparse+"):
ind = f"registry-{next_registry_ind}"
next_registry_ind += 1
selector = make_registry_source_selector(source)
add_source_replacement(
orig_key=f"original-source-{ind}",
orig_selector=selector,
vendored_key=f"vendored-source-{ind}",
vendored_dir=f"@vendor@/source-{ind}"
)
else:
raise Exception(f"Can't process source: {source}.")
source_to_ind[source] = ind
add_source_replacement(
orig_key=f"original-source-{ind}",
orig_selector=selector,
vendored_key=f"vendored-source-{ind}",
vendored_dir=f"@vendor@/source-{ind}"
)
config_path = out_dir / ".cargo" / "config.toml"
config_path.parent.mkdir()

View file

@ -37,29 +37,18 @@ let
"hash"
];
mkFetchCargoVendorUtil =
name: src:
writers.writePython3Bin name {
libraries =
with python3Packages;
[
requests
tomli-w
]
++ requests.optional-dependencies.socks; # to support socks proxy envs like ALL_PROXY in requests
flakeIgnore = [
"E501"
];
} (builtins.readFile src);
# Separate util used only by the FOD `vendorStaging` stage below. Kept
# distinct from fetchCargoVendorUtil so that changes to the network-facing
# bits (User-Agent, download URL) don't invalidate the input-addressed
# `-vendor` stage and force a mass rebuild of every Rust package in nixpkgs.
# vendorStaging is an FOD, so swapping its util is free for consumers.
# TODO: unify with fetchCargoVendorUtil on the next `staging` cycle.
fetchCargoVendorUtilV2 = mkFetchCargoVendorUtil "fetch-cargo-vendor-util-v2" ./fetch-cargo-vendor-util-v2.py;
fetchCargoVendorUtil = mkFetchCargoVendorUtil "fetch-cargo-vendor-util" ./fetch-cargo-vendor-util.py;
fetchCargoVendorUtil = writers.writePython3Bin "fetch-cargo-vendor-util" {
libraries =
with python3Packages;
[
requests
tomli-w
]
++ requests.optional-dependencies.socks; # to support socks proxy envs like ALL_PROXY in requests
flakeIgnore = [
"E501"
];
} (builtins.readFile ./fetch-cargo-vendor-util.py);
in
{
@ -79,7 +68,7 @@ let
impureEnvVars = lib.fetchers.proxyImpureEnvVars;
nativeBuildInputs = [
fetchCargoVendorUtilV2
fetchCargoVendorUtil
cacert
nix-prefetch-git'
]
@ -92,7 +81,7 @@ let
cd "$cargoRoot"
fi
fetch-cargo-vendor-util-v2 create-vendor-staging ./Cargo.lock "$out"
fetch-cargo-vendor-util create-vendor-staging ./Cargo.lock "$out"
runHook postBuild
'';

View file

@ -9,7 +9,7 @@
stdenv.mkDerivation (finalAttrs: {
pname = "assimp";
version = "6.0.4";
version = "6.0.5";
outputs = [
"out"
"lib"
@ -20,7 +20,7 @@ stdenv.mkDerivation (finalAttrs: {
owner = "assimp";
repo = "assimp";
tag = "v${finalAttrs.version}";
hash = "sha256-ryTgsN0z9BZBz7i9aUMKuneN5oqfxpduwJlb+Q0q3Mk=";
hash = "sha256-QWBi1pl5C76UtPhB6SmFipm9oEdnfhELMT3MqfV6oxg=";
};
postPatch = ''

View file

@ -29,7 +29,7 @@
stdenv.mkDerivation (finalAttrs: {
pname = "at-spi2-core";
version = "2.60.1";
version = "2.60.4";
outputs = [
"out"
@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: {
src = fetchurl {
url = "mirror://gnome/sources/at-spi2-core/${lib.versions.majorMinor finalAttrs.version}/at-spi2-core-${finalAttrs.version}.tar.xz";
hash = "sha256-+ZuH48FnT1+8QXzJwdniYcDymqsFUK1jaYBQMdEvaFI=";
hash = "sha256-Gh9bqYBZF/QfxqpoI9z4h6KR1gekJ+LVr7a136ZQcMc=";
};
nativeBuildInputs = [

View file

@ -30,13 +30,13 @@
}:
stdenv.mkDerivation (finalAttrs: {
pname = "audit";
version = "4.1.2-unstable-2025-09-06"; # fixes to non-static builds right after 4.1.2 release
version = "4.1.4";
src = fetchFromGitHub {
owner = "linux-audit";
repo = "audit-userspace";
rev = "cb13fe75ee2c36d5c525ed9de22aae10dbc8caf4";
hash = "sha256-NX0TWA+LtcZgbM9aQfokWv2rGNAAb3ksGqAH8URAkYM=";
tag = "v${finalAttrs.version}";
hash = "sha256-GdJ9nzlDAdOazOHH/YWuEoELrJh+G5ZJUKwIqAKAzpo=";
};
postPatch = ''
@ -132,10 +132,6 @@ stdenv.mkDerivation (finalAttrs: {
# Instead, we load audit rules in a dedicated module.
postFixup = ''
moveToOutput bin/augenrules $scripts
substituteInPlace $scripts/bin/augenrules \
--replace-fail "/sbin/auditctl -R" "$bin/bin/auditctl -R" \
--replace-fail "auditctl -s" "$bin/bin/auditctl -s" \
--replace-fail "/bin/ls" "ls"
wrapProgram $scripts/bin/augenrules \
--prefix PATH : ${
lib.makeBinPath [

View file

@ -0,0 +1,32 @@
From 2a2104f3cff44bb28bb570a093be52bbeeed8f23 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Mon, 11 May 2026 14:56:04 +0200
Subject: [PATCH] event: fix wakeup consumption
The events on a multi wakeup socketpair were only consumed via
curl_multi_poll()/curl_multi_wait() but not in event based processing on
a curl_multi_socket() call. That led to busy loops as reported in
Fixes #21547
Reported-by: Earnestly on github
Closes #21549
---
lib/multi.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib/multi.c b/lib/multi.c
index be32740a7097..5e84133f13fd 100644
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -2703,6 +2703,11 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
Curl_uint32_bset_remove(&multi->dirty, data->mid);
if(data == multi->admin) {
+#ifdef ENABLE_WAKEUP
+ /* Consume any pending wakeup signals before processing.
+ * This is necessary for event based processing. See #21547 */
+ (void)Curl_wakeup_consume(multi->wakeup_pair, TRUE);
+#endif
#ifdef USE_RESOLV_THREADED
Curl_async_thrdd_multi_process(multi);
#endif

View file

@ -96,6 +96,13 @@ stdenv.mkDerivation (finalAttrs: {
hash = "sha256-Y/4twUi6DOromSLvg49+XJRicsLni3xZ+rS3nTziuJY=";
};
patches = [
# https://github.com/curl/curl/commit/2a2104f3cff44bb28bb570a093be52bbeeed8f23
# According to <https://curl.se/mail/distros-2026-05/0000.html>, this fixes
# a performance regression, causing high CPU usage
./fix-wakeup-consumption.patch
];
# this could be accomplished by updateAutotoolsGnuConfigScriptsHook, but that causes infinite recursion
# necessary for FreeBSD code path in configure
postPatch = ''
@ -115,6 +122,7 @@ stdenv.mkDerivation (finalAttrs: {
enableParallelBuilding = true;
strictDeps = true;
__structuredAttrs = true;
env = {
CXX = "${stdenv.cc.targetPrefix}c++";

View file

@ -12,13 +12,13 @@
inherit hamlibSupport gpsdSupport extraScripts;
}).overrideAttrs
(oldAttrs: {
version = "1.8.1-unstable-2026-03-18";
version = "1.8.1-unstable-2026-05-27";
src = fetchFromGitHub {
owner = "wb2osz";
repo = "direwolf";
rev = "78d6559c67b94568b2f093fc9b4d4965749387ae";
hash = "sha256-sSXvDTnrOHplmg86kZ+ppPD0Y6JuhHBfrXZToK8EqmY=";
rev = "d6151874ecf202cbb401a671a90b15d0fab92fa9";
hash = "sha256-t19AjQzjkpteqwfRVI/tM5wCVNeFceWPHjq0UtdevXg=";
};
dontVersionCheck = true;

View file

@ -7,13 +7,13 @@
stdenv.mkDerivation (finalAttrs: {
pname = "doctest";
version = "2.5.0";
version = "2.5.2";
src = fetchFromGitHub {
owner = "doctest";
repo = "doctest";
tag = "v${finalAttrs.version}";
hash = "sha256-7t/eknv7VtHoBgcuJmI07x//HIyqzE9HUuH5u2y7X8A=";
hash = "sha256-4jW6xPFCFxk1l47EkSUVojhycrtluPhOc5Adf/25R7M=";
};
nativeBuildInputs = [ cmake ];
@ -27,6 +27,7 @@ stdenv.mkDerivation (finalAttrs: {
doCheck = true;
meta = {
changelog = "https://github.com/doctest/doctest/releases/tag/${finalAttrs.src.tag}";
homepage = "https://github.com/doctest/doctest";
description = "Fastest feature-rich C++11/14/17/20 single-header testing framework";
platforms = lib.platforms.all;

View file

@ -75,20 +75,17 @@ let
glib
];
pythonPath =
with python3.pkgs;
[
b2sdk
boto3
idna
pygobject3
fasteners
paramiko
pexpect
# Currently marked as broken.
# pydrive2
]
++ paramiko.optional-dependencies.invoke;
pythonPath = with python3.pkgs; [
b2sdk
boto3
idna
pygobject3
fasteners
paramiko
pexpect
# Currently marked as broken.
# pydrive2
];
nativeCheckInputs = [
gnupg # Add 'gpg' to PATH.

View file

@ -3,7 +3,6 @@
stdenv,
buildPackages,
fetchurl,
fetchpatch,
pkg-config,
libuuid,
gettext,
@ -20,25 +19,15 @@
stdenv.mkDerivation rec {
pname = "e2fsprogs";
version = "1.47.3";
version = "1.47.4";
__structuredAttrs = true;
src = fetchurl {
url = "mirror://kernel/linux/kernel/people/tytso/e2fsprogs/v${version}/e2fsprogs-${version}.tar.xz";
hash = "sha256-hX5u+AD+qiu0V4+8gQIUvl08iLBy6lPFOEczqWVzcyk=";
hash = "sha256-/VvziMvb4Aaj07MY2YOylIOCRArMhah/Hn0QhlPo2ws=";
};
patches = [
# Upstream patch that fixes musl build (and probably others).
# Should be included in next release after 1.47.3.
(fetchpatch {
name = "stdio-portability.patch";
url = "https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/patch/?id=f79abd8554e600eacc2a7c864a8332b670c9e262";
hash = "sha256-zZ7zmSMTwGyS3X3b/D/mVG0bV2ul5xtY5DJx9YUvQO8=";
})
];
# fuse2fs adds 14mb of dependencies
outputs = [
"bin"

View file

@ -18,7 +18,7 @@
# files.
let
version = "2.8.0";
version = "2.8.1";
tag = "R_${lib.replaceStrings [ "." ] [ "_" ] version}";
in
stdenv.mkDerivation (finalAttrs: {
@ -29,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: {
url =
with finalAttrs;
"https://github.com/libexpat/libexpat/releases/download/${tag}/${pname}-${version}.tar.xz";
hash = "sha256-o3v64KqXdb2FIevYXcRW1Ibw/zETj2yR/ZAupzJiRUI=";
hash = "sha256-ELGV7ngWCpCDiBgKj+NgPU6aEvR1X79fOBayOp11DaA=";
};
strictDeps = true;

View file

@ -1,6 +1,5 @@
{
fetchurl,
fetchpatch,
stdenv,
lib,
gfortran,
@ -22,24 +21,16 @@ assert lib.elem precision [
stdenv.mkDerivation (finalAttrs: {
pname = "fftw-${precision}";
version = "3.3.10";
version = "3.3.11";
src = fetchurl {
urls = [
"https://fftw.org/fftw-${finalAttrs.version}.tar.gz"
"ftp://ftp.fftw.org/pub/fftw/fftw-${finalAttrs.version}.tar.gz"
];
hash = "sha256-VskyVJhSzdz6/as4ILAgDHdCZ1vpIXnlnmIVs0DiZGc=";
hash = "sha256-VjDCTN6zOxMWEvfrSxqZNCNHVPnziP+GF0WNC+byOaE=";
};
patches = [
(fetchpatch {
name = "remove_missing_FFTW3LibraryDepends.patch";
url = "https://github.com/FFTW/fftw3/pull/338/commits/f69fef7aa546d4477a2a3fd7f13fa8b2f6c54af7.patch";
hash = "sha256-lzX9kAHDMY4A3Td8necXwYLcN6j8Wcegi3A7OIECKeU=";
})
];
outputs = [
"out"
"dev"
@ -107,6 +98,7 @@ stdenv.mkDerivation (finalAttrs: {
__structuredAttrs = true;
meta = {
changelog = "https://github.com/FFTW/fftw3/blob/fftw-${finalAttrs.version}/NEWS";
description = "Fastest Fourier Transform in the West library";
homepage = "https://www.fftw.org/";
license = lib.licenses.gpl2Plus;

View file

@ -2,6 +2,7 @@
lib,
stdenv,
fetchurl,
fetchpatch,
buildPackages,
pkgsHostHost,
pkg-config,
@ -39,7 +40,7 @@
stdenv.mkDerivation (finalAttrs: {
pname = "freetype";
version = "2.14.2";
version = "2.14.3";
src =
let
@ -47,7 +48,7 @@ stdenv.mkDerivation (finalAttrs: {
in
fetchurl {
url = "mirror://savannah/freetype/freetype-${version}.tar.xz";
sha256 = "sha256-S2Lcq0ySChqGA2mTMiGBQ2LmmeJvVXklFtZx5v9VteE=";
sha256 = "sha256-NrxPHMQTM1No7mVsQq/KZcWjmH6HaMwozxG6d154Wl8=";
};
propagatedBuildInputs = [
@ -69,6 +70,53 @@ stdenv.mkDerivation (finalAttrs: {
patches = [
./enable-table-validation.patch
# https://project-zero.issues.chromium.org/issues/505355061
# https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1419
# https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1420
(fetchpatch {
name = "truetype-shz-limit-heap-buffer-overflow-part1.patch";
url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/1803559c4ee407d0bcbf2a67dbe96690cee869d2.patch";
hash = "sha256-zxtJ2pJz8pNofgYrJ6c8/eZqRvxTotanF2IdU9ckpM4=";
})
(fetchpatch {
name = "truetype-shz-limit-heap-buffer-overflow-part2.patch";
url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/7d600a022e1d813e85a8c94ffd395f6135872267.patch";
hash = "sha256-aHE11C9Cr23D2lqNmTVUDA5E07xxUm+AcYdWJG9zLFs=";
})
# https://project-zero.issues.chromium.org/issues/505357209
# https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1421
(fetchpatch {
name = "truetype-iup-integer-overflow.patch";
url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/7974be74d8b5a2fbf99aa88f0461d1f80af51cee.patch";
hash = "sha256-b5Px0ALsnC5K1+601YioAjCLkLVXNnvTIZ1aQtCeNoQ=";
})
# https://project-zero.issues.chromium.org/issues/506902245
# https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1423
# https://gitlab.freedesktop.org/freetype/freetype/-/merge_requests/428
(fetchpatch {
name = "truetype-variation-handling-signednes-mismatch.patch";
url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/0d45c7f1911bc6db0bf072eea0c8cdccd77bc6b3.patch";
hash = "sha256-bw/9O86sZQa+vwdgx2MTqxWi6vjMcRTyC42ba9CaZ3I=";
})
# prerequisite for the below to apply, since this changes formatting of
# affected code.
(fetchpatch {
name = "ftobjs-formatting.patch";
url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/590b77014bd920d0bdf64c039fddbce89a288b83.patch";
hash = "sha256-govOzLBzQMAjSKABVFryDnSn2by2f/W9BgGG3o+qSuE=";
})
# https://project-zero.issues.chromium.org/issues/507321912
# https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1425
(fetchpatch {
name = "sub-byte-bitmaps-heap-buffer-over-read.patch";
url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/cbe12767ea73d1006edc75fcd61c0b0d2a88f34e.patch";
hash = "sha256-jMeqY9uX7Ryfdd8icGDT4kEKl6aGRWafSN8GzOhGW7g=";
})
]
++ lib.optional useEncumberedCode ./enable-subpixel-rendering.patch;

View file

@ -67,13 +67,13 @@ let
in
stdenv.mkDerivation (finalAttrs: {
pname = "ghostscript${lib.optionalString x11Support "-with-X"}";
version = "10.07.0";
version = "10.07.1";
src = fetchurl {
url = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${
lib.replaceStrings [ "." ] [ "" ] finalAttrs.version
}/ghostscript-${finalAttrs.version}.tar.xz";
hash = "sha256-3azk4XIflnpVA5uv9WSEAiXguqHU9UMiR8oczRRzt8E=";
hash = "sha256-HNt2bejbjx5YnIF/CcWFXqX2XfyFQORlpprBTBhBYCU=";
};
patches = [
@ -233,6 +233,7 @@ stdenv.mkDerivation (finalAttrs: {
meta = {
homepage = "https://www.ghostscript.com/";
changelog = "https://ghostscript.readthedocs.io/en/gs${finalAttrs.version}/News.html";
description = "PostScript interpreter (mainline version)";
longDescription = ''
Ghostscript is the name of a set of tools that provides (i) an

View file

@ -34,6 +34,11 @@ stdenv.mkDerivation {
pname = "glfw${lib.optionalString withMinecraftPatch "-minecraft"}";
inherit version;
outputs = [
"out"
"dev"
];
src = fetchFromGitHub {
owner = "glfw";
repo = "GLFW";

View file

@ -48,8 +48,7 @@ stdenv.mkDerivation (finalAttrs: {
hash = "sha256-dOKBl5W2r/QxrqyYPWOpyJaO6roqLrp9+LpMe0Hnz9g=";
};
patches = lib.optionals stdenv.isLinux [
# TODO: apply everywhere on rebuild
patches = [
# This revert a upstream refactor in continuous rendering mode, but this
# causes a big performance regression for big manpages like
# `man 5 configuration.nix`.

View file

@ -95,11 +95,13 @@ stdenv.mkDerivation (finalAttrs: {
hash = "sha256-Ub2fYMfSOmZaVWxzZMIfsuTiglZrPn4JJFXo+RAzCJM=";
};
patches = lib.optional stdenv.hostPlatform.is32bit (fetchpatch {
name = "fix-32bit-VkImage-null.patch";
url = "https://gitlab.gnome.org/GNOME/gtk/-/commit/10d43de8f4f942cb591ada3103474bd7213425f1.patch";
hash = "sha256-DJIL6M3XcsjBoMO77OxNi84d1DxAphAfot3N7Nq1QqQ=";
});
patches = [
(fetchpatch {
name = "fix-32bit-VkImage-null.patch";
url = "https://gitlab.gnome.org/GNOME/gtk/-/commit/10d43de8f4f942cb591ada3103474bd7213425f1.patch";
hash = "sha256-DJIL6M3XcsjBoMO77OxNi84d1DxAphAfot3N7Nq1QqQ=";
})
];
depsBuildBuild = [
pkg-config

View file

@ -88,13 +88,13 @@ in
stdenv.mkDerivation (finalAttrs: {
pname = "imagemagick";
version = "7.1.2-23";
version = "7.1.2-24";
src = fetchFromGitHub {
owner = "ImageMagick";
repo = "ImageMagick";
tag = finalAttrs.version;
hash = "sha256-zYk75q+EyWq5g/AHFU6v8a7gye0aDAEe/ZZvjqR9ZTc=";
hash = "sha256-oSH0dsQ3cuFNYJIIr6LHbv82FbFxxcmkjQ5csTNsYCA=";
};
outputs = [

View file

@ -0,0 +1,61 @@
From acea6182e46fff3d1d64a3172cdff307b07ca441 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 8 Apr 2026 17:57:59 -0400
Subject: [PATCH] Fix two NegoEx parsing vulnerabilities
In parse_nego_message(), check the result of the second call to
vector_base() before dereferencing it. In parse_message(), check for
a short header_len to prevent an integer underflow when calculating
the remaining message length.
Reported by Cem Onat Karagun.
CVE-2026-40355:
In MIT krb5 release 1.18 and later, if an application calls
gss_accept_sec_context() on a system with a NegoEx mechanism
registered in /etc/gss/mech, an unauthenticated remote attacker can
trigger a null pointer dereference, causing the process to terminate.
CVE-2026-40356:
In MIT krb5 release 1.18 and later, if an application calls
gss_accept_sec_context() on a system with a NegoEx mechanism
registered in /etc/gss/mech, an unauthenticated remote attacker can
trigger a read overrun of up to 52 bytes, possibly causing the process
to terminate. Exfiltration of the bytes read does not appear
possible.
(cherry picked from commit 2e75f0d9362fb979f5fc92829431a590a130929f)
ticket: 9205
version_fixed: 1.22.3
---
lib/gssapi/spnego/negoex_util.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/gssapi/spnego/negoex_util.c b/src/lib/gssapi/spnego/negoex_util.c
index edc5462e844..a65238e5730 100644
--- a/lib/gssapi/spnego/negoex_util.c
+++ b/lib/gssapi/spnego/negoex_util.c
@@ -253,6 +253,10 @@ parse_nego_message(OM_uint32 *minor, struct k5input *in,
offset = k5_input_get_uint32_le(in);
count = k5_input_get_uint16_le(in);
p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len);
+ if (p == NULL) {
+ *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
for (i = 0; i < count; i++) {
extension_type = load_32_le(p + i * EXTENSION_LENGTH);
if (extension_type & EXTENSION_FLAG_CRITICAL) {
@@ -391,7 +395,8 @@ parse_message(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, struct k5input *in,
msg_len = k5_input_get_uint32_le(in);
conv_id = k5_input_get_bytes(in, GUID_LENGTH);
- if (in->status || msg_len > token_remaining || header_len > msg_len) {
+ if (in->status || msg_len > token_remaining ||
+ header_len < (size_t)(in->ptr - msg_base) || header_len > msg_len) {
*minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
return GSS_S_DEFECTIVE_TOKEN;
}

View file

@ -34,16 +34,20 @@
stdenv.mkDerivation (finalAttrs: {
pname = "krb5";
version = "1.22.1";
version = "1.22.2";
__structuredAttrs = true;
src = fetchurl {
url = "https://kerberos.org/dist/krb5/${lib.versions.majorMinor finalAttrs.version}/krb5-${finalAttrs.version}.tar.gz";
hash = "sha256-GogyuMrZI+u/E5T2fi789B46SfRgKFpm41reyPoAU68=";
hash = "sha256-MkP/vI6k1Kwi3cfdKh3FTFeHTEBki2D/lwCXY1VOrxM=";
};
patches = lib.optionals stdenv.hostPlatform.isFreeBSD [
patches = [
# https://github.com/krb5/krb5/pull/1506
./CVE-2026-40355-and-CVE-2026-40356.patch
]
++ lib.optionals stdenv.hostPlatform.isFreeBSD [
(fetchpatch {
name = "fix-missing-ENODATA.patch";
url = "https://cgit.freebsd.org/ports/plain/security/krb5-122/files/patch-lib_krad_packet.c?id=0501f716c4aff7880fde56e42d641ef504593b7d";
@ -170,6 +174,7 @@ stdenv.mkDerivation (finalAttrs: {
];
meta = {
changelog = "https://web.mit.edu/Kerberos/krb5-${lib.versions.majorMinor finalAttrs.version}/";
description = "MIT Kerberos 5";
homepage = "http://web.mit.edu/kerberos/";
license = lib.licenses.mit;

View file

@ -23,7 +23,7 @@
stdenv.mkDerivation (finalAttrs: {
pname = "libadwaita";
version = "1.9.0";
version = "1.9.1";
outputs = [
"out"
@ -37,7 +37,7 @@ stdenv.mkDerivation (finalAttrs: {
owner = "GNOME";
repo = "libadwaita";
tag = finalAttrs.version;
hash = "sha256-JAKP8CjLCKGZvHoB26ih/J3xAru4wiVf/ObG0L8r4pY=";
hash = "sha256-Oy3WcsymNbbmAacm5hEOrorI1wKXjSp063mh4jCJRAE=";
};
depsBuildBuild = [

View file

@ -7,13 +7,13 @@
stdenv.mkDerivation (finalAttrs: {
pname = "libaec";
version = "1.1.6";
version = "1.1.7";
src = fetchFromGitHub {
owner = "Deutsches-Klimarechenzentrum";
repo = "libaec";
tag = "v${finalAttrs.version}";
hash = "sha256-cxDP+JNwokxgzH9hO2zw+rIcz8XG7E8ujbAbWpgUEW8=";
hash = "sha256-aBm+CXCq7sdJb6Qq9sNuTzNj0nRwTJI20HsqUg1Qi/8=";
};
nativeBuildInputs = [

View file

@ -44,9 +44,7 @@ stdenv.mkDerivation (finalAttrs: {
fribidi
harfbuzz
]
++ lib.optional fontconfigSupport fontconfig
# TODO: remove dep after branchoff (in darwin stdenv)
++ lib.optional stdenv.hostPlatform.isDarwin libiconv.out;
++ lib.optional fontconfigSupport fontconfig;
meta = {
description = "Portable ASS/SSA subtitle renderer";

View file

@ -2,6 +2,7 @@
lib,
stdenv,
fetchFromGitHub,
fetchpatch,
autoreconfHook,
imlib2,
libxext,
@ -23,6 +24,14 @@ stdenv.mkDerivation (finalAttrs: {
hash = "sha256-N0Lfi0d4kjxirEbIjdeearYWvStkKMyV6lgeyNKXcVw=";
};
patches = [
(fetchpatch {
name = "CVE-2026-42046.patch";
url = "https://github.com/cacalabs/libcaca/commit/fb77acff9ba6bb01d53940da34fb10f20b156a23.patch";
hash = "sha256-AdpiE5Gw/CVET//7TTYZCb0glW5HY+T8xZkYs1XCBvY=";
})
];
nativeBuildInputs = [
autoreconfHook
pkg-config

View file

@ -15,14 +15,14 @@
}:
stdenv.mkDerivation (finalAttrs: {
version = "1.0.18";
version = "1.1.1";
pname = "libde265";
src = fetchFromGitHub {
owner = "strukturag";
repo = "libde265";
tag = "v${finalAttrs.version}";
hash = "sha256-N6K82ElrzrMSNKfPTDsc5onrxucIJ8niwFgbaEPPd2I=";
hash = "sha256-ZHfPC86oylqt2bwWMJRWVjdMEEmX6UOKR7XkR0HPyok=";
};
nativeBuildInputs = [
@ -43,6 +43,7 @@ stdenv.mkDerivation (finalAttrs: {
meta = {
homepage = "https://github.com/strukturag/libde265";
changelog = "https://github.com/strukturag/libde265/releases/tag/${finalAttrs.src.tag}";
description = "Open h.265 video codec implementation";
mainProgram = "dec265";
license = lib.licenses.lgpl3;

View file

@ -17,11 +17,11 @@ assert enableCapabilities -> stdenv.hostPlatform.isLinux;
stdenv.mkDerivation rec {
pname = "libgcrypt";
version = "1.11.2";
version = "1.12.2";
src = fetchurl {
url = "mirror://gnupg/libgcrypt/${pname}-${version}.tar.bz2";
hash = "sha256-a6Wd0ZInDowdIt20GgfZXc28Hw+wLQPEtUsjWBQzCqw=";
hash = "sha256-fOM8JJIiGgQ2+WqFACFenz49y1/SanV81BXnqEO6vV4=";
};
outputs = [
@ -73,17 +73,6 @@ stdenv.mkDerivation rec {
postConfigure = ''
sed -i configure \
-e 's/NOEXECSTACK_FLAGS=$/NOEXECSTACK_FLAGS="-Wa,--noexecstack"/'
''
# The cipher/simd-common-riscv.h wasn't added to the release tarball, please remove this hack on next version update
# https://dev.gnupg.org/T7647
+ lib.optionalString stdenv.hostPlatform.isRiscV ''
cp ${
fetchurl {
url = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob_plain;f=cipher/simd-common-riscv.h;h=8381000f9ac148c60a6963a1d9ec14a3fee1c576;hb=81ce5321b1b79bde6dfdc3c164efb40c13cf656b";
hash = "sha256-Toe15YLAOYULnLc2fGMMv/xzs/q1t3LsyiqtL7imc+8=";
name = "simd-common-riscv.h";
}
} cipher/simd-common-riscv.h
'';
enableParallelBuilding = true;

View file

@ -24,7 +24,7 @@
stdenv.mkDerivation (finalAttrs: {
pname = "libheif";
version = "1.21.2";
version = "1.23.0";
outputs = [
"bin"
@ -38,7 +38,7 @@ stdenv.mkDerivation (finalAttrs: {
owner = "strukturag";
repo = "libheif";
rev = "v${finalAttrs.version}";
hash = "sha256-odkJ0wZSGoZ7mX9fkaNREDpMvQuQA9HKaf3so1dYrbc=";
hash = "sha256-+LbYwDSxixy4TaraUCN2LiCnn32dkMppCA8EOFXbvtg=";
};
nativeBuildInputs = [

View file

@ -11,10 +11,10 @@
assert zlib != null;
let
patchVersion = "1.6.56";
patchVersion = "1.6.58";
patch_src = fetchurl {
url = "mirror://sourceforge/libpng-apng/libpng-${patchVersion}-apng.patch.gz";
hash = "sha256-nOMtSidjoqxfJYcmui9J6QETJ8HujDCGKjLQ8wiJ++g=";
hash = "sha256-7ufeoi7VAoaAF5cchsY8TtHmCF3guuv9zD0zIvAPPrA=";
};
whenPatched = lib.optionalString apngSupport;
@ -24,11 +24,11 @@ let
in
stdenv'.mkDerivation (finalAttrs: {
pname = "libpng" + whenPatched "-apng";
version = "1.6.56";
version = "1.6.58";
src = fetchurl {
url = "mirror://sourceforge/libpng/libpng-${finalAttrs.version}.tar.xz";
hash = "sha256-99i/FgG3gE9YOiVKs0OmVJymzyfSVcMCxHry2dNqbxg=";
hash = "sha256-KOtAP1Hw90BSSRMs7P6C6lwO+X8bMsWmWCiBSuDTR3U=";
};
postPatch =
whenPatched "gunzip < ${patch_src} | patch -Np1"

View file

@ -23,6 +23,9 @@ let
pname = "libressl";
inherit version;
strictDeps = true;
__structuredAttrs = true;
src = fetchurl {
url = "mirror://openbsd/LibreSSL/libressl-${version}.tar.gz";
inherit hash;
@ -60,6 +63,23 @@ let
preCheck = ''
export PREVIOUS_${ldLibPathEnvName}=$${ldLibPathEnvName}
export ${ldLibPathEnvName}="$${ldLibPathEnvName}:$(realpath tls/):$(realpath ssl/):$(realpath crypto/)"
''
+ lib.optionalString stdenv.hostPlatform.isElf ''
# Bail if any shared object has executable stack enabled. This can
# happen when an object produced from an assmbly file in libcrypto is
# missing a .note.GNU-stack section. An executable stack is dangerous
# and unintentional, but without this check the derivation will build
# and even run if W^X is not enforced; it would fail dangerously.
objdump -p **/*.so | awk '
BEGIN { res = 0 }
/file format/ { file = $1 }
/STACK/ { stack = 1; next }
stack {
if ($0 ~ /flags.*x/) { print file " has executable stack"; res = 1 }
stack = 0
}
END { exit res }
'
'';
postCheck = ''
export ${ldLibPathEnvName}=$PREVIOUS_${ldLibPathEnvName}
@ -96,6 +116,7 @@ let
maintainers = with lib.maintainers; [
thoughtpolice
fpletz
ruuda
];
inherit knownVulnerabilities;
@ -111,32 +132,17 @@ let
identifiers.cpeParts = lib.meta.cpeFullVersionWithVendor "openbsd" version;
};
};
# https://github.com/libressl/portable/pull/1206
# This got merged in February 2026 and is included as of LibreSSL 4.3.0.
common-cmake-install-full-dirs-patch = fetchpatch {
url = "https://github.com/libressl/portable/commit/a15ea0710398eaeed3be53cf643e80a1e80c981d.patch";
hash = "sha256-Mlf4SrGCCqALQicbGtmVGdkdfcE8DEGYkOuVyG2CozM=";
};
in
{
libressl_4_1 = generic {
version = "4.1.2";
hash = "sha256-+6Ti+ip/UjBt96OJlwoQ6YuX6w7bKZqf252/SZmcYeE=";
# Fixes build on loongarch64
# https://github.com/libressl/portable/pull/1184
postPatch = ''
mkdir -p include/arch/loongarch64
cp ${
fetchurl {
url = "https://github.com/libressl/portable/raw/refs/tags/v4.1.0/include/arch/loongarch64/opensslconf.h";
hash = "sha256-68dw5syUy1z6GadCMR4TR9+0UQX6Lw/CbPWvjHGAhgo=";
}
} include/arch/loongarch64/opensslconf.h
'';
patches = [
common-cmake-install-full-dirs-patch
];
};
# 4.2 was released October 2025 and will become unsupported on October 22,
# 2026, one year after the release of OpenBSD 7.8.
libressl_4_2 = generic {
version = "4.2.1";
hash = "sha256-bVwvWFg1iOp5H0yGRQBAcdAN+lVKW/eIoAbKHrWr1ws=";
@ -144,4 +150,24 @@ in
common-cmake-install-full-dirs-patch
];
};
# 4.3 was released April 2026 and will become unsupported one year after the
# release of OpenBSD 7.9.
libressl_4_3 = generic {
version = "4.3.1";
hash = "sha256-wttCrOFOfVQZgm+rNadC7G5NEnJaBRpR0M6jwQug+lA=";
patches = [
# Fix for https://github.com/libressl/portable/issues/1278, where LibreSSL
# 4.3 started requiring executable stack because some objects were missing
# a .note.GNU-stack section; will probably be included in the next release.
(fetchpatch {
url = "https://raw.githubusercontent.com/libressl/portable/4dae91d056c6c75ba5cf2bc5e6148b8e02239119/patches/gnu-stack.patch";
hash = "sha256-Q1oWL4N8w5Zmjfq5QkTJR53NgZ4GqChSDaBicli5G2I=";
# This patch is written to be applied with -p0, with no leading path
# component, but Nix applies with -p1 by default, so we add it to not
# break compatibility with how other patches must be applied.
decode = "sed 's|^--- |--- a/|; s|^+++ |+++ b/|'";
})
];
};
}

View file

@ -19,7 +19,7 @@ SSH_DEFAULT_OPTS: Final = [
"-o",
"ControlMaster=auto",
"-o",
f"ControlPath={tmpdir.TMPDIR_PATH / 'ssh-%n'}",
f"ControlPath={tmpdir.TMPDIR_PATH / 'ssh-%C'}",
"-o",
"ControlPersist=60",
]

View file

@ -12,13 +12,13 @@ let
in
stdenv.mkDerivation (finalAttrs: {
pname = "openapv";
version = "0.2.1.2";
version = "0.2.1.3";
src = fetchFromGitHub {
owner = "AcademySoftwareFoundation";
repo = "openapv";
tag = "v${finalAttrs.version}";
hash = "sha256-wxncN7j5p0GXpWhOx4Ix0oTgGK2sIrfJgQ45fFwmQBI=";
tag = "v${finalAttrs.version}-fix"; # Remove the `-fix` suffix after the next version
hash = "sha256-lc/x2dWh6T8c63siHB32ka+SPVYTTyaO4YrQ12EbGqw=";
};
postPatch = ''

View file

@ -122,6 +122,8 @@ stdenv.mkDerivation (finalAttrs: {
# https://bugs.openldap.org/show_bug.cgi?id=8623
rm -f tests/scripts/test022-ppolicy
rm -f tests/scripts/test*-sync*
rm -f tests/scripts/test063-delta-multiprovider
# https://bugs.openldap.org/show_bug.cgi?id=10009

View file

@ -7,13 +7,13 @@
stdenvNoCC.mkDerivation {
pname = "publicsuffix-list";
version = "0-unstable-2026-03-26";
version = "0-unstable-2026-05-13";
src = fetchFromGitHub {
owner = "publicsuffix";
repo = "list";
rev = "d333b72b39575da1ce6932b01d7c421a4107c620";
hash = "sha256-LWnvQrIyj+iq96T1u9WEq+HGOZ5sJYN5nCintEr6sBk=";
rev = "e452c7058d6946bd76952b128c12f5ce87a5acb8";
hash = "sha256-5D4RZAyJOL4hMU32Rmp3SYmjgqEtF36mZJr4YBG0k7E=";
};
dontBuild = true;

View file

@ -1,56 +0,0 @@
From 9b104ed9859f17b6ed4c4ad01806c75a0c197dd7 Mon Sep 17 00:00:00 2001
From: Emily <hello@emily.moe>
Date: Tue, 5 Aug 2025 15:55:24 +0100
Subject: [PATCH] Allow `ls(1)` to fail in test setup
This can happen when the tests are unable to `stat(2)` some files in
`/etc`, `/bin`, or `/`, due to Unix permissions or other sandboxing. We
still guard against serious errors, which use exit code 2.
---
testsuite/longdir.test | 4 ++--
testsuite/rsync.fns | 8 ++++----
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/testsuite/longdir.test b/testsuite/longdir.test
index 8d66bb5f..26747292 100644
--- a/testsuite/longdir.test
+++ b/testsuite/longdir.test
@@ -16,9 +16,9 @@ makepath "$longdir" || test_skipped "unable to create long directory"
touch "$longdir/1" || test_skipped "unable to create files in long directory"
date > "$longdir/1"
if [ -r /etc ]; then
- ls -la /etc >"$longdir/2"
+ ls -la /etc >"$longdir/2" || [ $? -eq 1 ]
else
- ls -la / >"$longdir/2"
+ ls -la / >"$longdir/2" || [ $? -eq 1 ]
fi
checkit "$RSYNC --delete -avH '$fromdir/' '$todir'" "$fromdir/" "$todir"
diff --git a/testsuite/rsync.fns b/testsuite/rsync.fns
index 2ab97b69..f7da363f 100644
--- a/testsuite/rsync.fns
+++ b/testsuite/rsync.fns
@@ -195,15 +195,15 @@ hands_setup() {
echo some data > "$fromdir/dir/subdir/foobar.baz"
mkdir "$fromdir/dir/subdir/subsubdir"
if [ -r /etc ]; then
- ls -ltr /etc > "$fromdir/dir/subdir/subsubdir/etc-ltr-list"
+ ls -ltr /etc > "$fromdir/dir/subdir/subsubdir/etc-ltr-list" || [ $? -eq 1 ]
else
- ls -ltr / > "$fromdir/dir/subdir/subsubdir/etc-ltr-list"
+ ls -ltr / > "$fromdir/dir/subdir/subsubdir/etc-ltr-list" || [ $? -eq 1 ]
fi
mkdir "$fromdir/dir/subdir/subsubdir2"
if [ -r /bin ]; then
- ls -lt /bin > "$fromdir/dir/subdir/subsubdir2/bin-lt-list"
+ ls -lt /bin > "$fromdir/dir/subdir/subsubdir2/bin-lt-list" || [ $? -eq 1 ]
else
- ls -lt / > "$fromdir/dir/subdir/subsubdir2/bin-lt-list"
+ ls -lt / > "$fromdir/dir/subdir/subsubdir2/bin-lt-list" || [ $? -eq 1 ]
fi
# echo testing head:
--
2.50.1

View file

@ -1,12 +1,12 @@
{
lib,
stdenv,
fetchpatch,
fetchurl,
fetchpatch,
updateAutotoolsGnuConfigScriptsHook,
perl,
python3,
libiconv,
zlib,
popt,
@ -29,24 +29,29 @@
stdenv.mkDerivation (finalAttrs: {
pname = "rsync";
version = "3.4.1";
version = "3.4.4";
src = fetchurl {
# signed with key 9FEF 112D CE19 A0DC 7E88 2CB8 1BB2 4997 A853 5F6F
url = "mirror://samba/rsync/src/rsync-${finalAttrs.version}.tar.gz";
hash = "sha256-KSS8s6Hti1UfwQH3QLnw/gogKxFQJ2R89phQ1l/YjFI=";
hash = "sha256-vYjPgvplPaMjFPsikTZAfFyQ+A0XWNj0sJF2eHfY+pY=";
};
patches = [
# See: <https://github.com/RsyncProject/rsync/pull/790>
./fix-tests-in-darwin-sandbox.patch
# fix compilation with gcc15
patches = lib.optionals (stdenv.hostPlatform.isDarwin) [
# Fixes test failure on darwin
(fetchpatch {
url = "https://github.com/RsyncProject/rsync/commit/a4b926dcdce96b0f2cc0dc7744e95747b233500a.patch";
hash = "sha256-UiEQJ+p2gtIDYNJqnxx4qKgItKIZzCpkHnvsgoxBmSE=";
url = "https://github.com/RsyncProject/rsync/commit/e1c5f0e93a75dd45f32f3b92ba221ef158ac2e5f.patch";
hash = "sha256-pg65K9BCTq/WvS5icK6KT28ARccFKedp2445wLYdRsE=";
excludes = [
".github/workflows/cygwin-build.yml"
];
})
];
preBuild = ''
patchShebangs ./runtests.py
'';
nativeBuildInputs = [
updateAutotoolsGnuConfigScriptsHook
perl
@ -86,6 +91,15 @@ stdenv.mkDerivation (finalAttrs: {
passthru.tests = { inherit (nixosTests) rsyncd; };
nativeCheckInputs = [
python3
];
# Test fails when built in a chroot store
preCheck = ''
rm testsuite/chgrp.test
'';
doCheck = true;
__darwinAllowLocalNetworking = true;

View file

@ -14,16 +14,16 @@
rustPlatform.buildRustPackage (finalAttrs: {
pname = "rust-cbindgen";
version = "0.29.2";
version = "0.29.3";
src = fetchFromGitHub {
owner = "mozilla";
repo = "cbindgen";
rev = "v${finalAttrs.version}";
hash = "sha256-P2A+XSLrcuYsI48gnZSNNs5qX+EatiuEJSEJbMvMSxg=";
hash = "sha256-d0rY7Sk37s8HEZlQq9Sbjj1P+DgygD0Yjx8cXlFKEIA=";
};
cargoHash = "sha256-DbmlpjiOraLWPh5RgJqCIGIYzE1h82MH2S6gpLH+CIQ=";
cargoHash = "sha256-UeierkQpfCiB5ES9ZW9hO+0AcI9Ip8qSJ/Nd+I1xrmQ=";
nativeCheckInputs = [
cmake

View file

@ -70,7 +70,7 @@ assert lib.assertMsg (ibusSupport -> dbusSupport) "SDL3 requires dbus support to
stdenv.mkDerivation (finalAttrs: {
pname = "sdl3";
version = "3.4.8";
version = "3.4.10";
outputs = [
"lib"
@ -83,14 +83,21 @@ stdenv.mkDerivation (finalAttrs: {
owner = "libsdl-org";
repo = "SDL";
tag = "release-${finalAttrs.version}";
hash = "sha256-uBGyGxrUVx642Ku8qhR2sTy2JagcSioIhh/5RsXVAIM=";
hash = "sha256-6Dph2eLiJUmpQzPWe8EuY5LrWhrFwde2f2dwfgCcWNw=";
};
postPatch =
# Tests timeout on Darwin
lib.optionalString (finalAttrs.finalPackage.doCheck) ''
# Tests timeout on Darwin
substituteInPlace test/CMakeLists.txt \
--replace-fail 'set(noninteractive_timeout 10)' 'set(noninteractive_timeout 30)'
# intermittent test failure
# https://github.com/libsdl-org/SDL/issues/15346
substituteInPlace test/CMakeLists.txt \
--replace-fail \
'add_sdl_test_executable(testrwlock SOURCES testrwlock.c NONINTERACTIVE NONINTERACTIVE_TIMEOUT 20)' \
'add_sdl_test_executable(testrwlock SOURCES testrwlock.c NONINTERACTIVE NONINTERACTIVE_TIMEOUT 300)'
''
+ lib.optionalString waylandSupport ''
substituteInPlace src/dialog/unix/SDL_zenitymessagebox.c \

View file

@ -7,13 +7,13 @@
stdenv.mkDerivation (finalAttrs: {
pname = "simdjson";
version = "4.6.0";
version = "4.6.4";
src = fetchFromGitHub {
owner = "simdjson";
repo = "simdjson";
tag = "v${finalAttrs.version}";
hash = "sha256-VGErBWAHk63XMv8yC+Na+gXHByhYhtIEMSBySwIDlXk=";
hash = "sha256-8oQzsR7DSaNTN9su1uI9tRQ9HvOwXShPwSrnQj8+lGM=";
};
nativeBuildInputs = [ cmake ];

View file

@ -57,13 +57,13 @@
stdenv.mkDerivation (finalAttrs: {
pname = "unbound";
version = "1.25.0";
version = "1.25.1";
src = fetchFromGitHub {
owner = "NLnetLabs";
repo = "unbound";
tag = "release-${finalAttrs.version}";
hash = "sha256-BAqGNi5lfYYTQd7CPH0lssLc5/AkeuKSVEFcrF/cNyc=";
hash = "sha256-1PXnxCPxoB5IrVBQIsrxiWAq+IoH7Ma9T1TTJsoTJc4=";
};
outputs = [

View file

@ -2,7 +2,6 @@
lib,
stdenv,
fetchFromGitHub,
fetchpatch,
lua,
jemalloc,
pkg-config,
@ -25,13 +24,13 @@
stdenv.mkDerivation (finalAttrs: {
pname = "valkey";
version = "9.0.4";
version = "9.1.0";
src = fetchFromGitHub {
owner = "valkey-io";
repo = "valkey";
rev = finalAttrs.version;
hash = "sha256-FDm6i6G6h9WapMTj7ke4YtOjZ4rwIJZGONunQi0v7CE=";
hash = "sha256-RMZz83fycpOTPWB1dIXU0/hdh4ZGC+6JhCws8htAQ5E=";
};
patches = lib.optional useSystemJemalloc ./use_system_jemalloc.patch;
@ -94,13 +93,14 @@ stdenv.mkDerivation (finalAttrs: {
fi
# Skip some more flaky tests.
# Skip test requiring custom jemalloc (unit/memefficiency).
# Skip test requiring custom jemalloc (unit/memefficiency, unit/type/string).
./runtest \
--no-latency \
--timeout 2000 \
--clients "$CLIENTS" \
--tags -leaks \
--skipunit unit/memefficiency \
--skipunit unit/type/string \
--skipunit integration/failover \
--skipunit integration/aof-multi-part

View file

@ -38,13 +38,7 @@
stdenv.mkDerivation (finalAttrs: {
pname = "xvfb";
# TODO: rebuild avoidance. revert on staging.
# inherit (xorg-server) src version;
version = "21.1.22";
src = fetchurl {
url = "mirror://xorg/individual/xserver/xorg-server-${finalAttrs.version}.tar.xz";
hash = "sha256-GiQsiRfEm6KczB9gIWE9iiuYBd0NJxpmrp0J9LC7BrM=";
};
inherit (xorg-server) src version;
strictDeps = true;

View file

@ -25,11 +25,11 @@ let
in
stdenv.mkDerivation (finalAttrs: {
pname = "go";
version = "1.26.3";
version = "1.26.4";
src = fetchurl {
url = "https://go.dev/dl/go${finalAttrs.version}.src.tar.gz";
hash = "sha256-HGRoddCqh5kTMYTtV895/yS97+jIggRwYCqdPW2Rkrg=";
hash = "sha256-T2aKMvv8ETLmqIH7lowvHa2mMUkqM5IRc1+7JVpCYC0=";
};
strictDeps = true;

View file

@ -3,6 +3,7 @@
stdenv,
pkgsHostHost,
pkgsBuildBuild,
fetchpatch,
file,
curl,
pkg-config,
@ -26,6 +27,23 @@ rustPlatform.buildRustPackage.override
pname = "cargo";
inherit (rustc.unwrapped) version src;
patches = [
(fetchpatch {
name = "CVE-2026-5222.patch";
url = "https://github.com/rust-lang/cargo/commit/c4d63a44234de22dc745231c416b80ed848d997f.patch";
stripLen = 1;
extraPrefix = "src/tools/cargo/";
hash = "sha256-YG7xtC308z+o1xVzrV81qqWov1121GVouyAXKflyBF8=";
})
(fetchpatch {
name = "CVE-2026-5223.patch";
url = "https://github.com/rust-lang/cargo/commit/285cebf58911eca5b7f177f5d0b1c53e1f646577.patch";
stripLen = 1;
extraPrefix = "src/tools/cargo/";
hash = "sha256-DbmPQ31N4AIYZEBiwwGAn59hgPsFEVTzA6PrI071LXE=";
})
];
# the rust source tarball already has all the dependencies vendored, no need to fetch them again
cargoVendorDir = "vendor";
buildAndTestSubdir = "src/tools/cargo";

View file

@ -0,0 +1,20 @@
Targeted patch for CVE-2026-8376, based on 5e7f119eb2bb1181be908701f22bf7068e722f1c but avoids changes to t/re/pat_psycho.t as they do not apply cleanly.
diff --git a/regcomp_study.c b/regcomp_study.c
index b513454a4258..1602663f4b26 100644
--- a/regcomp_study.c
+++ b/regcomp_study.c
@@ -2784,6 +2784,13 @@ Perl_study_chunk(pTHX_
(U8 *) SvEND(data->last_found))
- (U8*)s;
l -= old;
+
+ if (l > 0 &&
+ (mincount >= SSize_t_MAX / (SSize_t)l
+ || old > SSize_t_MAX - mincount * (SSize_t)l)) {
+ FAIL("Regexp out of space");
+ }
+
/* Get the added string: */
last_str = newSVpvn_utf8(s + old, l, UTF);
last_chrs = UTF ? utf8_length((U8*)(s + old),

View file

@ -36,6 +36,8 @@ let
commonPatches = [
# Do not look in /usr etc. for dependencies.
./no-sys-dirs.patch
./CVE-2026-8376.patch
]
# Fix build on Solaris on x86_64
@ -79,6 +81,61 @@ let
# Some more details: https://arsv.github.io/perl-cross/modules.html
++ lib.optional crossCompiling ./cross.patch;
# Inject fixed CPAN releases for bundled dual-life distributions until the
# next perl maintenance release includes them.
vendoredPerlDistributions = [
{
# CVE-2026-7010
path = "cpan/HTTP-Tiny";
src = fetchurl {
url = "mirror://cpan/authors/id/H/HA/HAARG/HTTP-Tiny-0.094.tar.gz";
hash = "sha256-poQemfwbVdFd6VlHzL17dnvsxRxxAhl/qPBE333cB0M=";
};
}
{
# CVE-2026-3381, CVE-2026-4176
path = "cpan/Compress-Raw-Zlib";
src = fetchurl {
url = "mirror://cpan/authors/id/P/PM/PMQS/Compress-Raw-Zlib-2.222.tar.gz";
hash = "sha256-Hf19URplVifIGBXTDTurwo+luIRV/wP4sECZ3LUShrg=";
};
}
{
# Runtime dependency of IO-Compress 2.220.
path = "cpan/Compress-Raw-Bzip2";
src = fetchurl {
url = "mirror://cpan/authors/id/P/PM/PMQS/Compress-Raw-Bzip2-2.218.tar.gz";
hash = "sha256-iRU+ai69pSNJSTsHT6S3VJ/x+QU952E8GKXgXFtBX6g=";
};
}
{
# CVE-2026-48962, CVE-2026-48961, CVE-2026-48959
path = "cpan/IO-Compress";
src = fetchurl {
url = "mirror://cpan/authors/id/P/PM/PMQS/IO-Compress-2.220.tar.gz";
hash = "sha256-nZbqKR8sVO82fHOWuFfZO6GsHEsvG84T7Yo+Xz7rtic=";
};
}
{
# CVE-2026-42496, CVE-2026-42497, CVE-2026-9538
path = "cpan/Archive-Tar";
src = fetchurl {
url = "mirror://cpan/authors/id/B/BI/BINGOS/Archive-Tar-3.12.tar.gz";
hash = "sha256-ARTvObZfSfiWgoOrR3Gdfoj5jXNg/jZJvjMcf1PVgyw=";
};
}
];
replaceVendoredPerlDistributions = lib.concatMapStringsSep "\n" (d: ''
rm -rf ${d.path}
mkdir -p ${d.path}
tar --strip-components=1 -C ${d.path} -xf ${d.src}
# Remove executable bits to make t/porting/exec-bit.t happy.
find ${d.path} -type f -exec chmod a-x {} +
'') vendoredPerlDistributions;
libc = if stdenv.cc.libc or null != null then stdenv.cc.libc else "/usr";
libcInc = lib.getDev libc;
libcLib = lib.getLib libc;
@ -136,10 +193,10 @@ stdenv.mkDerivation (
--replace "/bin/pwd" "$(type -P pwd)"
''
)
+
# Perl's build system uses the src variable, and its value may end up in
# the output in some cases (when cross-compiling)
''
+ replaceVendoredPerlDistributions
+ ''
# Perl's build system uses the src variable, and its value may end up in
# the output in some cases (when cross-compiling).
unset src
'';

View file

@ -30,8 +30,8 @@ let
hash = "sha256-GDN0+tJY8Nap9UkNUfzqT9cGV1IVCuy5Du/64G+8QdE=";
};
v8 = {
version = "8.1";
hash = "sha256-FdKhhCveEo5UodEoyUh3aBHABv3OT2VXmwBXE1ce3p0=";
version = "8.1.1";
hash = "sha256-WPGfjTZjsgpR5QiANRWF4g6LF2ejGzFQUrLjhzw9cfQ=";
};
in

View file

@ -7154,3 +7154,762 @@ index 00181cfefb..e83ea2b939 100644
TEST_VERIFY (ret != 0);
TEST_COMPARE (errno, EBUSY);
}
commit f13c1bb0f97fbc12a6ba1ab5669ce561ea32b80a
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Apr 16 19:13:43 2026 +0200
Use pending character state in IBM1390, IBM1399 character sets (CVE-2026-4046)
Follow the example in iso-2022-jp-3.c and use the __count state
variable to store the pending character. This avoids restarting
the conversion if the output buffer ends between two 4-byte UCS-4
code points, so that the assert reported in the bug can no longer
happen.
Even though the fix is applied to ibm1364.c, the change is only
effective for the two HAS_COMBINED codecs for IBM1390, IBM1399.
The test case was mostly auto-generated using
claude-4.6-opus-high-thinking, and composer-2-fast shows up in the
log as well. During review, gpt-5.4-xhigh flagged that the original
version of the test case was not exercising the new character
flush logic.
This fixes bug 33980.
Assisted-by: LLM
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit d6f08d1cf027f4eb2ba289a6cc66853722d4badc)
diff --git a/iconvdata/Makefile b/iconvdata/Makefile
index 5a2abeea24..cc689f63e9 100644
--- a/iconvdata/Makefile
+++ b/iconvdata/Makefile
@@ -76,7 +76,7 @@ tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \
bug-iconv13 bug-iconv14 bug-iconv15 \
- tst-iconv-iso-2022-cn-ext
+ tst-iconv-iso-2022-cn-ext tst-bug33980
ifeq ($(have-thread-library),yes)
tests += bug-iconv3
endif
@@ -333,6 +333,8 @@ $(objpfx)bug-iconv15.out: $(addprefix $(objpfx), $(gconv-modules)) \
$(addprefix $(objpfx),$(modules.so))
$(objpfx)tst-iconv-iso-2022-cn-ext.out: $(addprefix $(objpfx), $(gconv-modules)) \
$(addprefix $(objpfx),$(modules.so))
+$(objpfx)tst-bug33980.out: $(addprefix $(objpfx), $(gconv-modules)) \
+ $(addprefix $(objpfx),$(modules.so))
$(objpfx)iconv-test.out: run-iconv-test.sh \
$(addprefix $(objpfx), $(gconv-modules)) \
diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c
index 45c62acee5..244c61ad7a 100644
--- a/iconvdata/ibm1364.c
+++ b/iconvdata/ibm1364.c
@@ -67,12 +67,29 @@
/* Since this is a stateful encoding we have to provide code which resets
the output state to the initial state. This has to be done during the
- flushing. */
+ flushing. For the to-internal direction (FROM_DIRECTION is true),
+ there may be a pending character that needs flushing. */
#define EMIT_SHIFT_TO_INIT \
if ((data->__statep->__count & ~7) != sb) \
{ \
if (FROM_DIRECTION) \
- data->__statep->__count &= 7; \
+ { \
+ uint32_t ch = data->__statep->__count >> 7; \
+ if (__glibc_unlikely (ch != 0)) \
+ { \
+ if (__glibc_unlikely (outend - outbuf < 4)) \
+ status = __GCONV_FULL_OUTPUT; \
+ else \
+ { \
+ put32 (outbuf, ch); \
+ outbuf += 4; \
+ /* Clear character and db bit. */ \
+ data->__statep->__count &= 7; \
+ } \
+ } \
+ else \
+ data->__statep->__count &= 7; \
+ } \
else \
{ \
/* We are not in the initial state. To switch back we have \
@@ -99,11 +116,13 @@
*curcsp = save_curcs
-/* Current codeset type. */
+/* Current codeset type. The bit is stored in the __count variable of
+ the conversion state. If the db bit is set, bit 7 and above store
+ a pending UCS-4 code point if non-zero. */
enum
{
- sb = 0,
- db = 64
+ sb = 0, /* Single byte mode. */
+ db = 64 /* Double byte mode. */
};
@@ -119,21 +138,29 @@ enum
} \
else \
{ \
- /* This is a combined character. Make sure we have room. */ \
- if (__glibc_unlikely (outptr + 8 > outend)) \
- { \
- result = __GCONV_FULL_OUTPUT; \
- break; \
- } \
- \
const struct divide *cmbp \
= &DB_TO_UCS4_COMB[ch - __TO_UCS4_COMBINED_MIN]; \
assert (cmbp->res1 != 0 && cmbp->res2 != 0); \
\
put32 (outptr, cmbp->res1); \
outptr += 4; \
- put32 (outptr, cmbp->res2); \
- outptr += 4; \
+ \
+ /* See whether we have room for the second character. */ \
+ if (outend - outptr >= 4) \
+ { \
+ put32 (outptr, cmbp->res2); \
+ outptr += 4; \
+ } \
+ else \
+ { \
+ /* Otherwise store only the first character now, and \
+ put the second one into the queue. */ \
+ curcs |= cmbp->res2 << 7; \
+ inptr += 2; \
+ /* Tell the caller why we terminate the loop. */ \
+ result = __GCONV_FULL_OUTPUT; \
+ break; \
+ } \
} \
}
#else
@@ -153,7 +180,20 @@ enum
#define LOOPFCT FROM_LOOP
#define BODY \
{ \
- uint32_t ch = *inptr; \
+ uint32_t ch; \
+ \
+ ch = curcs >> 7; \
+ if (__glibc_unlikely (ch != 0)) \
+ { \
+ put32 (outptr, ch); \
+ outptr += 4; \
+ /* Remove the pending character, but preserve state bits. */ \
+ curcs &= (1 << 7) - 1; \
+ continue; \
+ } \
+ \
+ /* Otherwise read the next input byte. */ \
+ ch = *inptr; \
\
if (__builtin_expect (ch, 0) == SO) \
{ \
diff --git a/iconvdata/tst-bug33980.c b/iconvdata/tst-bug33980.c
new file mode 100644
index 0000000000..c9693e0efe
--- /dev/null
+++ b/iconvdata/tst-bug33980.c
@@ -0,0 +1,153 @@
+/* Test for bug 33980: combining characters in IBM1390/IBM1399.
+ Copyright (C) 2026 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <alloc_buffer.h>
+#include <errno.h>
+#include <iconv.h>
+#include <stdbool.h>
+#include <string.h>
+
+#include <support/check.h>
+#include <support/next_to_fault.h>
+#include <support/support.h>
+
+/* Run iconv in a loop with a small output buffer of OUTBUFSIZE bytes
+ starting at OUTBUF. OUTBUF should be right before an unmapped page
+ so that writing past the end will fault. Skip SHIFT bytes at the
+ start of the input and output, to exercise different buffer
+ alignment. TRUNCATE indicates skipped bytes at the end of
+ input (0 and 1 a valid). */
+static void
+test_one (const char *encoding, unsigned int shift, unsigned int truncate,
+ char *outbuf, size_t outbufsize)
+{
+ /* In IBM1390 and IBM1399, the DBCS code 0xECB5 expands to two
+ Unicode code points when translated. */
+ static char input[] =
+ {
+ /* 8 letters X. */
+ 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, 0xe7,
+ /* SO, 0xECB5, SI: shift to DBCS, special character, shift back. */
+ 0x0e, 0xec, 0xb5, 0x0f
+ };
+
+ /* Expected output after UTF-8 conversion. */
+ static char expected[] =
+ {
+ 'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X',
+ /* U+304B (HIRAGANA LETTER KA). */
+ 0xe3, 0x81, 0x8b,
+ /* U+309A (COMBINING KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK). */
+ 0xe3, 0x82, 0x9a
+ };
+
+ iconv_t cd = iconv_open ("UTF-8", encoding);
+ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
+
+ char result_storage[64];
+ struct alloc_buffer result_buf
+ = alloc_buffer_create (result_storage, sizeof (result_storage));
+
+ char *inptr = &input[shift];
+ size_t inleft = sizeof (input) - shift - truncate;
+
+ while (inleft > 0)
+ {
+ char *outptr = outbuf;
+ size_t outleft = outbufsize;
+ size_t inleft_before = inleft;
+
+ size_t ret = iconv (cd, &inptr, &inleft, &outptr, &outleft);
+ size_t produced = outptr - outbuf;
+ alloc_buffer_copy_bytes (&result_buf, outbuf, produced);
+
+ if (ret == (size_t) -1 && errno == E2BIG)
+ {
+ if (produced == 0 && inleft == inleft_before)
+ {
+ /* Output buffer too small to make progress. This is
+ expected for very small output buffer sizes. */
+ TEST_VERIFY_EXIT (outbufsize < 3);
+ break;
+ }
+ continue;
+ }
+ if (ret == (size_t) -1)
+ FAIL_EXIT1 ("%s (outbufsize %zu): iconv: %m", encoding, outbufsize);
+ break;
+ }
+
+ /* Flush any pending state (e.g. a buffered combined character).
+ With outbufsize < 3, we could not store the first character, so
+ the second character did not become pending, and there is nothing
+ to flush. */
+ {
+ char *outptr = outbuf;
+ size_t outleft = outbufsize;
+
+ size_t ret = iconv (cd, NULL, NULL, &outptr, &outleft);
+ TEST_VERIFY_EXIT (ret == 0);
+ size_t produced = outptr - outbuf;
+ alloc_buffer_copy_bytes (&result_buf, outbuf, produced);
+
+ /* Second flush does not provide more data. */
+ outptr = outbuf;
+ outleft = outbufsize;
+ ret = iconv (cd, NULL, NULL, &outptr, &outleft);
+ TEST_VERIFY_EXIT (ret == 0);
+ TEST_VERIFY (outptr == outbuf);
+ }
+
+ TEST_VERIFY_EXIT (!alloc_buffer_has_failed (&result_buf));
+ size_t result_used
+ = sizeof (result_storage) - alloc_buffer_size (&result_buf);
+
+ if (outbufsize >= 3)
+ {
+ TEST_COMPARE (inleft, 0);
+ TEST_COMPARE (result_used, sizeof (expected) - shift);
+ TEST_COMPARE_BLOB (result_storage, result_used,
+ &expected[shift], sizeof (expected) - shift);
+ }
+ else
+ /* If the buffer is too small, only the leading X could be converted. */
+ TEST_COMPARE (result_used, 8 - shift);
+
+ TEST_VERIFY_EXIT (iconv_close (cd) == 0);
+}
+
+static int
+do_test (void)
+{
+ struct support_next_to_fault ntf
+ = support_next_to_fault_allocate (8);
+
+ for (int shift = 0; shift <= 8; ++shift)
+ for (int truncate = 0; truncate < 2; ++truncate)
+ for (size_t outbufsize = 1; outbufsize <= 8; outbufsize++)
+ {
+ char *outbuf = ntf.buffer + ntf.length - outbufsize;
+ test_one ("IBM1390", shift, truncate, outbuf, outbufsize);
+ test_one ("IBM1399", shift, truncate, outbuf, outbufsize);
+ }
+
+ support_next_to_fault_free (&ntf);
+ return 0;
+}
+
+#include <support/test-driver.c>
commit 12feedaf67e11c4618dc50c6aab4dbfd1e6d9531
Author: DJ Delorie <dj@redhat.com>
Date: Mon Jan 26 22:24:42 2026 -0500
include: isolate __O_CLOEXEC flag for sys/mount.h and fcntl.h
Including sys/mount.h should not implicitly include fcntl.h
as that causes namespace pollution and conflicts with kernel
headers. It only needs O_CLOEXEC for OPEN_TREE_CLOEXEC
(although it shouldn't need that, but it's defined that way)
so we provide that define (via a private version) separately.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Tested-by: Florian Weimer <fweimer@redhat.com>
(cherry picked from commit 419245719ccbc7dad6a97f24465e7f09c090327a)
diff --git a/io/fcntl.c b/io/fcntl.c
index e88e28664c..b7dab1bb39 100644
--- a/io/fcntl.c
+++ b/io/fcntl.c
@@ -18,6 +18,10 @@
#include <errno.h>
#include <fcntl.h>
+#ifndef __O_CLOEXEC
+# error __O_CLOEXEC not defined by fcntl.h/cloexec.h
+#endif
+
/* Perform file control operations on FD. */
int
__fcntl (int fd, int cmd, ...)
diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile
index c47cbdf428..053041f256 100644
--- a/sysdeps/unix/sysv/linux/Makefile
+++ b/sysdeps/unix/sysv/linux/Makefile
@@ -129,6 +129,7 @@ CFLAGS-test-errno-linux.c += $(no-fortify-source)
sysdep_headers += \
bits/a.out.h \
+ bits/cloexec.h \
bits/epoll.h \
bits/eventfd.h \
bits/inotify.h \
diff --git a/sysdeps/unix/sysv/linux/alpha/bits/cloexec.h b/sysdeps/unix/sysv/linux/alpha/bits/cloexec.h
new file mode 100644
index 0000000000..f381f28a53
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/alpha/bits/cloexec.h
@@ -0,0 +1 @@
+#define __O_CLOEXEC 010000000
diff --git a/sysdeps/unix/sysv/linux/bits/cloexec.h b/sysdeps/unix/sysv/linux/bits/cloexec.h
new file mode 100644
index 0000000000..3059fb6473
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/bits/cloexec.h
@@ -0,0 +1 @@
+#define __O_CLOEXEC 02000000
diff --git a/sysdeps/unix/sysv/linux/bits/fcntl-linux.h b/sysdeps/unix/sysv/linux/bits/fcntl-linux.h
index f425a4bf22..98954feaca 100644
--- a/sysdeps/unix/sysv/linux/bits/fcntl-linux.h
+++ b/sysdeps/unix/sysv/linux/bits/fcntl-linux.h
@@ -81,9 +81,7 @@
#ifndef __O_NOFOLLOW
# define __O_NOFOLLOW 0400000
#endif
-#ifndef __O_CLOEXEC
-# define __O_CLOEXEC 02000000
-#endif
+#include <bits/cloexec.h>
#ifndef __O_DIRECT
# define __O_DIRECT 040000
#endif
diff --git a/sysdeps/unix/sysv/linux/hppa/bits/cloexec.h b/sysdeps/unix/sysv/linux/hppa/bits/cloexec.h
new file mode 100644
index 0000000000..f381f28a53
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/hppa/bits/cloexec.h
@@ -0,0 +1 @@
+#define __O_CLOEXEC 010000000
diff --git a/sysdeps/unix/sysv/linux/sparc/bits/cloexec.h b/sysdeps/unix/sysv/linux/sparc/bits/cloexec.h
new file mode 100644
index 0000000000..6706eaa7d5
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/sparc/bits/cloexec.h
@@ -0,0 +1 @@
+#define __O_CLOEXEC 0x400000
diff --git a/sysdeps/unix/sysv/linux/sys/mount.h b/sysdeps/unix/sysv/linux/sys/mount.h
index b549e75148..365da1c296 100644
--- a/sysdeps/unix/sysv/linux/sys/mount.h
+++ b/sysdeps/unix/sysv/linux/sys/mount.h
@@ -21,7 +21,6 @@
#ifndef _SYS_MOUNT_H
#define _SYS_MOUNT_H 1
-#include <fcntl.h>
#include <features.h>
#include <stdint.h>
#include <stddef.h>
@@ -266,6 +265,11 @@ enum fsconfig_command
/* open_tree flags. */
#define OPEN_TREE_CLONE 1 /* Clone the target tree and attach the clone */
+#ifndef O_CLOEXEC
+# include <bits/cloexec.h>
+# define O_CLOEXEC __O_CLOEXEC
+#endif
+#undef OPEN_TREE_CLOEXEC
#define OPEN_TREE_CLOEXEC O_CLOEXEC /* Close the file on execve() */
diff --git a/sysdeps/unix/sysv/linux/tst-mount.c b/sysdeps/unix/sysv/linux/tst-mount.c
index 40913c7082..78a2772b2f 100644
--- a/sysdeps/unix/sysv/linux/tst-mount.c
+++ b/sysdeps/unix/sysv/linux/tst-mount.c
@@ -20,6 +20,7 @@
#include <support/check.h>
#include <support/xunistd.h>
#include <support/namespace.h>
+#include <fcntl.h> /* For AT_ constants. */
#include <sys/mount.h>
_Static_assert (sizeof (struct mount_attr) == MOUNT_ATTR_SIZE_VER0,
commit 3ecfa68561d723564a1fb565366182eb4acb3e8f
Author: Florian Weimer <fweimer@redhat.com>
Date: Wed Mar 4 18:32:36 2026 +0100
Linux: Only define OPEN_TREE_* macros in <sys/mount.h> if undefined (bug 33921)
There is a conditional inclusion of <linux/mount.h> earlier in the file.
If that defines the macros, do not redefine them. This addresses build
problems as the token sequence used by the UAPI macro definitions
changes between Linux versions.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
(cherry picked from commit d12b017cddfeb9fe9920ba054ae3dfcb8e9238b8)
diff --git a/sysdeps/unix/sysv/linux/sys/mount.h b/sysdeps/unix/sysv/linux/sys/mount.h
index 365da1c296..30ba56c1e8 100644
--- a/sysdeps/unix/sysv/linux/sys/mount.h
+++ b/sysdeps/unix/sysv/linux/sys/mount.h
@@ -264,14 +264,16 @@ enum fsconfig_command
#define FSOPEN_CLOEXEC 0x00000001
/* open_tree flags. */
-#define OPEN_TREE_CLONE 1 /* Clone the target tree and attach the clone */
+#ifndef OPEN_TREE_CLONE
+# define OPEN_TREE_CLONE 1 /* Clone the target tree and attach the clone */
+#endif
#ifndef O_CLOEXEC
# include <bits/cloexec.h>
# define O_CLOEXEC __O_CLOEXEC
#endif
-#undef OPEN_TREE_CLOEXEC
-#define OPEN_TREE_CLOEXEC O_CLOEXEC /* Close the file on execve() */
-
+#ifndef OPEN_TREE_CLOEXEC
+# define OPEN_TREE_CLOEXEC O_CLOEXEC /* Close the file on execve() */
+#endif
__BEGIN_DECLS
commit 3e87cf9be93acf19d685e8003fc649cdb052a891
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Mon Apr 13 10:46:42 2026 +0800
abilist.awk: Handle weak unversioned defined symbols
After
commit f685e3953f9a38a41bbd0a597f9882870cee13d5
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Wed Oct 29 09:49:57 2025 +0800
elf: Don't set its DT_VERSYM entry for unversioned symbol
ld no longer assigns version index 1 to unversioned defined symbol.
For libmachuser.so, "objdump --dynamic-syms" reports:
0000dd30 w DF .text 000000f8 processor_start
instead of
0000dd30 w DF .text 000000f8 (Base) processor_start
Also allow NF == 6 for weak unversioned dynamic symbols. This fixes BZ
33650.
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Sam James <sam@gentoo.org>
(cherry picked from commit ee5d1db2a81468413fbf7c82779ffa782f429d1a)
diff --git a/scripts/abilist.awk b/scripts/abilist.awk
index 6cc7af6ac8..7ea1edf8c0 100644
--- a/scripts/abilist.awk
+++ b/scripts/abilist.awk
@@ -38,7 +38,7 @@ $4 == "*UND*" { next }
$2 == "l" { next }
# If the target uses ST_OTHER, it will be output before the symbol name.
-$2 == "g" || $2 == "w" && (NF == 7 || NF == 8) {
+$2 == "g" || $2 == "w" && (NF == 6 || NF == 7 || NF == 8) {
type = $3;
size = $5;
sub(/^0*/, "", size);
commit b4bca35ab9e76890504c4dbdd5eaf15a93514580
Author: Rocket Ma <marocketbd@gmail.com>
Date: Fri May 1 20:39:07 2026 -0700
libio: Fix ungetwc operating on byte stream [BZ #33998]
* libio/wgenops.c: When _IO_wdefault_pbackfail attempts to push back one
character, it accidently compare the wchar to push back with the last
char from byte stream, instead of wide stream. Under specific coding,
attacker may exploit this to leak information. This commit fix bug
33998, or CVE-2026-5928.
Signed-off-by: Rocket Ma <marocketbd@gmail.com>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit ef3bfb5f910011f3780cb06aa47e730035f53285)
diff --git a/libio/Makefile b/libio/Makefile
index f020f8ec4d..fa2b8ae791 100644
--- a/libio/Makefile
+++ b/libio/Makefile
@@ -83,6 +83,7 @@ tests = \
bug-ungetwc1 \
bug-ungetwc2 \
bug-wfflush \
+ bug-wgenops-bz33998 \
bug-wmemstream1 \
bug-wsetpos \
test-fmemopen \
diff --git a/libio/bug-wgenops-bz33998.c b/libio/bug-wgenops-bz33998.c
new file mode 100644
index 0000000000..cc4067da99
--- /dev/null
+++ b/libio/bug-wgenops-bz33998.c
@@ -0,0 +1,54 @@
+/* Regression test for ungetwc operating on byte stream (BZ #33998)
+ Copyright (C) 2026 The GNU Toolchain Authors.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include "support/temp_file.h"
+#include "support/xstdio.h"
+#include "support/xunistd.h"
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <stdio.h>
+#include <wchar.h>
+#include <support/check.h>
+
+static int
+do_test (void)
+{
+ char *filename;
+ int fd = create_temp_file ("tst-bz33998-", &filename);
+ TEST_VERIFY (fd != -1);
+ xwrite (fd, "A", sizeof ("A")); // write "A\0" by design
+ xclose (fd);
+
+ FILE *fp = xfopen (filename, "r+");
+ TEST_COMPARE (getwc (fp), L'A');
+ /* If the bug is fixed, then ungetwc should not touch byte stream.
+ If the bug is not fixed, ungetwc firstly match last read char, L'A',
+ failed, then the pbackfail branch, matching last read char in byte
+ stream, that is, '\0' (initialized when setup wide stream). */
+ char *old_read_ptr = fp->_IO_read_ptr;
+ TEST_COMPARE (ungetwc (L'\0', fp), L'\0');
+ TEST_VERIFY (fp->_IO_read_ptr == old_read_ptr);
+
+ xfclose (fp);
+ free (filename);
+
+ return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/libio/wgenops.c b/libio/wgenops.c
index 0a11d1b1de..9e0b2c00ea 100644
--- a/libio/wgenops.c
+++ b/libio/wgenops.c
@@ -108,8 +108,8 @@ _IO_wdefault_pbackfail (FILE *fp, wint_t c)
{
if (fp->_wide_data->_IO_read_ptr > fp->_wide_data->_IO_read_base
&& !_IO_in_backup (fp)
- && (wint_t) fp->_IO_read_ptr[-1] == c)
- --fp->_IO_read_ptr;
+ && (wint_t) fp->_wide_data->_IO_read_ptr[-1] == c)
+ --fp->_wide_data->_IO_read_ptr;
else
{
/* Need to handle a filebuf in write mode (switch to read mode). FIXME!*/
commit 4ebd33dd77eabe8d4c45232bed4b42a31d2f9edc
Author: Rocket Ma <marocketbd@gmail.com>
Date: Fri Apr 17 23:48:41 2026 -0700
stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]
* stdio-common/vfscanf-internal.c: When enlarging allocated buffer with
format %mc or %mC, glibc allocates one byte less, leading to
user-controlled one byte overflow. This commit fixes BZ #34008, or
CVE-2026-5450.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Signed-off-by: Rocket Ma <marocketbd@gmail.com>
Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
(cherry picked from commit 839898777226a3ed88c0859f25ffe712519b4ead)
diff --git a/stdio-common/Makefile b/stdio-common/Makefile
index 64b3575acb..e52c333808 100644
--- a/stdio-common/Makefile
+++ b/stdio-common/Makefile
@@ -347,6 +347,7 @@ tests := \
tst-vfprintf-user-type \
tst-vfprintf-width-i18n \
tst-vfprintf-width-prec-alloc \
+ tst-vfscanf-bz34008 \
tst-wc-printf \
tstdiomisc \
tstgetln \
@@ -562,6 +563,9 @@ tst-printf-bz18872-ENV = MALLOC_TRACE=$(objpfx)tst-printf-bz18872.mtrace \
tst-vfprintf-width-prec-ENV = \
MALLOC_TRACE=$(objpfx)tst-vfprintf-width-prec.mtrace \
LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
+tst-vfscanf-bz34008-ENV = \
+ MALLOC_CHECK_=3 \
+ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
tst-printf-bz25691-ENV = \
MALLOC_TRACE=$(objpfx)tst-printf-bz25691.mtrace \
LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
diff --git a/stdio-common/tst-vfscanf-bz34008.c b/stdio-common/tst-vfscanf-bz34008.c
new file mode 100644
index 0000000000..48371c8a3d
--- /dev/null
+++ b/stdio-common/tst-vfscanf-bz34008.c
@@ -0,0 +1,48 @@
+/* Regression test for vfscanf %Nmc out-of-bound write (BZ #34008)
+ Copyright (C) 2026 The GNU Toolchain Authors.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include "malloc/mcheck.h"
+#include <stddef.h>
+#include <stdio.h>
+#include <string.h>
+#include <wchar.h>
+#include <stdlib.h>
+#include <malloc.h>
+#include <support/check.h>
+
+#define WIDTH 0x410
+#define SCANFSTR "%1040mc"
+static int
+do_test (void)
+{
+ mcheck_pedantic (NULL);
+ char *input = malloc (WIDTH + 1);
+ TEST_VERIFY (input != NULL);
+ memset (input, 'A', WIDTH);
+ input[WIDTH] = '\0';
+
+ char *buf = NULL;
+ TEST_VERIFY (sscanf (input, SCANFSTR, &buf) != -1);
+ TEST_VERIFY (buf != NULL);
+
+ free (buf);
+ free (input);
+ return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/stdio-common/vfscanf-internal.c b/stdio-common/vfscanf-internal.c
index 86ae5019a6..17b5565d0f 100644
--- a/stdio-common/vfscanf-internal.c
+++ b/stdio-common/vfscanf-internal.c
@@ -853,8 +853,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,
{
/* Enlarge the buffer. */
size_t newsize
- = strsize
- + (strsize >= width ? width - 1 : strsize);
+ = strsize + (strsize >= width ? width : strsize);
str = (char *) realloc (*strptr, newsize);
if (str == NULL)
@@ -925,7 +924,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,
&& wstr == (wchar_t *) *strptr + strsize)
{
size_t newsize
- = strsize + (strsize > width ? width - 1 : strsize);
+ = strsize + (strsize >= width ? width : strsize);
/* Enlarge the buffer. */
wstr = (wchar_t *) realloc (*strptr,
newsize * sizeof (wchar_t));
@@ -980,7 +979,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,
&& wstr == (wchar_t *) *strptr + strsize)
{
size_t newsize
- = strsize + (strsize > width ? width - 1 : strsize);
+ = strsize + (strsize >= width ? width : strsize);
/* Enlarge the buffer. */
wstr = (wchar_t *) realloc (*strptr,
newsize * sizeof (wchar_t));

View file

@ -51,7 +51,7 @@
let
version = "2.42";
patchSuffix = "-61";
patchSuffix = "-67";
sha256 = "sha256-0XdeMuRijmTvkw9DW2e7Y691may2viszW58Z8WUJ8X8=";
in
@ -68,8 +68,8 @@ stdenv.mkDerivation (
patches = [
/*
No tarballs for stable upstream branch, only https://sourceware.org/git/glibc.git and using git would complicate bootstrapping.
$ git fetch --all -p && git checkout origin/release/2.40/master && git describe
glibc-2.42-61-ga56a2943d2
$ git fetch --all -p && git checkout origin/release/2.42/master && git describe
glibc-2.42-67-g4ebd33dd77
$ git show --minimal --reverse glibc-2.42.. ':!ADVISORIES' > 2.42-master.patch
To compare the archive contents zdiff can be used.

View file

@ -46,13 +46,13 @@ let
};
};
libxml2 = callPackage ./common.nix {
version = "2.15.2";
version = "2.15.3";
src = fetchFromGitLab {
domain = "gitlab.gnome.org";
owner = "GNOME";
repo = "libxml2";
tag = "v${packages.libxml2.version}";
hash = "sha256-k5dZ75D/BOouYAjrof9Jm2lY29XZhOqS1kudDGmGY9Q=";
hash = "sha256-fDntZDyITs223by8n7ueOXiO7yyzshtANoWbY0+yeqo=";
};
extraMeta = {
maintainers = with lib.maintainers; [

View file

@ -13,13 +13,13 @@
stdenv.mkDerivation rec {
pname = "openexr";
version = "3.4.10";
version = "3.4.11";
src = fetchFromGitHub {
owner = "AcademySoftwareFoundation";
repo = "openexr";
rev = "v${version}";
hash = "sha256-jXio+PvagKTR8NjcYIQ/j8LOMNc/0sQBuaixKk/0V3k=";
hash = "sha256-5dx2tag6XyuJfNfJgc68X+VWKXaHOL3M7ZJEQbQwFDA=";
};
outputs = [

View file

@ -1,202 +1,202 @@
{
"qt3d": {
"url": "https://invent.kde.org/qt/qt/qt3d.git",
"rev": "208f5835e6c2415c9dc5cbe92bba83aa28bab7ea",
"sha256": "0zqvdq5y25b1w7agx5wlr16p1wrx54086r0xcdfg9wx8dayhh1md"
"rev": "c3892c3ee3c0a2b8a050d0a1532f34806636eade",
"sha256": "0y3f4pr0vr7cpwmjxqspv79p7rljgc913fl8nqpv8y2aw8i5r4ly"
},
"qtactiveqt": {
"url": "https://invent.kde.org/qt/qt/qtactiveqt.git",
"rev": "e4c93bc7cac45bac6bccda3310947e8fe026a9ed",
"sha256": "1qq6jvqkl4ff7sw20pi1mawh5pypv7vxmj56d38z6p06r1azkvls"
"rev": "e85773764374878adc197b6a45ae8ec3ff44dafa",
"sha256": "1sbayayxgjj8jfi3apxw6m8qsmkba0gph2rm1wsnzjsa80zr17ia"
},
"qtandroidextras": {
"url": "https://invent.kde.org/qt/qt/qtandroidextras.git",
"rev": "4928bd58dbc1cdcf44a7e454e3d4654c3c2016f1",
"sha256": "02rsh60lyl6bn2jhx0ajn43safbi904nhwvdpikanrmdbg0z6dpp"
"rev": "14a14b137f0d794278947e980d99c47e6929e5e2",
"sha256": "0nvyxjm5qfq7sk22rp9hxrf8gvs6jq4i3kww1s0i8lsr69fl9biz"
},
"qtbase": {
"url": "https://invent.kde.org/qt/qt/qtbase.git",
"rev": "bebdfd54917e25d1c100e6bd9f5dd53c2e645fd8",
"sha256": "0bg36lxngkq2k11bhqdyfvbc1qyqaghwsi446zfn67vxvyxya3hx"
"rev": "fbed962c3195ab3952fa54d40e012ad1a4fdc42b",
"sha256": "1gnbgs7kh0vxjh3spv5g5zaaj1z1b0h8752pqi4lqg6jd1js2bpl"
},
"qtcharts": {
"url": "https://invent.kde.org/qt/qt/qtcharts.git",
"rev": "1093fb53ced126100d14af30a8adffd29b7ef855",
"sha256": "0cnlg59l743milkki8mjbrfd4cx5ycbqw73apcrnrsag9dqdbw41"
"rev": "16e9aff210cd4de7192adfc6cd91cdd44ba45a3d",
"sha256": "02virkb7h8hhkdsqpv2qg3lly4msf648f7421z10acxhin6ypw5i"
},
"qtconnectivity": {
"url": "https://invent.kde.org/qt/qt/qtconnectivity.git",
"rev": "f1be05c8efeb65b77a8bfd21763ab55bb5c04906",
"sha256": "1vl7wfw9sd8qfl8ixzl5wz4v5km5zdf9bii53q3pw4f2lplsralq"
"rev": "7e29434e06372efbb2127d0ef41538ff9aec1597",
"sha256": "1wv9bh13rq6mnnzsh6g88a2kj2j4nfv83vqpbdxmyavdf349pwdj"
},
"qtdatavis3d": {
"url": "https://invent.kde.org/qt/qt/qtdatavis3d.git",
"rev": "d9b988d3c5f9f34b97f3a9ac1347bfb55464cd60",
"sha256": "09jk32kw7wgcrd117a9lsm5w7jszsdhdslk10qn631wz203zbs4i"
"rev": "b52063032fda9af894ca0e582774364ce8caf0f8",
"sha256": "1zbfx7hqh1ydi2vx8pj6dxlrrc7wf8sqcwxzx8acphdyj66zcmch"
},
"qtdeclarative": {
"url": "https://invent.kde.org/qt/qt/qtdeclarative.git",
"rev": "1189557a50f11e7bc5716467a149cd09987a9f88",
"sha256": "0cd89d8i8chy1j1yanp1cq5s7467qr24b9c7cx9qw0nb0rf6f8qr"
"rev": "5bc1ac07b2d2c7839368084a4bb97e4c67eb8294",
"sha256": "0xpq0xjiscx72dcyg0lpr90ag5q7gypzcqnwbsnh401jrxn2pll1"
},
"qtdoc": {
"url": "https://invent.kde.org/qt/qt/qtdoc.git",
"rev": "ddb2afda6f713259fc8d95fb22a1c96bb448c36a",
"sha256": "0nk2vwl0ppix794xzj8nqrhsc333v8v4vr1rmwddymwlrdqlqd5d"
"rev": "385efd460ec13a465765fc30dd11217ae46d1846",
"sha256": "0djflkibfgjp8gr16hiv6nipj4q4xyclgv84f3d951dj2q7779v6"
},
"qtgamepad": {
"url": "https://invent.kde.org/qt/qt/qtgamepad.git",
"rev": "269fc0731f6838a1c02877a83c0ada23659c69fc",
"sha256": "06jhby671yzbj753yb0lnk4bv2r0nxxibq7fq1yljxdms0rc72iz"
"rev": "9b69ae558f0f9feffe30b0aa8993e270dfcc81ff",
"sha256": "056b39r4jsag5d7f5m04vmpydvnwpfs5mcynsdx717qdginlmiam"
},
"qtgraphicaleffects": {
"url": "https://invent.kde.org/qt/qt/qtgraphicaleffects.git",
"rev": "dfb2e7b2c98a9b7185c300d0b92b4048f5d89ba5",
"sha256": "1sn46lmq0y56mw0q11sgaijr2vg1wpp6lj237finp6vr3bji2816"
"rev": "551732fb1d963e53af437e3982a010f69eb76253",
"sha256": "1pyjb66nhlhin6ysm4005ng4m2ak857ai761rqx8l2h4fscgwvhf"
},
"qtimageformats": {
"url": "https://invent.kde.org/qt/qt/qtimageformats.git",
"rev": "c91e4c63c1eaf1e23806d9df10e3d5a9ae353c1d",
"sha256": "0q0vcymiqfyz8sfs9wdkhhwff55acj2rsmrb8w6yikmwcmcxp2a3"
"rev": "4076e38d68f05f5e1bcdedb79442d9008f18702c",
"sha256": "1kgvs3jgs2qysrx2kr4vn68h9gjv6ir1nd4hg0m2fbsjk644aa8w"
},
"qtlocation": {
"url": "https://invent.kde.org/qt/qt/qtlocation.git",
"rev": "ba48a8b5cedd157d972c08d371ac2581db166bf7",
"sha256": "00kwv405qq9q8fcwar33s2wvs1dm10fb8plxbz1q0jqcjs2ips6x"
"rev": "81f560be2274958011c255efa1d2d573874bed11",
"sha256": "1lpxngppxkhych9pkkcvw7ypw02cd324pw0z9hd9kqcd803p2017"
},
"qtlottie": {
"url": "https://invent.kde.org/qt/qt/qtlottie.git",
"rev": "27ed5a3c95a0810a96fac2a8661ea94d8ea3c44e",
"sha256": "04ivyxnn8d3pkjsbx0gwyj3f5if4m4cih6wyavm8bd2m2kkszx35"
"rev": "5f1be885cf4ee0f1eb5400bf0c5d138818fc01d0",
"sha256": "01880y8r2acnzfg09qm031kx99vp3zjv3zi38sh17shgcipx1fxp"
},
"qtmacextras": {
"url": "https://invent.kde.org/qt/qt/qtmacextras.git",
"rev": "fc7e9f41d9cec2df05c1d38d6e55d3a0d501dd25",
"sha256": "07q1arvdjwmbrayp2b213b8gqm4psczhx9z1m83invwmbs8iqj07"
"rev": "722060e4edff268feb2dda1298a7837c90f6262f",
"sha256": "1fqw1p6vx3gqw1sf1yk4cz1cb3d1xrbjq0p22gi0pspll314c8x0"
},
"qtmultimedia": {
"url": "https://invent.kde.org/qt/qt/qtmultimedia.git",
"rev": "ff83d119c75cd8406f73ccc08958fe36747e7390",
"sha256": "09jadnvphilcxxy85dlsr8a6x5w32r1c2hrbh93qbvvf9zlg60ld"
"rev": "8ddc44103baf166525d6650c842d7f08f651e7bb",
"sha256": "0akj2d8b6kdy125ggs9cd7pra3vm47frqpn6p756jafsxylkqwbh"
},
"qtnetworkauth": {
"url": "https://invent.kde.org/qt/qt/qtnetworkauth.git",
"rev": "510687fa4fdee84dd3d6d166e8f080c484016199",
"sha256": "0a8abmql94wxpfvdj5a1rnh3xsd49c5z8x93hm311sgjkd0aajx7"
"rev": "d1ce24a72122c315e3d190c9ebc26ed603b90057",
"sha256": "1wcw26x38k619xavrwav21w0vrzb24bn6ncxllcwd9bdn7vvn1wr"
},
"qtpurchasing": {
"url": "https://invent.kde.org/qt/qt/qtpurchasing.git",
"rev": "8e9a5ec9f68639162c85c198b28e072e7150883c",
"sha256": "04pmwqnw907dg0hpas0pdrh2fxcqn2mvqz82b1vkviksg8ny3saw"
"rev": "b471c6ca3edfa5ba459b8694622825b9e776bed6",
"sha256": "1plwpxasiw2sx76a294i4i92vk5g5gaigjfy284jpmaargxsyd7k"
},
"qtquick3d": {
"url": "https://invent.kde.org/qt/qt/qtquick3d.git",
"rev": "47a325358078b72016081a86be628411df2728a9",
"sha256": "18h309g6ni6y4bcss930g04z8ymhl2nfm3sv5s4h2fz3dl0xsqwr"
"rev": "4e85bd063c726f015dc8afb05834de7a71bf6a1b",
"sha256": "0k6wjkr2jyc1v6xrm34dnlbbdnippiph5jxzjxawlxijzzvmgcp5"
},
"qtquickcontrols": {
"url": "https://invent.kde.org/qt/qt/qtquickcontrols.git",
"rev": "0c3c18bf8bdac1ef1afdb8aade903edb5c2bc041",
"sha256": "0h8bhrbgfcf7nbfppah8lxnhvygc09983qrvp935r5sw7251km4d"
"rev": "af7fc486c8910b51733e1c7e758d50ca1a158b36",
"sha256": "1nbgpnz2qi8g24cmli25a9319vgqmk9vgngb12q2j8c8k3nlhhfs"
},
"qtquickcontrols2": {
"url": "https://invent.kde.org/qt/qt/qtquickcontrols2.git",
"rev": "e464888c53a641ee44a34ff2350cfb156c8ed59f",
"sha256": "08lnqz6v48j1hi6dpll7a052p6r5qfb32md16fppqzn6g5jg9ir2"
"rev": "5b808e0995d018c6de9f075d4a61f58d3641c11b",
"sha256": "1a65j06nzlxl1hmdh5li1gglcrqms0g560c2cj9vqzqm551krdj8"
},
"qtquicktimeline": {
"url": "https://invent.kde.org/qt/qt/qtquicktimeline.git",
"rev": "43130f2681b76a8d743a04704465b716b6b2faee",
"sha256": "1z1avxxq9d9nzqyxy5pq5maj73cf6dvsn5k83p3sf5kq3x0y75cj"
"rev": "ea9d6c4d5a0a172b4778e8f37d694d02aab83f37",
"sha256": "0170n0mcrf8phh3nsg2f904p8vxwmw8lks48zkpnbvyrj4gzqcr2"
},
"qtremoteobjects": {
"url": "https://invent.kde.org/qt/qt/qtremoteobjects.git",
"rev": "b2740a7c7f5b6ac810240404a947ca5cff9de5f7",
"sha256": "1jxlwc2y165fxdalcr4iqq55gsg5x4nxqd8wdq3dc1824yfnzm6i"
"rev": "48d10f341279e08c1bc4abb764c2d3ab9a259a51",
"sha256": "0523n172f96w474y804sanppfx2zkgsm342vwa6ailrcfkjw8v58"
},
"qtscxml": {
"url": "https://invent.kde.org/qt/qt/qtscxml.git",
"rev": "57491f554bc53bd020978b5744437b7ac7e56a27",
"sha256": "00mvwgb3xr116nl7649zq7ai2074clzw760c140sy91zqgqkjsx4"
"rev": "edc6f0dd5e806cced1937b2b853717f588e14fd2",
"sha256": "1072slgrvy910mxxqsvf7fgi237mjnbd2b8amw1srqzqj2bmnsj3"
},
"qtsensors": {
"url": "https://invent.kde.org/qt/qt/qtsensors.git",
"rev": "50a61b360877e7c1300df76b5aabf8d75554a398",
"sha256": "0giqwn4grg9999y31avh7ajsv9gkcfzf0xndx8bvv79si0wp59g6"
"rev": "8c6d11df60d4d783869c2d81568e3178f5ae75ce",
"sha256": "18jc5nncmpmbf758mcj9wj6dfn87hl51zp0ihqcvk6k6a8ra6l7p"
},
"qtserialbus": {
"url": "https://invent.kde.org/qt/qt/qtserialbus.git",
"rev": "c23069351ec31563c9ea9fcdce42ccdba95ea518",
"sha256": "1qgxlgnl53gabrfqihxwygdbdiqjvn2hfajmwb3h44srpq0srk33"
"rev": "6734222bccc5541f9527281c810c6b5f8fdd092f",
"sha256": "0ragq01wdwqwqp9720i3xan3a4xnkkvgc8gjy1wgwmdrs0mlb49z"
},
"qtserialport": {
"url": "https://invent.kde.org/qt/qt/qtserialport.git",
"rev": "b64a7eeda9b6a65b5ed01b1b40b07177f0aa4c0f",
"sha256": "134mn0njfvmzgrf325bikazkiq4xdn5wjhj56kxh1hhaz3q25hyp"
"rev": "ca1f2486527e7acf87d466062c035845f9774573",
"sha256": "0xdywglxh9sxs2s60shwf6c4m5w20h77l9d58rganqwpbrh49vkj"
},
"qtspeech": {
"url": "https://invent.kde.org/qt/qt/qtspeech.git",
"rev": "aa2376f9b1302222edcd16b4641bbd7004318c00",
"sha256": "0vcxgkymzhaw01f26zlny4bka9k829rwzkwk95rr3dfq7wlyxshz"
"rev": "a384f0d4fb8a2d0743d5dfdf12e40f6d76f8714c",
"sha256": "0imn7jskjvz30xnbg1z8wxkcw82hb6v92xls327385wxxj0a5i6r"
},
"qtsvg": {
"url": "https://invent.kde.org/qt/qt/qtsvg.git",
"rev": "b74f7291f343dcbcb487b020868f042d8fe83098",
"sha256": "1n0sjn8h5k2sh8p2a85cxdpqbnd63gz4rf9wwbshhd13w623f9s8"
"rev": "d2abfb9cb1f036446e5913fadb0f065dab9f0159",
"sha256": "048lbk25rbfbd2c8pbsifdxjcxb2003hi04lfsmgh7xr27x55gch"
},
"qttools": {
"url": "https://invent.kde.org/qt/qt/qttools.git",
"rev": "fa40a2d3373b89be0cd0a43fe0c1d047e3d34058",
"sha256": "06kr88gmwc7xh1whdbcg84y1naak5rv99jkscjbhzyz3z91xy7hl"
"rev": "3e3ab58b40734a1b9bbb7e72b2969d1f752351b1",
"sha256": "18dmmw1r13in7h90y3637jw3sc2pvv33bfr1bs11dyp951spw8d3"
},
"qttranslations": {
"url": "https://invent.kde.org/qt/qt/qttranslations.git",
"rev": "3cbcceb8e3e2e63a4022f1be946c7118c527a83e",
"sha256": "15lw5snqfkwwcsazh02lhiia39gy08nfijdpkzvll2qvg4b58zkn"
"rev": "388e4f32ed4b28d92bd61b917ba0e6b910e2784d",
"sha256": "1k76zl5c1x9q8kid3sjv4d66wy9ryl24fyiabrg32c7nbn53pbd4"
},
"qtvirtualkeyboard": {
"url": "https://invent.kde.org/qt/qt/qtvirtualkeyboard.git",
"rev": "859d2a6ee329cc08414410b2ef8c0af77a6853d3",
"sha256": "06sdpcanzp1a71d99rjivrbjp780mvwssc4w1sap2gskcmmgkwbs"
"rev": "4fc9919ee3fad1d520d0921ba3069dca3c34ff78",
"sha256": "12kn69l34s1r6s9w7cw9l5524kwrx8xrxwbx4hw059jns1pqac0d"
},
"qtwayland": {
"url": "https://invent.kde.org/qt/qt/qtwayland.git",
"rev": "df49b9f3badce793a0a9ea850cf1a02cc5bafef6",
"sha256": "01xm2r1pv7kxb4aj72ldfzmax6d799h6bj4h2xhpcii812wf5lda"
"rev": "605b8bc942ab263b9d1892af33a81b408f522ccc",
"sha256": "09vrd62ikxzjpv6awi7n34pswg4w5yvmac5ckc6ma6rqvps7mbip"
},
"qtwebchannel": {
"url": "https://invent.kde.org/qt/qt/qtwebchannel.git",
"rev": "2a157921861e651f43456cb7941b250c89feb736",
"sha256": "1w58b602f20mppd0zfr9yvfdn1xwfkfclnjs0p5mgymq6d946dyk"
"rev": "6a20afaeba182ce6e3faee592e1e85a0d3ec0fc6",
"sha256": "18jfxpasn47qd4glkgvps7nzm07dag6w9jbkq9l7fzbkpcbnqykb"
},
"qtwebglplugin": {
"url": "https://invent.kde.org/qt/qt/qtwebglplugin.git",
"rev": "b9aaac72d0853ba48f6bfd710a43df94d83d4701",
"sha256": "07zx55f52jgk31bm6c68iydknrih245ndnvz714l6kxw66fv4rjq"
"rev": "2a8ce0a61b4b9e892d948948182d935fa6792a1b",
"sha256": "10n50frndssj3vmmhghlw48dn0c9b26zgkgjvkza8x234j9dijv2"
},
"qtwebsockets": {
"url": "https://invent.kde.org/qt/qt/qtwebsockets.git",
"rev": "0f910acb737cefc889ce1088fc60d15bc18efe9c",
"sha256": "1ba9ll28hznd6qpjjiqvc2z6gaz2qgq7105dd0w810xpbaiixy0a"
"rev": "10eb706b24aa05f4ee69c2f2fec99b21994dfe2b",
"sha256": "1k01s4qkpzsjy7lygb0nhniym6g7yinih3sc16l3kljkabw44rx0"
},
"qtwebview": {
"url": "https://invent.kde.org/qt/qt/qtwebview.git",
"rev": "34342073a59f3a27ef3de02f6b21337c4f8db6cf",
"sha256": "1h6n7dkd6mjclxllyw2brz8wv4d68dx2ykckbwb3bkxyd6rmg1f6"
"rev": "043cb7c0eaf8d1bcee56a62d6a102f727a22fcbc",
"sha256": "0ha0ksbxm21hj37z7yk3f09ncgchw78cpcrxv56a205i2f04370d"
},
"qtwinextras": {
"url": "https://invent.kde.org/qt/qt/qtwinextras.git",
"rev": "5e5ae2b77078dbe51fb798743de606e6f9a5e19d",
"sha256": "04x8ax197z0dr01nxrb6bh4q8c077ny5n812fx5mq56l54v2m1ks"
"rev": "0704d01ff1218c2f32a194e38005e625c579222c",
"sha256": "0fsfrs770cia9i9ijvx1jyh0mjiza1cn1l7fm1a877h2qbd20l9f"
},
"qtx11extras": {
"url": "https://invent.kde.org/qt/qt/qtx11extras.git",
"rev": "c44c4fa86fa0794c25baef4ee1f6272aca8c511a",
"sha256": "0287cvs9wqlzz6gnj81gi8rp50s2rdnigcmld3fgddsg8f3v7hdj"
"rev": "6695a3df4460577b3fcb5546b45a0c5cb3addac4",
"sha256": "1xjdicq8kf6816hgnz4hc7ykcfngispm8xzv3bxacf98zicmy9rm"
},
"qtxmlpatterns": {
"url": "https://invent.kde.org/qt/qt/qtxmlpatterns.git",
"rev": "0b644263abca66503db1ce8a4e126cf358a34685",
"sha256": "1b1zzglvcdp7wvlpgk1gj8gmyy2r21yi6p8xiyvbccq5bbjpn0hw"
"rev": "ed3b333aa56ac193e969725e3c34be9070441271",
"sha256": "0s0z9dbivrq5pva6psfcfclw4816zb1rlr9ns03lf286iy196368"
}
}

View file

@ -5,7 +5,7 @@
}:
let
version = "5.15.18";
version = "5.15.19";
mk = name: args: {
inherit version;

View file

@ -1 +1 @@
WGET_ARGS=( https://download.qt.io/official_releases/qt/6.11/6.11.0/submodules/ -A '*.tar.xz' )
WGET_ARGS=( https://download.qt.io/official_releases/qt/6.11/6.11.1/submodules/ -A '*.tar.xz' )

View file

@ -246,11 +246,6 @@ stdenv.mkDerivation {
# don't pass qtbase's QML directory to qmlimportscanner if it's empty
./skip-missing-qml-directory.patch
# backport crash fix
(fetchpatch {
url = "https://github.com/qt/qtbase/commit/1466f88633b2c29a6159a0c2eacd0c0d6601aa5e.diff";
hash = "sha256-ubDAXF47SYagRAJ5SYyBxXl2PiHjAZo3xlYPDz1jRYM=";
})
# another crash fix
(fetchpatch {
url = "https://github.com/qt/qtbase/commit/515cbbacfba9f4259c9c3b0714a31222c2b4c879.diff";

View file

@ -43,6 +43,12 @@ qtModule {
hash = "sha256-ESy35OlmsvI4yFQ/rFT8oelOUBCwCmlcbQJvwcTrCig=";
revert = true;
})
# backport fix recommended by KDE
(fetchpatch {
url = "https://github.com/qt/qtdeclarative/commit/8a2c82be6ad90e3f2a0760d8bab1e3a8cdb2473a.diff";
hash = "sha256-3KbyoQPAiRyCwGnwwYV3y0yz2i6UAJcX70EPsXV0ZZM=";
})
];
cmakeFlags = [

View file

@ -6,13 +6,13 @@
qtModule rec {
pname = "qtmqtt";
version = "6.11.0";
version = "6.11.1";
src = fetchFromGitHub {
owner = "qt";
repo = "qtmqtt";
tag = "v${version}";
hash = "sha256-7X+HWAftWHn40RPFQD3/f+bp00LQk8Vsb871WfxdZSE=";
hash = "sha256-GWaF4iCPtATL1mJkPHVY0rom8R2FMNWGahE3KWBlfV8=";
};
propagatedBuildInputs = [ qtbase ];

View file

@ -4,339 +4,339 @@
{
qt3d = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qt3d-everywhere-src-6.11.0.tar.xz";
sha256 = "086xpissihbil51ryl83dlcpkpv3pp3ryj0712x9k9z6756j7ks0";
name = "qt3d-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qt3d-everywhere-src-6.11.1.tar.xz";
sha256 = "01q11bs7vjz1s5wdrdjq904dgl2m6l7r8d3vd2kyf7lx0j78qvd6";
name = "qt3d-everywhere-src-6.11.1.tar.xz";
};
};
qt5compat = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qt5compat-everywhere-src-6.11.0.tar.xz";
sha256 = "0gn6sj136y8yl1c00nbm81rmhws0mgx35ny7llx74j97ddj58ag6";
name = "qt5compat-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qt5compat-everywhere-src-6.11.1.tar.xz";
sha256 = "06qndy534rzabxk9yq07dsl8fj1vd72lmck11r5xbajil3d9zjyg";
name = "qt5compat-everywhere-src-6.11.1.tar.xz";
};
};
qtactiveqt = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtactiveqt-everywhere-src-6.11.0.tar.xz";
sha256 = "1kbqa0gx41s097281g4zym9jmjs2ffc75p3rgkbs6bvnlrvl0h89";
name = "qtactiveqt-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtactiveqt-everywhere-src-6.11.1.tar.xz";
sha256 = "05hcnhxkajry4ha7ykmqr83p16qjipspwxid8l2rxgz80wy6aadv";
name = "qtactiveqt-everywhere-src-6.11.1.tar.xz";
};
};
qtbase = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtbase-everywhere-src-6.11.0.tar.xz";
sha256 = "0pkmrd8ypw1v21cx0890gc6z4v0xr5qip2jnr56r2kc6g5cxh6i3";
name = "qtbase-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtbase-everywhere-src-6.11.1.tar.xz";
sha256 = "1b616gr7k8byfr2ns4vczs4kj3sznhlrlw9inpb3m8la48qllnfr";
name = "qtbase-everywhere-src-6.11.1.tar.xz";
};
};
qtcanvaspainter = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtcanvaspainter-everywhere-src-6.11.0.tar.xz";
sha256 = "1gmgzmh81wrnj81xsmilqwhc1wv7j2avg91mww8jlrv5rplzynjl";
name = "qtcanvaspainter-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtcanvaspainter-everywhere-src-6.11.1.tar.xz";
sha256 = "1l08zp68q3wcr9v5hh82kw6jqvc1wmnrjn7h9959psx520dwcdly";
name = "qtcanvaspainter-everywhere-src-6.11.1.tar.xz";
};
};
qtcharts = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtcharts-everywhere-src-6.11.0.tar.xz";
sha256 = "1dcldlw24qd9swynxcdsxnk8haiv442wx323j7qgfwjp13a9nh5c";
name = "qtcharts-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtcharts-everywhere-src-6.11.1.tar.xz";
sha256 = "0p2icmrwb6am7x2kgk9pnpa8ypi7jiscyaawgi0x31iaihqyvqrz";
name = "qtcharts-everywhere-src-6.11.1.tar.xz";
};
};
qtconnectivity = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtconnectivity-everywhere-src-6.11.0.tar.xz";
sha256 = "0fhrqqz58h3smkksfgnax73bmsiz7q9a1w9vhwd83vs9r0jc3w60";
name = "qtconnectivity-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtconnectivity-everywhere-src-6.11.1.tar.xz";
sha256 = "14g5h0wixqy981cnn5f8gkjbji804f18gfjkzbanxd0lljg2h191";
name = "qtconnectivity-everywhere-src-6.11.1.tar.xz";
};
};
qtdatavis3d = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtdatavis3d-everywhere-src-6.11.0.tar.xz";
sha256 = "1jr3bkvp4wj1jdafc64ziq4raxbya6jk6s0d4mq0w2kr7zpqrggf";
name = "qtdatavis3d-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtdatavis3d-everywhere-src-6.11.1.tar.xz";
sha256 = "1b4kcqfq5q79lm70f08qiksxl36laa9dgx9ladjk2xwl1af7n6hy";
name = "qtdatavis3d-everywhere-src-6.11.1.tar.xz";
};
};
qtdeclarative = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtdeclarative-everywhere-src-6.11.0.tar.xz";
sha256 = "1sgxxmg49flana7mylyz4c5mf5hr00kzl8nkwwj87pqx8dlybv2f";
name = "qtdeclarative-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtdeclarative-everywhere-src-6.11.1.tar.xz";
sha256 = "193ar0fcfzjjr7mi8i2622vip95qrr3qry949d9lyc5hf3v71rjj";
name = "qtdeclarative-everywhere-src-6.11.1.tar.xz";
};
};
qtdoc = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtdoc-everywhere-src-6.11.0.tar.xz";
sha256 = "1wwl2vr1qs2lqmz45iqpkzkxqp97g0yzfmz0kb5wpi8sys7c07bx";
name = "qtdoc-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtdoc-everywhere-src-6.11.1.tar.xz";
sha256 = "1hd5z6prx2sbr3wxzkynrn2iyjllvkids505l2xg3p272j4b5306";
name = "qtdoc-everywhere-src-6.11.1.tar.xz";
};
};
qtgraphs = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtgraphs-everywhere-src-6.11.0.tar.xz";
sha256 = "0nxifvs5042pzyd5syhgpmxzsq07fhpbbm57ckwzsn55q14cnvyz";
name = "qtgraphs-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtgraphs-everywhere-src-6.11.1.tar.xz";
sha256 = "0qh43qxqg4biyrrsd78nmi4dm3dnbswa95cq8db2k3lans517cc4";
name = "qtgraphs-everywhere-src-6.11.1.tar.xz";
};
};
qtgrpc = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtgrpc-everywhere-src-6.11.0.tar.xz";
sha256 = "0yd8jjxigaynv386f3cs1i743nm7yngciw346xqfil3chd8wpvcx";
name = "qtgrpc-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtgrpc-everywhere-src-6.11.1.tar.xz";
sha256 = "0l52w91hd2crq6zyh5a8arv07yixnwcr2pya74bxpk2hqpq08ys3";
name = "qtgrpc-everywhere-src-6.11.1.tar.xz";
};
};
qthttpserver = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qthttpserver-everywhere-src-6.11.0.tar.xz";
sha256 = "16wqglm8ws63qs7i769xy94bygwbhkz7hjfw27hnps7d4yirb41b";
name = "qthttpserver-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qthttpserver-everywhere-src-6.11.1.tar.xz";
sha256 = "01p7li9fvwnz2shx3d9wj9nnnnipya2q0whchyvgjqb8yzy71gq4";
name = "qthttpserver-everywhere-src-6.11.1.tar.xz";
};
};
qtimageformats = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtimageformats-everywhere-src-6.11.0.tar.xz";
sha256 = "1j0cjj7gxjbprszw349janl3zk38rkby1bmxil329zp2qlmb1bfk";
name = "qtimageformats-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtimageformats-everywhere-src-6.11.1.tar.xz";
sha256 = "04y4pa5krrpyiqn039d6m8bzcxj6pa1m850rz3bmw5xc8ml6rgxj";
name = "qtimageformats-everywhere-src-6.11.1.tar.xz";
};
};
qtlanguageserver = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtlanguageserver-everywhere-src-6.11.0.tar.xz";
sha256 = "1gq5yjvk6iyg606pgpxkb136qlz9hpb7ngll81nhiyb1ym1y9j0v";
name = "qtlanguageserver-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtlanguageserver-everywhere-src-6.11.1.tar.xz";
sha256 = "1vwavpi8swgs88pfjfddnb9cmsb4k1sjcgywp2rsnm6ay8vqa02h";
name = "qtlanguageserver-everywhere-src-6.11.1.tar.xz";
};
};
qtlocation = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtlocation-everywhere-src-6.11.0.tar.xz";
sha256 = "1vxb6n8xf98zcg2bw29gsaqa74sg6jn9ilzs8c5b9q79i9m3if49";
name = "qtlocation-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtlocation-everywhere-src-6.11.1.tar.xz";
sha256 = "06z4hbiqki5chhmph131s71czyrjpnjvy3rxb4560vwy55vwx49p";
name = "qtlocation-everywhere-src-6.11.1.tar.xz";
};
};
qtlottie = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtlottie-everywhere-src-6.11.0.tar.xz";
sha256 = "02ndplkk4bq01b0fh9l2ykw09v0k5nbsayrs9wcjwrdwg5law8rg";
name = "qtlottie-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtlottie-everywhere-src-6.11.1.tar.xz";
sha256 = "0y969gp64imwh49d5zbnw0wi2yva9fsp6qn58617rs9kvkdzml70";
name = "qtlottie-everywhere-src-6.11.1.tar.xz";
};
};
qtmultimedia = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtmultimedia-everywhere-src-6.11.0.tar.xz";
sha256 = "0h30l8zflkla7rcshgs0jfjbjwvq9rqx0wq83f6vd0x9lz0cmi4h";
name = "qtmultimedia-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtmultimedia-everywhere-src-6.11.1.tar.xz";
sha256 = "02lvq1jk6m67m6z0w7vdzxhzmi441j8avvp79mfclfpfvm98w3rr";
name = "qtmultimedia-everywhere-src-6.11.1.tar.xz";
};
};
qtnetworkauth = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtnetworkauth-everywhere-src-6.11.0.tar.xz";
sha256 = "1mqly8had79f54dlygh42jr0c0jfiv4j4w2rbr0s7qx9nk9ig342";
name = "qtnetworkauth-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtnetworkauth-everywhere-src-6.11.1.tar.xz";
sha256 = "0gan2qjv97d1387jqaiis2gigm6lz5jbk1k10x13w0yc5kr5n7cz";
name = "qtnetworkauth-everywhere-src-6.11.1.tar.xz";
};
};
qtopenapi = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtopenapi-everywhere-src-6.11.0.tar.xz";
sha256 = "1h2pcq6i72yic0r7ns36vj678d1xqy291jamqd6b6jkjddmj1hlg";
name = "qtopenapi-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtopenapi-everywhere-src-6.11.1.tar.xz";
sha256 = "0nzl95w5pbfd6mfb6rzv6arz09pcm6siz1n07pgm9rrdr6z083a4";
name = "qtopenapi-everywhere-src-6.11.1.tar.xz";
};
};
qtpositioning = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtpositioning-everywhere-src-6.11.0.tar.xz";
sha256 = "1scnnz65qyfg0nl9vjkqcss8xsw3yf91w71d9p1kwlfybscd07yn";
name = "qtpositioning-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtpositioning-everywhere-src-6.11.1.tar.xz";
sha256 = "1xbq1xjjbhb41lfp9mli8a5rgqf5pniswv0161v6wa5f04cbkrnm";
name = "qtpositioning-everywhere-src-6.11.1.tar.xz";
};
};
qtquick3d = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquick3d-everywhere-src-6.11.0.tar.xz";
sha256 = "1549gdb3yxj1bpl54kgnkkhzjx0zxqi71ssp4rj6qnz56fxh085l";
name = "qtquick3d-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquick3d-everywhere-src-6.11.1.tar.xz";
sha256 = "0vs5bcz62r32gin0g4lb6wdmqrv0ypzar1s9wsza98la7zg8asy7";
name = "qtquick3d-everywhere-src-6.11.1.tar.xz";
};
};
qtquick3dphysics = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquick3dphysics-everywhere-src-6.11.0.tar.xz";
sha256 = "0dcx9913xss435cijx5bzckvsn66qfi6c39rx0gyv9iiys76qym5";
name = "qtquick3dphysics-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquick3dphysics-everywhere-src-6.11.1.tar.xz";
sha256 = "1bvrmjb6m0ynq00ybdghvkbmwm237vff23ng8n4njysf05pns26i";
name = "qtquick3dphysics-everywhere-src-6.11.1.tar.xz";
};
};
qtquickeffectmaker = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquickeffectmaker-everywhere-src-6.11.0.tar.xz";
sha256 = "05fpv497rmx2lw7gx05sxyxjwx8gq8fbbnkzhnw73pk2xqzq20mc";
name = "qtquickeffectmaker-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquickeffectmaker-everywhere-src-6.11.1.tar.xz";
sha256 = "0sqk8hkkdibv0ayxrvpcbgj3dcwfngpd6qjp2xm15pcbx1q3xrng";
name = "qtquickeffectmaker-everywhere-src-6.11.1.tar.xz";
};
};
qtquicktimeline = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquicktimeline-everywhere-src-6.11.0.tar.xz";
sha256 = "1micycw7m25gw0bgbfq7bnr7cg7qrjj2r69320rglc8lak6f3nq6";
name = "qtquicktimeline-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquicktimeline-everywhere-src-6.11.1.tar.xz";
sha256 = "09wcx83yxif8r4v81h2jfj3wlj60wnc9k4dsp7hlah4yzm1zclxg";
name = "qtquicktimeline-everywhere-src-6.11.1.tar.xz";
};
};
qtremoteobjects = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtremoteobjects-everywhere-src-6.11.0.tar.xz";
sha256 = "15yykbaxqc6v2flgjvn92w7gwfvi820dg4cxkjxcfhpix2m21571";
name = "qtremoteobjects-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtremoteobjects-everywhere-src-6.11.1.tar.xz";
sha256 = "06hiiyjpcgn8dp9jmgxj30nlrw73rqb869f0m63scccmqsarhqj0";
name = "qtremoteobjects-everywhere-src-6.11.1.tar.xz";
};
};
qtscxml = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtscxml-everywhere-src-6.11.0.tar.xz";
sha256 = "1rylchpvzldy7hhr3icr85w8m4hf7wch17yqh368yrn3q19klf3c";
name = "qtscxml-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtscxml-everywhere-src-6.11.1.tar.xz";
sha256 = "0gr0j09isxgii3aivfvr35x40d9n0kj0g2icc7g7bzniwm2m4jcf";
name = "qtscxml-everywhere-src-6.11.1.tar.xz";
};
};
qtsensors = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtsensors-everywhere-src-6.11.0.tar.xz";
sha256 = "1iy33w7gjp06xi4342si979q9w84cvbbk90kxmk2gx69icjjja21";
name = "qtsensors-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtsensors-everywhere-src-6.11.1.tar.xz";
sha256 = "13ygry3lybkgci6gkrd7k081l01icavzkiyy4g82drbvv9i70q93";
name = "qtsensors-everywhere-src-6.11.1.tar.xz";
};
};
qtserialbus = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtserialbus-everywhere-src-6.11.0.tar.xz";
sha256 = "1qfs9zqvz3hf16w8gg6nlwxcv6sz72546pds02dabhkcw47nqvmh";
name = "qtserialbus-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtserialbus-everywhere-src-6.11.1.tar.xz";
sha256 = "02pj4jnxc4afl5ymv7w8asggpg0hdj3dbnwwcqd305b8il69qv64";
name = "qtserialbus-everywhere-src-6.11.1.tar.xz";
};
};
qtserialport = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtserialport-everywhere-src-6.11.0.tar.xz";
sha256 = "111pmva70mcffhq09q2h1gcr03fivs9j2ywx4ib00pbyxfvr4ii6";
name = "qtserialport-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtserialport-everywhere-src-6.11.1.tar.xz";
sha256 = "0x1r5l3kx7riprf0b2api0bcg0z755fq9vbgmx7px6pxiy4imwws";
name = "qtserialport-everywhere-src-6.11.1.tar.xz";
};
};
qtshadertools = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtshadertools-everywhere-src-6.11.0.tar.xz";
sha256 = "0jp1sb9pl7y821awln7rpk0hz7d5ipwnkqhy51caich9i2pb2g74";
name = "qtshadertools-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtshadertools-everywhere-src-6.11.1.tar.xz";
sha256 = "1z42r414jid12jmhm1yf5kw44j886w01igav0kggkg13kcphax90";
name = "qtshadertools-everywhere-src-6.11.1.tar.xz";
};
};
qtspeech = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtspeech-everywhere-src-6.11.0.tar.xz";
sha256 = "08fv8v6rvcv0pa6r52kr2na2rcpjr3yk556ksinnh6aslv8qbid9";
name = "qtspeech-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtspeech-everywhere-src-6.11.1.tar.xz";
sha256 = "051z4yf22hkqhy3pkgxq8s77x06k4cd70i9jcmd8f99004cc6df0";
name = "qtspeech-everywhere-src-6.11.1.tar.xz";
};
};
qtsvg = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtsvg-everywhere-src-6.11.0.tar.xz";
sha256 = "1rih59jsn0wq12gq5gbs1cz9by27x2x4wjpd0ya7s207pr9xda6z";
name = "qtsvg-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtsvg-everywhere-src-6.11.1.tar.xz";
sha256 = "154adaicyy5wyz6yc95g3lm4iw9v2zdsd7l5qp107gr490pz0g3z";
name = "qtsvg-everywhere-src-6.11.1.tar.xz";
};
};
qttasktree = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qttasktree-everywhere-src-6.11.0.tar.xz";
sha256 = "0kxkm3qvzw5i5x2ads6skpz8z6shbn2msznmr614yvsdgiga4yjr";
name = "qttasktree-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qttasktree-everywhere-src-6.11.1.tar.xz";
sha256 = "1mjdwy3i24ggn2g82z5pg3grzhnaxmq7nmvdc7ba8dsdixzvjam2";
name = "qttasktree-everywhere-src-6.11.1.tar.xz";
};
};
qttools = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qttools-everywhere-src-6.11.0.tar.xz";
sha256 = "0xpwv483zrw3jkajhv9sbr7bm95qahxg770vn1jqk10hg8yrkcfg";
name = "qttools-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qttools-everywhere-src-6.11.1.tar.xz";
sha256 = "03gmr9zpf0raqcvqk2cpw9lblw907hsl5cb5c2fgm4wwcxd86qcf";
name = "qttools-everywhere-src-6.11.1.tar.xz";
};
};
qttranslations = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qttranslations-everywhere-src-6.11.0.tar.xz";
sha256 = "0mpy3y76n1jw2prhad9rqyn48miqlmqg3581jgzr4s1iwhpqpx2l";
name = "qttranslations-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qttranslations-everywhere-src-6.11.1.tar.xz";
sha256 = "0xsnxhiqc3ybwvyn1jbhdf1sjmcf7v4mma6w9sxwg535420jrh1p";
name = "qttranslations-everywhere-src-6.11.1.tar.xz";
};
};
qtvirtualkeyboard = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtvirtualkeyboard-everywhere-src-6.11.0.tar.xz";
sha256 = "11p6m1s7r7q2y6a2ak5lyzfd2907s2skfa630snf64x32cblp2nq";
name = "qtvirtualkeyboard-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtvirtualkeyboard-everywhere-src-6.11.1.tar.xz";
sha256 = "073y02qmpwxxdqc4pkm6k9frghsjg1zppg2hip5b4hv269xrdim1";
name = "qtvirtualkeyboard-everywhere-src-6.11.1.tar.xz";
};
};
qtwayland = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwayland-everywhere-src-6.11.0.tar.xz";
sha256 = "0dsdv1d4p1wf0sqd26cmj486bvwlprmqzmjddsw24agrc3kyc477";
name = "qtwayland-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwayland-everywhere-src-6.11.1.tar.xz";
sha256 = "1cyr5frhglp2krxvpnqk9q426rgp6nr34ngnxpa42m7p0ajqly4m";
name = "qtwayland-everywhere-src-6.11.1.tar.xz";
};
};
qtwebchannel = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebchannel-everywhere-src-6.11.0.tar.xz";
sha256 = "097vm6pxh18bil9ld9cxg50v861nyhaha4f6bjfjqph1icx18ip9";
name = "qtwebchannel-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebchannel-everywhere-src-6.11.1.tar.xz";
sha256 = "10ld2nh6gd1v2ssbgqlf6w0lsjlqkjdfwqv85mn5krnnf45vbyv9";
name = "qtwebchannel-everywhere-src-6.11.1.tar.xz";
};
};
qtwebengine = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebengine-everywhere-src-6.11.0.tar.xz";
sha256 = "0dk72k92zp19jkph1vl88l2dyrh105v6cycsxln1anfxnb423fb3";
name = "qtwebengine-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebengine-everywhere-src-6.11.1.tar.xz";
sha256 = "10vhcvw8j60n0mf38bi3fjcx5v1i0cbfyn4wbqhzqn61qv66d737";
name = "qtwebengine-everywhere-src-6.11.1.tar.xz";
};
};
qtwebsockets = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebsockets-everywhere-src-6.11.0.tar.xz";
sha256 = "0cnh67ncfh0gvpqfiqhr0cpmswq9zysza130axlmh69mzg8i17sn";
name = "qtwebsockets-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebsockets-everywhere-src-6.11.1.tar.xz";
sha256 = "1gvgci383dfm4sljqlapdiva7jhks1i2z2ayck0wbj1436hklgi4";
name = "qtwebsockets-everywhere-src-6.11.1.tar.xz";
};
};
qtwebview = {
version = "6.11.0";
version = "6.11.1";
src = fetchurl {
url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebview-everywhere-src-6.11.0.tar.xz";
sha256 = "1cy4x331h0f4d5l8c18xrvdq6hwz7r16qd1xhr8gdm8j9bcsw3nb";
name = "qtwebview-everywhere-src-6.11.0.tar.xz";
url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebview-everywhere-src-6.11.1.tar.xz";
sha256 = "0g8k4xs7b0s474x00ds4i8q9b164icdgrdg8ngln10nmf3pwhqld";
name = "qtwebview-everywhere-src-6.11.1.tar.xz";
};
};
}

View file

@ -170,7 +170,7 @@ let
in
stdenv.mkDerivation (finalAttrs: {
pname = "openblas";
version = "0.3.32";
version = "0.3.33";
outputs = [
"out"
@ -181,7 +181,7 @@ stdenv.mkDerivation (finalAttrs: {
owner = "OpenMathLib";
repo = "OpenBLAS";
rev = "v${finalAttrs.version}";
hash = "sha256-D0Wu5Ew72aTqSjj970yOfAwPg1T4Qm6zmpaGlQ/5Q1k=";
hash = "sha256-EArf0K2Gs+w8IRD5wkMOQv79e8yMoTgQfa9kzjXKn3Y=";
};
patches = [
@ -190,13 +190,13 @@ stdenv.mkDerivation (finalAttrs: {
# INCLUDEDIR already fixed in upstream HEAD & significant refactor
# to config gen so not PRing changes
./cmake-include-fixes.patch
# Fix build on LoongArch (error: '_Float16' is not supported on this target)
# This was an attempted fix for the below commit but still leaves some scipy tests failing.
(fetchpatch {
url = "https://github.com/OpenMathLib/OpenBLAS/commit/7086a1b075ca317e12cfe79d40a32ad342a30496.patch";
hash = "sha256-pA3HK2f2MJr/+h/uale7edIYk/KH194EscYFcsujPXY=";
url = "https://github.com/OpenMathLib/OpenBLAS/commit/e3ce4623c299068bbd47c35ee87aab334bac73b1.patch";
revert = true;
hash = "sha256-WrP3RCDk/EbpqVOw9XGLnFI+6/bBGJTIrt2TRYGLVQ4=";
})
# This commit led to miscompilation of certain ASIMD extensions code paths.
# There was an attempted fix in upstream but this still leaves some scipy tests failing.
(fetchpatch {
url = "https://github.com/OpenMathLib/OpenBLAS/commit/3f6e928d34aca977bd5d4191e6d2c2338a342.patch";
revert = true;

View file

@ -8,14 +8,14 @@
buildPythonPackage (finalAttrs: {
pname = "aiodns";
version = "4.0.0";
version = "4.0.4";
pyproject = true;
src = fetchFromGitHub {
owner = "saghul";
repo = "aiodns";
tag = "v${finalAttrs.version}";
hash = "sha256-/iYkhzN01+NaUfMXaM39IvlEKfoKc29+f0S4y0y3GG8=";
hash = "sha256-TLiiSRhZaEbHeyrQPk8uvj10VEttRanYEgkBy7DxH4Y=";
};
build-system = [ setuptools ];

View file

@ -49,6 +49,8 @@ buildPythonPackage rec {
pythonImportsCheck = [ "asgi_csrf" ];
meta = {
# https://github.com/simonw/asgi-csrf/issues/38
broken = lib.versionAtLeast python-multipart.version "0.0.26";
description = "ASGI middleware for protecting against CSRF attacks";
license = lib.licenses.asl20;
homepage = "https://github.com/simonw/asgi-csrf";

View file

@ -69,6 +69,13 @@ buildPythonPackage rec {
"test_update_docs"
];
disabledTestPaths = [
# unexpected exit code afer nodejs_24 24.16.0 update
"test/integration/test_quickstart_templates.py::TestQuickStartTemplates::test_templates"
"test/integration/test_quickstart_templates_non_strict.py::TestQuickStartTemplates::test_module_integration"
"test/integration/test_quickstart_templates_non_strict.py::TestQuickStartTemplates::test_templates"
];
pythonImportsCheck = [ "cfnlint" ];
meta = {

View file

@ -41,14 +41,14 @@
buildPythonPackage rec {
pname = "django";
version = "5.2.14";
version = "5.2.15";
pyproject = true;
src = fetchFromGitHub {
owner = "django";
repo = "django";
tag = version;
hash = "sha256-gb/4WL2VLoqRucpXuKyPsMSwKZ6gaxy5JA7QTeeazjk=";
hash = "sha256-K9yFHr3IkVNMqoeumESszVlju2fW2r8hS8z6M2OdVpE=";
};
patches = [

View file

@ -20,14 +20,14 @@
buildPythonPackage (finalAttrs: {
pname = "fakeredis";
version = "2.35.1";
version = "2.36.2";
pyproject = true;
src = fetchFromGitHub {
owner = "cunla";
repo = "fakeredis-py";
tag = "v${finalAttrs.version}";
hash = "sha256-euhWKXFERpRoXX7G81ffAygt5e1mt7uy9Y9zAGacu38=";
hash = "sha256-vOQBezPsgcjSUigCiW7Q+VueUTtQm3Y7hhB0mTstwKM=";
};
build-system = [ hatchling ];

View file

@ -45,14 +45,14 @@
buildPythonPackage rec {
pname = "fastapi";
version = "0.135.3";
version = "0.136.3";
pyproject = true;
src = fetchFromGitHub {
owner = "tiangolo";
repo = "fastapi";
tag = version;
hash = "sha256-sE5d+MgmP9L+MUosRBsR+KSJkcC9i2EOOtKHq0sXjRM=";
hash = "sha256-lfmk8ZveKPukEEfwWq2mKtWmOHAtVzGuE5BsOskDzh0=";
};
build-system = [ pdm-backend ];

View file

@ -31,14 +31,14 @@
buildPythonPackage (finalAttrs: {
pname = "fasthtml";
version = "0.12.48";
version = "0.13.3";
pyproject = true;
src = fetchFromGitHub {
owner = "AnswerDotAI";
repo = "fasthtml";
tag = finalAttrs.version;
hash = "sha256-lMAuIw4sMkS3XSG/0Bs0iQPSjMusbmjUKv0w4cINwas=";
hash = "sha256-PS5HGegC6pG/bJAGrKDsRYguBnNS9EDrZIjWvjErO4M=";
};
build-system = [

View file

@ -195,7 +195,8 @@ buildPythonPackage rec {
openpyxl
xlrd
]
++ lib.concatAttrValues optional-dependencies;
# datasette is transitively broken by asgi-csrf
++ lib.concatAttrValues (lib.removeAttrs optional-dependencies [ "datasette" ]);
disabledTestPaths = [
# Requires optional dependencies that have not been packaged (commented out above)

View file

@ -8,14 +8,14 @@
buildPythonPackage rec {
pname = "mistune";
version = "3.2.0";
version = "3.2.1";
pyproject = true;
src = fetchFromGitHub {
owner = "lepture";
repo = "mistune";
tag = "v${version}";
hash = "sha256-rUEZNVuMT5+GsMakrkK6rshKSKtTTN72kK92AmQ8bl8=";
hash = "sha256-8AEEh/SWAk/Esq0jAoZGLw1FIQUw6C5Xq8CgnI2fjv0=";
};
build-system = [ setuptools ];

View file

@ -30,6 +30,7 @@ buildPythonPackage rec {
dependencies = [
bcrypt
cryptography
invoke
pynacl
];
@ -39,7 +40,6 @@ buildPythonPackage rec {
gssapi
];
ed25519 = [ ];
invoke = [ invoke ];
};
nativeCheckInputs = [

View file

@ -77,6 +77,17 @@ buildPythonPackage rec {
disabledTests = [
# Time sensitive speed test, not reproducible
"test_decode_threads"
# Tests failing with libheif 1.22.0. To be removed in the next release
# https://github.com/bigcat88/pillow_heif/issues/424
# these check what happens when the ispe is not valid
"test_numpy_array_invalid_ispe"
"test_allow_incorrect_headers"
"test_invalid_ispe_ok"
"test_invalid_ispe_allow"
"test_invalid_ispe_stride"
"test_invalid_ispe_stride_pillow"
# disable version check for libheif
"test_libheif_info"
]
++ lib.optionals stdenv.hostPlatform.isDarwin [
# https://github.com/bigcat88/pillow_heif/issues/89

View file

@ -13,14 +13,14 @@
buildPythonPackage rec {
pname = "pyjwt";
version = "2.12.1";
version = "2.13.0";
pyproject = true;
src = fetchFromGitHub {
owner = "jpadilla";
repo = "pyjwt";
tag = version;
hash = "sha256-wgOa5JhQT82ppoad6s8gPH7tGRNbbVWmJaaDF84d+r0=";
hash = "sha256-q4ynXCJVDsyZh70439dloyWgRTLVm+elDOahUVOT5vA=";
};
outputs = [

View file

@ -2,10 +2,8 @@
lib,
buildPythonPackage,
fetchFromGitHub,
fetchpatch,
hatchling,
pytestCheckHook,
mock,
pyyaml,
# for passthru.tests
@ -18,32 +16,22 @@
buildPythonPackage (finalAttrs: {
pname = "python-multipart";
version = "0.0.22";
version = "0.0.29";
pyproject = true;
src = fetchFromGitHub {
owner = "Kludex";
repo = "python-multipart";
tag = finalAttrs.version;
hash = "sha256-UegnwGxiXQalbp18t1dl2JOQH6BY975cpBa9uo3SOuk=";
hash = "sha256-1aV7gWLuulINesm3L8Wm3+prmeD9+OY/ihm36rtQPRs=";
};
patches = [
(fetchpatch {
name = "CVE-2026-40347-part-1.patch";
url = "https://github.com/Kludex/python-multipart/commit/6a7b76dd2653d99d8e5981d7ff09a4a047750b37.patch";
hash = "sha256-W1nyYMMoaf+lsNze3ppPeAXN+swG1dScDibazePSt+k=";
})
./CVE-2026-40347-part-2.patch
];
build-system = [ hatchling ];
pythonImportsCheck = [ "python_multipart" ];
nativeCheckInputs = [
pytestCheckHook
mock
pyyaml
];

View file

@ -27,14 +27,14 @@
buildPythonPackage rec {
pname = "starlette";
version = "0.52.1";
version = "1.1.0";
pyproject = true;
src = fetchFromGitHub {
owner = "encode";
repo = "starlette";
tag = version;
hash = "sha256-XPAeRnh9a0A1/5VGZzzGQBhlBsih1VR8QmFdkxG5cQE=";
hash = "sha256-9iQXlpA1VDGw1c7X1zJPmJ3Dub46PwqrVIX1+fWOZ7M=";
};
build-system = [ hatchling ];

View file

@ -40,11 +40,20 @@ buildPythonPackage rec {
};
patches = [
# valkey 9.0 compat
(fetchpatch {
# valkey 9.0 compat
url = "https://github.com/valkey-io/valkey-py/commit/c01505e547f614f278b882a016557b6ed652bb9f.patch";
hash = "sha256-rvA65inIioqdc+QV4KaaUv1I/TMZUq0TWaFJcJiy8NU=";
})
# valkey 9.1 compat
(fetchpatch {
url = "https://github.com/valkey-io/valkey-py/commit/df5c44903dc8e2dda733e5576324ba0ff8c4c6a0.patch";
hash = "sha256-0wsWuaOYWBgf6BjlJuciZYRbugYfchTU2khQX7rtRJg=";
})
(fetchpatch {
url = "https://github.com/valkey-io/valkey-py/commit/046c7fb9e8260c2d69d05141b1519903c4e40efe.patch";
hash = "sha256-/yN1y0hbmBR6o6ab4h0qkn/qhU6jASOIeqWhxUi5w/I=";
})
];
build-system = [ setuptools ];

View file

@ -8,14 +8,14 @@
buildPythonPackage rec {
pname = "xmltodict";
version = "1.0.2";
version = "1.0.4";
pyproject = true;
src = fetchFromGitHub {
owner = "martinblech";
repo = "xmltodict";
tag = "v${version}";
hash = "sha256-gnTNkh0GLfRmjMsLhfvpNrewfinNOhem0i3wzIZvKpA=";
hash = "sha256-G7hVtS6toUJC0YY1AXBOJSc3wnAZyWilLnT/5vvFRRw=";
};
build-system = [ setuptools ];

View file

@ -47,7 +47,7 @@
uvwasi,
zlib,
zstd,
icu,
icu78,
bash,
ninja,
pkgconf,
@ -274,7 +274,7 @@ let
# that use bash wrappers, e.g. polaris-web.
buildInputs = [
bash
icu
icu78
]
++ builtins.attrValues sharedLibDeps;

View file

@ -23,8 +23,8 @@ let
[ ];
in
buildNodejs {
version = "24.15.0";
sha256 = "a4f653d79ed140aaad921e8c22a3b585ca85cfdab80d4030f6309e4663a8a1c8";
version = "24.16.0";
sha256 = "2ff84a6de70b6165290111b0fc656ded1ad207a799816fe720cc7c31232df30f";
patches =
(
if (stdenv.hostPlatform.emulatorAvailable buildPackages) then
@ -56,13 +56,6 @@ buildNodejs {
./use-correct-env-in-tests.patch
./bin-sh-node-run-v22.patch
./use-nix-codesign.patch
# https://github.com/NixOS/nixpkgs/pull/507974#issuecomment-4249433124
# OpenSSL reports different errors
# https://github.com/nodejs/node/pull/62629
(fetchpatch2 {
url = "https://github.com/nodejs/node/commit/dd25d8f29d3ddadcf5a5ebfdf98ece55f9df96c6.patch?full_index=1";
hash = "sha256-6cxRN7TyWmJgUZt3jp2YXbVIjrDb2BNep5LxBOtT3Q0=";
})
# Patch for nghttp2 1.69 support
(fetchpatch2 {

View file

@ -24,6 +24,7 @@
libqalculate,
pipewire,
gpsd,
fetchpatch,
}:
mkKdeDerivation {
pname = "plasma-workspace";
@ -41,6 +42,12 @@ mkKdeDerivation {
# stop accidentally duplicating fontconfig configs
./fontconfig.patch
# backport qt 6.11.1 regression workaround
(fetchpatch {
url = "https://invent.kde.org/plasma/plasma-workspace/-/commit/31a64dfa1a71ab1b6a495f2f44132c86858acb8f.diff";
hash = "sha256-j+AEdDlutDuXmYdK8BJH8bgDF9gieCkbFJK8di+9nxk=";
})
];
outputs = [

View file

@ -201,13 +201,13 @@ let
in
stdenv.mkDerivation (finalAttrs: {
inherit pname;
version = "260.1";
version = "260.2";
src = fetchFromGitHub {
owner = "systemd";
repo = "systemd";
rev = "v${finalAttrs.version}";
hash = "sha256-FUKj3lvjz8TIsyu8NyJYtiNele+1BhdJPdw7r7nW6as=";
hash = "sha256-NXmmSV7/9WIW6C8wjdOwaerCy4v7Zcrd8+XDzcS8rEk=";
};
# PATCH POLICY

View file

@ -50,5 +50,8 @@ stdenv.mkDerivation (finalAttrs: {
pkgConfigModules = [ "bz2" ];
platforms = lib.platforms.all;
maintainers = [ ];
knownVulnerabilities = [
"CVE-2026-42250"
];
};
})

View file

@ -30,6 +30,9 @@ stdenv.mkDerivation (
patchFlags = [ "-p0" ];
patches = [
# https://sourceware.org/cgit/bzip2/patch/?id=35d122a3df8b0cc4082a4d89fdc6ee99f375fe67
./patches/CVE-2026-42250.patch
./patches/bzip2-1.0.6.2-autoconfiscated.patch
];
# Fix up hardcoded version from the above patch, e.g. seen in bzip2.pc or libbz2.so.1.0.N

View file

@ -0,0 +1,34 @@
From 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mark@klomp.org>
Date: Thu, 28 May 2026 16:15:45 +0200
Subject: bzip2recover: Make sure to not process more than
BZ_MAX_HANDLED_BLOCKS
There is an off-by-one in the check before calling tooManyBlocks. This
causes the scanning loop to run one more time and cause a possible
read or write one past the global bStart, bEnd, rbStart and rbEnd
buffers. There are no known exploits of this issue and you will need
to compile with something like gcc -fsanitize=address (ASAN
AddressSanitizer) to observe the faulty read/write.
This has been assigned CVE-2026-42250.
---
bzip2recover.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git bzip2recover.c bzip2recover.c
index a8131e0..4b1c219 100644
--- bzip2recover.c
+++ bzip2recover.c
@@ -402,7 +402,7 @@ Int32 main ( Int32 argc, Char** argv )
rbEnd[rbCtr] = bEnd[currBlock];
rbCtr++;
}
- if (currBlock >= BZ_MAX_HANDLED_BLOCKS)
+ if (currBlock >= BZ_MAX_HANDLED_BLOCKS - 1)
tooManyBlocks(BZ_MAX_HANDLED_BLOCKS);
currBlock++;
--
cgit

View file

@ -15,8 +15,10 @@ stdenv.mkDerivation (finalAttrs: {
hash = "sha256-+Hzuae7CtPy/YKOWsDCtaqNBXxkqpffuhMrV4R9/WuM=";
};
# This test is filesystem-dependent - observed failing on ZFS
postPatch = lib.optionalString stdenv.hostPlatform.isFreeBSD ''
# This test is filesystem-dependent - observed failing on ZFS.
# It is also just plain flaky: it has been observed failing about 10%
# of the time on btrfs and ext4 too.
postPatch = ''
sed -E -i -e '/bad-filenames/d' tests/Makefile.am
'';

View file

@ -6770,8 +6770,8 @@ with pkgs;
zunclient = with python313Packages; toPythonApplication python-zunclient;
inherit (callPackages ../by-name/li/libressl { })
libressl_4_1
libressl_4_2
libressl_4_3
;
openssl = openssl_3_6;

View file

@ -16655,12 +16655,12 @@ with self;
};
};
HTTPDaemon = buildPerlPackage {
HTTPDaemon = buildPerlModule {
pname = "HTTP-Daemon";
version = "6.16";
version = "6.17";
src = fetchurl {
url = "mirror://cpan/authors/id/O/OA/OALDERS/HTTP-Daemon-6.16.tar.gz";
hash = "sha256-s40JJyXm+k4MTcKkfhVwcEkbr6Db4Wx4o1joBqp+Fz0=";
url = "mirror://cpan/authors/id/O/OA/OALDERS/HTTP-Daemon-6.17.tar.gz";
hash = "sha256-FigVgMQOIxCNAoQ0aYtdfVNje/kEyd+CJIHiU8vskgw=";
};
buildInputs = [
ModuleBuildTiny