Merge branch 'staging-26.05' into staging-next-26.05

This commit is contained in:
Vladimír Čunát 2026-07-06 09:28:34 +02:00
commit 9ac4887409
No known key found for this signature in database
GPG key ID: E747DF1F9575A3AA
72 changed files with 1060 additions and 605 deletions

View file

@ -103,6 +103,14 @@ stdenv.mkDerivation (finalAttrs: {
# Fix path to ps2pdf binary
inherit ghostscript;
})
# https://gitlab.com/inkscape/inkscape/-/merge_requests/7919
(fetchpatch {
name = "fix-build-poppler-26.05.0";
url = "https://gitlab.com/inkscape/inkscape/-/commit/98828255aa0c1212329236b3ff4ac7f41efb4a67.patch";
hash = "sha256-ujUl0SxZyb/TyJRmq1ETNn5W8lDDNn3JqHQQQPU5klA=";
})
# https://gitlab.com/inkscape/inkscape/-/merge_requests/7968
./fix-build-poppler-26.06.0.patch
];
postPatch = ''

View file

@ -0,0 +1,487 @@
From 35a470d9cbff50467cc700bc17ab2c4e8f5cf0bc Mon Sep 17 00:00:00 2001
From: KrIr17 <elendil.krir17@gmail.com>
Date: Mon, 8 Jun 2026 20:16:32 +0200
Subject: [PATCH] Fix Building with Poppler 26.06.0
- pdfparser: Some `const PDFRectangle *` to `const PDFRectangle &` [1]
- pdfparser: Some `const GfxColor *` to `const GfxColor &` [2]
- pdf-utils: Add a `getRect(const PDFRectangle &)` alongside `getRect(const
PDFRectangle *)`
- poppler-cairo-font-engine: `getKey()` now returns std::string and not
char[], so change `strcmp` to `std::string(...).compare(...)` [3]
- poppler-utils: `obj->dictGetKey()` etc. were removed; use
`obj->dict()->getKey()` instead (these have also existed in poppler
since the beginning, so shouldn't break any old poppler) [4,5]
- svg-builder: `convertGfxColor` now takes `const GfxColor &` as input.
A convenience function taking `const GfxColor *` (for older poppler)
now calls the new one after confirming `color` is a valid pointer
- svg-builder: `_addStopToGradient` now takes `const GfxColor &` as
input. This was used only in `convertGfxColor` and therefore doesn't
need a helper function for compatibility
- testfiles pdf-utils-test: `<poppler/*.h>` to `<*.h>` (see e3eb1210)
- testfiles pdf-utils-test: Some `const PDFRectangle *`
to `const PDFRectangle &` [1]
Fixes https://gitlab.com/inkscape/inkscape/-/work_items/6210
Upstream Commits:
[1] https://gitlab.freedesktop.org/poppler/poppler/-/commit/d50a4510
[2] https://gitlab.freedesktop.org/poppler/poppler/-/commit/0f94f530
[3] https://gitlab.freedesktop.org/poppler/poppler/-/commit/a3de7f8a
[4] https://gitlab.freedesktop.org/poppler/poppler/-/commit/bb13b0f5
[5] https://gitlab.freedesktop.org/poppler/poppler/-/commit/8ae0f8e7
---
src/extension/internal/pdfinput/pdf-input.cpp | 14 +++++-
.../internal/pdfinput/pdf-parser.cpp | 45 ++++++++++---------
src/extension/internal/pdfinput/pdf-parser.h | 4 +-
src/extension/internal/pdfinput/pdf-utils.cpp | 5 +++
src/extension/internal/pdfinput/pdf-utils.h | 1 +
.../pdfinput/poppler-cairo-font-engine.cpp | 2 +-
.../pdfinput/poppler-transition-api.h | 16 +++++++
.../internal/pdfinput/poppler-utils.cpp | 20 +++++----
.../internal/pdfinput/svg-builder.cpp | 36 +++++++++------
src/extension/internal/pdfinput/svg-builder.h | 3 +-
testfiles/src/pdf-utils-test.cpp | 7 +--
11 files changed, 100 insertions(+), 53 deletions(-)
diff --git a/src/extension/internal/pdfinput/pdf-input.cpp b/src/extension/internal/pdfinput/pdf-input.cpp
index aa4285b01d..dc5394c3d8 100644
--- a/src/extension/internal/pdfinput/pdf-input.cpp
+++ b/src/extension/internal/pdfinput/pdf-input.cpp
@@ -820,7 +820,11 @@ PdfInput::add_builder_page(std::shared_ptr<PDFDoc>pdf_doc, SvgBuilder *builder,
}
// Apply crop settings
+#if POPPLER_CHECK_VERSION(26, 2, 0)
+ std::optional<PDFRectangle> clipToBox;
+#else
_POPPLER_CONST PDFRectangle *clipToBox = nullptr;
+#endif
if (crop_to == "media-box") {
clipToBox = page->getMediaBox();
@@ -834,8 +838,16 @@ PdfInput::add_builder_page(std::shared_ptr<PDFDoc>pdf_doc, SvgBuilder *builder,
clipToBox = page->getArtBox();
}
+ std::optional<PDFRectangle> cropBox;
+#if POPPLER_CHECK_VERSION(26, 2, 0)
+ cropBox = clipToBox;
+#else
+ if (clipToBox) {
+ cropBox = *clipToBox;
+ }
+#endif
// Create parser (extension/internal/pdfinput/pdf-parser.h)
- auto pdf_parser = PdfParser(pdf_doc, builder, page, clipToBox);
+ auto pdf_parser = PdfParser(pdf_doc, builder, page, cropBox);
// Set up approximation precision for parser. Used for converting Mesh Gradients into tiles.
if ( color_delta <= 0.0 ) {
diff --git a/src/extension/internal/pdfinput/pdf-parser.cpp b/src/extension/internal/pdfinput/pdf-parser.cpp
index b336c48ce3..86fc51b1f2 100644
--- a/src/extension/internal/pdfinput/pdf-parser.cpp
+++ b/src/extension/internal/pdfinput/pdf-parser.cpp
@@ -43,6 +43,7 @@
#include <poppler/GlobalParams.h>
#include <poppler/Lexer.h>
#include <poppler/Object.h>
+#include <poppler/OptionalContent.h>
#include <poppler/OutputDev.h>
#include <poppler/PDFDoc.h>
#include <poppler/Page.h>
@@ -264,7 +265,7 @@ GfxPatch blankPatch()
//------------------------------------------------------------------------
PdfParser::PdfParser(std::shared_ptr<PDFDoc> pdf_doc, Inkscape::Extension::Internal::SvgBuilder *builderA, Page *page,
- _POPPLER_CONST PDFRectangle *cropBox)
+ const std::optional<PDFRectangle> &cropBox)
: _pdf_doc(pdf_doc)
, xref(pdf_doc->getXRef())
, builder(builderA)
@@ -307,8 +308,8 @@ PdfParser::PdfParser(std::shared_ptr<PDFDoc> pdf_doc, Inkscape::Extension::Inter
builder->setMargins(getRect(page->getTrimBox()) * scale,
getRect(page->getArtBox()) * scale,
getRect(page->getBleedBox()) * scale);
- if (cropBox && getRect(cropBox) != page_box) {
- builder->cropPage(getRect(cropBox) * scale);
+ if (cropBox && getRect(*cropBox) != page_box) {
+ builder->cropPage(getRect(*cropBox) * scale);
}
saveState();
@@ -331,7 +332,7 @@ PdfParser::PdfParser(XRef *xrefA, Inkscape::Extension::Internal::SvgBuilder *bui
, printCommands(false)
, res(new GfxResources(xref, resDict, nullptr))
, // start the resource stack
- state(new GfxState(72, 72, box, 0, false))
+ state(new _POPPLER_GFX_STATE(72, 72, *box, 0, false))
, fontChanged(gFalse)
, clip(clipNone)
, ignoreUndef(0)
@@ -964,7 +965,7 @@ void PdfParser::opSetFillGray(Object args[], int /*numArgs*/)
state->setFillPattern(nullptr);
state->setFillColorSpace(_POPPLER_CONSUME_UNIQPTR_ARG(std::make_unique<GfxDeviceGrayColorSpace>()));
color.c[0] = dblToCol(args[0].getNum());
- state->setFillColor(&color);
+ state->_POPPLER_SET_FILL_COLOR(color);
builder->updateStyle(state);
}
@@ -976,7 +977,7 @@ void PdfParser::opSetStrokeGray(Object args[], int /*numArgs*/)
state->setStrokePattern(nullptr);
state->setStrokeColorSpace(_POPPLER_CONSUME_UNIQPTR_ARG(std::make_unique<GfxDeviceGrayColorSpace>()));
color.c[0] = dblToCol(args[0].getNum());
- state->setStrokeColor(&color);
+ state->_POPPLER_SET_STROKE_COLOR(color);
builder->updateStyle(state);
}
@@ -991,7 +992,7 @@ void PdfParser::opSetFillCMYKColor(Object args[], int /*numArgs*/)
for (i = 0; i < 4; ++i) {
color.c[i] = dblToCol(args[i].getNum());
}
- state->setFillColor(&color);
+ state->_POPPLER_SET_FILL_COLOR(color);
builder->updateStyle(state);
}
@@ -1005,7 +1006,7 @@ void PdfParser::opSetStrokeCMYKColor(Object args[], int /*numArgs*/)
for (int i = 0; i < 4; ++i) {
color.c[i] = dblToCol(args[i].getNum());
}
- state->setStrokeColor(&color);
+ state->_POPPLER_SET_STROKE_COLOR(color);
builder->updateStyle(state);
}
@@ -1019,7 +1020,7 @@ void PdfParser::opSetFillRGBColor(Object args[], int /*numArgs*/)
for (int i = 0; i < 3; ++i) {
color.c[i] = dblToCol(args[i].getNum());
}
- state->setFillColor(&color);
+ state->_POPPLER_SET_FILL_COLOR(color);
builder->updateStyle(state);
}
@@ -1032,7 +1033,7 @@ void PdfParser::opSetStrokeRGBColor(Object args[], int /*numArgs*/) {
for (int i = 0; i < 3; ++i) {
color.c[i] = dblToCol(args[i].getNum());
}
- state->setStrokeColor(&color);
+ state->_POPPLER_SET_STROKE_COLOR(color);
builder->updateStyle(state);
}
@@ -1048,7 +1049,7 @@ void PdfParser::opSetFillColorSpace(Object args[], int numArgs)
GfxColor color;
colorSpace->getDefaultColor(&color);
state->setFillColorSpace(_POPPLER_CONSUME_UNIQPTR_ARG(colorSpace));
- state->setFillColor(&color);
+ state->_POPPLER_SET_FILL_COLOR(color);
builder->updateStyle(state);
} else {
error(errSyntaxError, getPos(), "Bad color space (fill)");
@@ -1069,7 +1070,7 @@ void PdfParser::opSetStrokeColorSpace(Object args[], int numArgs)
GfxColor color;
colorSpace->getDefaultColor(&color);
state->setStrokeColorSpace(_POPPLER_CONSUME_UNIQPTR_ARG(colorSpace));
- state->setStrokeColor(&color);
+ state->_POPPLER_SET_STROKE_COLOR(color);
builder->updateStyle(state);
} else {
error(errSyntaxError, getPos(), "Bad color space (stroke)");
@@ -1089,7 +1090,7 @@ void PdfParser::opSetFillColor(Object args[], int numArgs) {
for (i = 0; i < numArgs; ++i) {
color.c[i] = dblToCol(args[i].getNum());
}
- state->setFillColor(&color);
+ state->_POPPLER_SET_FILL_COLOR(color);
builder->updateStyle(state);
}
@@ -1106,7 +1107,7 @@ void PdfParser::opSetStrokeColor(Object args[], int numArgs) {
for (i = 0; i < numArgs; ++i) {
color.c[i] = dblToCol(args[i].getNum());
}
- state->setStrokeColor(&color);
+ state->_POPPLER_SET_STROKE_COLOR(color);
builder->updateStyle(state);
}
@@ -1127,7 +1128,7 @@ void PdfParser::opSetFillColorN(Object args[], int numArgs) {
color.c[i] = dblToCol(args[i].getNum());
}
}
- state->setFillColor(&color);
+ state->_POPPLER_SET_FILL_COLOR(color);
builder->updateStyle(state);
}
if (auto pattern = lookupPattern(&(args[numArgs - 1]), state)) {
@@ -1146,7 +1147,7 @@ void PdfParser::opSetFillColorN(Object args[], int numArgs) {
color.c[i] = dblToCol(args[i].getNum());
}
}
- state->setFillColor(&color);
+ state->_POPPLER_SET_FILL_COLOR(color);
builder->updateStyle(state);
}
}
@@ -1170,7 +1171,7 @@ void PdfParser::opSetStrokeColorN(Object args[], int numArgs) {
color.c[i] = dblToCol(args[i].getNum());
}
}
- state->setStrokeColor(&color);
+ state->_POPPLER_SET_STROKE_COLOR(color);
builder->updateStyle(state);
}
if (auto pattern = lookupPattern(&(args[numArgs - 1]), state)) {
@@ -1189,7 +1190,7 @@ void PdfParser::opSetStrokeColorN(Object args[], int numArgs) {
color.c[i] = dblToCol(args[i].getNum());
}
}
- state->setStrokeColor(&color);
+ state->_POPPLER_SET_STROKE_COLOR(color);
builder->updateStyle(state);
}
}
@@ -1673,7 +1674,7 @@ void PdfParser::doFunctionShFill1(GfxFunctionShading *shading,
// use the center color
shading->getColor(xM, yM, &fillColor);
- state->setFillColor(&fillColor);
+ state->_POPPLER_SET_FILL_COLOR(fillColor);
// fill the rectangle
state->moveTo(x0 * matrix[0] + y0 * matrix[2] + matrix[4],
@@ -1799,7 +1800,7 @@ void PdfParser::gouraudFillTriangle(double x0, double y0, GfxColor *color0,
}
}
if (i == nComps || depth == maxDepths[pdfGouraudTriangleShading-1]) {
- state->setFillColor(color0);
+ state->_POPPLER_SET_FILL_COLOR(*color0);
state->moveTo(x0, y0);
state->lineTo(x1, y1);
state->lineTo(x2, y2);
@@ -1877,7 +1878,7 @@ void PdfParser::fillPatch(_POPPLER_CONST GfxPatch *patch, int nComps, int depth)
color.c[i] = GfxColorComp(patch->color[0][0].c[i]);
}
if (i == nComps || depth == maxDepths[pdfPatchMeshShading-1]) {
- state->setFillColor(&color);
+ state->_POPPLER_SET_FILL_COLOR(color);
state->moveTo(patch->x[0][0], patch->y[0][0]);
state->curveTo(patch->x[0][1], patch->y[0][1],
patch->x[0][2], patch->y[0][2],
diff --git a/src/extension/internal/pdfinput/pdf-parser.h b/src/extension/internal/pdfinput/pdf-parser.h
index 098ff26e26..29dd259167 100644
--- a/src/extension/internal/pdfinput/pdf-parser.h
+++ b/src/extension/internal/pdfinput/pdf-parser.h
@@ -113,8 +113,8 @@ struct OpHistoryEntry {
class PdfParser {
public:
- // Constructor for regular output.
- PdfParser(std::shared_ptr<PDFDoc> pdf_doc, SvgBuilder *builderA, Page *page, _POPPLER_CONST PDFRectangle *cropBox);
+ // Constructor for regular output.
+ PdfParser(std::shared_ptr<PDFDoc> pdf_doc, SvgBuilder *builderA, Page *page, const std::optional<PDFRectangle> &cropBox);
// Constructor for a sub-page object.
PdfParser(XRef *xrefA, SvgBuilder *builderA, Dict *resDict, _POPPLER_CONST PDFRectangle *box);
diff --git a/src/extension/internal/pdfinput/pdf-utils.cpp b/src/extension/internal/pdfinput/pdf-utils.cpp
index 22e5df62c8..3aa6c02d3c 100644
--- a/src/extension/internal/pdfinput/pdf-utils.cpp
+++ b/src/extension/internal/pdfinput/pdf-utils.cpp
@@ -133,6 +133,11 @@ Geom::Rect getRect(_POPPLER_CONST PDFRectangle *box)
return Geom::Rect(box->x1, box->y1, box->x2, box->y2);
}
+Geom::Rect getRect(const PDFRectangle &box)
+{
+ return Geom::Rect(box.x1, box.y1, box.x2, box.y2);
+}
+
Geom::PathVector getPathV(GfxPath *path)
{
if (!path) {
diff --git a/src/extension/internal/pdfinput/pdf-utils.h b/src/extension/internal/pdfinput/pdf-utils.h
index d259a8c2f7..30e9b5bf86 100644
--- a/src/extension/internal/pdfinput/pdf-utils.h
+++ b/src/extension/internal/pdfinput/pdf-utils.h
@@ -59,6 +59,7 @@ private:
};
Geom::Rect getRect(_POPPLER_CONST PDFRectangle *box);
+Geom::Rect getRect(_POPPLER_CONST PDFRectangle &box);
Geom::PathVector getPathV(GfxPath *gPath);
#endif /* PDF_UTILS_H */
diff --git a/src/extension/internal/pdfinput/poppler-cairo-font-engine.cpp b/src/extension/internal/pdfinput/poppler-cairo-font-engine.cpp
index 19ebd26693..39ce22af38 100644
--- a/src/extension/internal/pdfinput/poppler-cairo-font-engine.cpp
+++ b/src/extension/internal/pdfinput/poppler-cairo-font-engine.cpp
@@ -713,7 +713,7 @@ CairoType3Font *CairoType3Font::create(GfxFont *gfxFont, PDFDoc *doc, CairoFontE
codeToGID[i] = 0;
if (charProcs && (name = enc[i])) {
for (int j = 0; j < charProcs->getLength(); j++) {
- if (strcmp(name, charProcs->getKey(j)) == 0) {
+ if (std::string(charProcs->getKey(j)).compare(name) == 0) {
codeToGID[i] = j;
}
}
diff --git a/src/extension/internal/pdfinput/poppler-transition-api.h b/src/extension/internal/pdfinput/poppler-transition-api.h
index d69829d512..23550a3068 100644
--- a/src/extension/internal/pdfinput/poppler-transition-api.h
+++ b/src/extension/internal/pdfinput/poppler-transition-api.h
@@ -15,6 +15,22 @@
#include <glib/poppler-features.h>
#include <UTF.h>
+#if POPPLER_CHECK_VERSION(26, 6, 0)
+#define _POPPLER_GET_GRAY(color, gray) getGray(color, gray)
+#define _POPPLER_GET_RGB(color, rgb) getRGB(color, rgb)
+#define _POPPLER_GET_CMYK(color, cmyk) getCMYK(color, cmyk)
+#define _POPPLER_SET_FILL_COLOR(color) setFillColor(color)
+#define _POPPLER_SET_STROKE_COLOR(color) setStrokeColor(color)
+#define _POPPLER_GFX_STATE(h, v, Rect, rotateA, upsideDown) GfxState(h, v, Rect, rotateA, upsideDown)
+#else
+#define _POPPLER_GET_GRAY(color, gray) getGray(&color, gray)
+#define _POPPLER_GET_RGB(color, rgb) getRGB(&color, rgb)
+#define _POPPLER_GET_CMYK(color, cmyk) getCMYK(&color, cmyk)
+#define _POPPLER_SET_FILL_COLOR(color) setFillColor(&color)
+#define _POPPLER_SET_STROKE_COLOR(color) setStrokeColor(&color)
+#define _POPPLER_GFX_STATE(h, v, Rect, rotateA, upsideDown) GfxState(h, v, &Rect, rotateA, upsideDown)
+#endif
+
#if POPPLER_CHECK_VERSION(26, 2, 0)
#define _POPPLER_WMODE GfxFont::WritingMode
#define _POPPLER_WMODE_HORIZONTAL GfxFont::WritingMode::Horizontal
diff --git a/src/extension/internal/pdfinput/poppler-utils.cpp b/src/extension/internal/pdfinput/poppler-utils.cpp
index 2338dbe2d9..66dcf85e1d 100644
--- a/src/extension/internal/pdfinput/poppler-utils.cpp
+++ b/src/extension/internal/pdfinput/poppler-utils.cpp
@@ -196,15 +196,17 @@ void InkFontDict::hashFontObject1(const Object *obj, FNVHash *h)
hashFontObject1(&obj2, h);
}
break;
- case objDict:
- h->hash('d');
- n = obj->dictGetLength();
- h->hash((char *)&n, sizeof(int));
- for (i = 0; i < n; ++i) {
- p = obj->dictGetKey(i);
- h->hash(p, (int)strlen(p));
- const Object &obj2 = obj->dictGetValNF(i);
- hashFontObject1(&obj2, h);
+ case objDict: {
+ h->hash('d');
+ auto objdict = obj->getDict();
+ n = objdict->getLength();
+ h->hash((char *)&n, sizeof(int));
+ for (i = 0; i < n; ++i) {
+ auto p = std::string(objdict->getKey(i));
+ h->hash(p.c_str(), p.length());
+ const Object &obj2 = objdict->getValNF(i);
+ hashFontObject1(&obj2, h);
+ }
}
break;
case objStream:
diff --git a/src/extension/internal/pdfinput/svg-builder.cpp b/src/extension/internal/pdfinput/svg-builder.cpp
index 3dfdfbbed4..bf7ccf1a8b 100644
--- a/src/extension/internal/pdfinput/svg-builder.cpp
+++ b/src/extension/internal/pdfinput/svg-builder.cpp
@@ -392,7 +392,15 @@ static std::string svgConvertGfxRGB(GfxRGB *color)
return svgConvertRGBToText(r, g, b);
}
-std::string SvgBuilder::convertGfxColor(const GfxColor *color, GfxColorSpace *space)
+// for poppler < 26.06.0
+std::string SvgBuilder::convertGfxColor(const GfxColor *color, GfxColorSpace *space) {
+ if (!color) {
+ return "";
+ }
+ return convertGfxColor(*color, space);
+}
+
+std::string SvgBuilder::convertGfxColor(const GfxColor &color, GfxColorSpace *space)
{
std::string icc = "";
switch (space->getMode()) {
@@ -419,7 +427,7 @@ std::string SvgBuilder::convertGfxColor(const GfxColor *color, GfxColorSpace *sp
Inkscape::CSSOStringStream icc_color;
icc_color << rgb_color << " icc-color(" << icc;
for (int i = 0; i < space->getNComps(); ++i) {
- icc_color << ", " << colToDbl((*color).c[i]);
+ icc_color << ", " << colToDbl((color).c[i]);
}
icc_color << ");";
return icc_color.str();
@@ -1204,7 +1212,7 @@ gchar *SvgBuilder::_createGradient(GfxShading *shading, const Geom::Affine pat_m
/**
* \brief Adds a stop with the given properties to the gradient's representation
*/
-void SvgBuilder::_addStopToGradient(Inkscape::XML::Node *gradient, double offset, GfxColor *color, GfxColorSpace *space,
+void SvgBuilder::_addStopToGradient(Inkscape::XML::Node *gradient, double offset, GfxColor &color, GfxColorSpace *space,
double opacity)
{
Inkscape::XML::Node *stop = _xml_doc->createElement("svg:stop");
@@ -1255,8 +1263,8 @@ bool SvgBuilder::_addGradientStops(Inkscape::XML::Node *gradient, GfxShading *sh
if (!svgGetShadingColor(shading, 0.0, &stop1) || !svgGetShadingColor(shading, 1.0, &stop2)) {
return false;
} else {
- _addStopToGradient(gradient, 0.0, &stop1, space, 1.0);
- _addStopToGradient(gradient, 1.0, &stop2, space, 1.0);
+ _addStopToGradient(gradient, 0.0, stop1, space, 1.0);
+ _addStopToGradient(gradient, 1.0, stop2, space, 1.0);
}
} else if (type == _POPPLER_FUNCTION_TYPE_STITCHING) {
auto stitchingFunc = static_cast<_POPPLER_CONST StitchingFunction*>(func);
@@ -1269,7 +1277,7 @@ bool SvgBuilder::_addGradientStops(Inkscape::XML::Node *gradient, GfxShading *sh
// Add stops from all the stitched functions
GfxColor prev_color, color;
svgGetShadingColor(shading, bounds[0], &prev_color);
- _addStopToGradient(gradient, bounds[0], &prev_color, space, 1.0);
+ _addStopToGradient(gradient, bounds[0], prev_color, space, 1.0);
for ( int i = 0 ; i < num_funcs ; i++ ) {
svgGetShadingColor(shading, bounds[i + 1], &color);
// Add stops
@@ -1279,14 +1287,14 @@ bool SvgBuilder::_addGradientStops(Inkscape::XML::Node *gradient, GfxShading *sh
expE = (bounds[i + 1] - bounds[i])/expE; // approximate exponential as a single straight line at x=1
if (encode[2*i] == 0) { // normal sequence
auto offset = (bounds[i + 1] - expE) / max_bound;
- _addStopToGradient(gradient, offset, &prev_color, space, 1.0);
+ _addStopToGradient(gradient, offset, prev_color, space, 1.0);
} else { // reflected sequence
auto offset = (bounds[i] + expE) / max_bound;
- _addStopToGradient(gradient, offset, &color, space, 1.0);
+ _addStopToGradient(gradient, offset, color, space, 1.0);
}
}
}
- _addStopToGradient(gradient, bounds[i + 1] / max_bound, &color, space, 1.0);
+ _addStopToGradient(gradient, bounds[i + 1] / max_bound, color, space, 1.0);
prev_color = color;
}
} else { // Unsupported function type
diff --git a/src/extension/internal/pdfinput/svg-builder.h b/src/extension/internal/pdfinput/svg-builder.h
index c4b217f58e..348f3a2ce3 100644
--- a/src/extension/internal/pdfinput/svg-builder.h
+++ b/src/extension/internal/pdfinput/svg-builder.h
@@ -186,7 +186,7 @@ private:
// Pattern creation
gchar *_createPattern(GfxPattern *pattern, GfxState *state, bool is_stroke=false);
gchar *_createGradient(GfxShading *shading, const Geom::Affine pat_matrix, bool for_shading = false);
- void _addStopToGradient(Inkscape::XML::Node *gradient, double offset, GfxColor *color, GfxColorSpace *space,
+ void _addStopToGradient(Inkscape::XML::Node *gradient, double offset, GfxColor &color, GfxColorSpace *space,
double opacity);
bool _addGradientStops(Inkscape::XML::Node *gradient, GfxShading *shading,
_POPPLER_CONST Function *func);
@@ -239,6 +239,7 @@ private:
static bool _attrEqual(Inkscape::XML::Node *a, Inkscape::XML::Node *b, char const *attr);
// Colors
+ std::string convertGfxColor(const GfxColor &color, GfxColorSpace *space);
std::string convertGfxColor(const GfxColor *color, GfxColorSpace *space);
std::string _getColorProfile(cmsHPROFILE hp);

View file

@ -397,6 +397,34 @@ stdenv.mkDerivation (finalAttrs: {
# Don't detect Qt paths from qmake, so our patched-in onese are used
./dont-detect-qt-paths-from-qmake.patch
# Fix build with Poppler 26.02
(fetchpatch2 {
url = "https://gitlab.archlinux.org/archlinux/packaging/packages/libreoffice-still/-/raw/25.8.7-2/fix_build_with_poppler_26.02.0.patch";
hash = "sha256-IInhSoqTemDITB+AtkvVa9eGbodTbUGSpMMpC9N/mmg=";
})
# Fix build with Poppler 26.04
(fetchpatch2 {
url = "https://gitlab.archlinux.org/archlinux/packaging/packages/libreoffice-still/-/raw/25.8.7-2/fix_build_with_poppler_26.04.0.patch";
hash = "sha256-I9owj/NTCTi6ISszuasH410NLlhunPn/Ig22tenu8tw=";
})
# Fix build with Poppler 26.05
(fetchpatch2 {
url = "https://gitlab.archlinux.org/archlinux/packaging/packages/libreoffice-still/-/raw/25.8.7-2/fix_build_with_poppler_26.05.0.patch";
hash = "sha256-7wdiciTf/LrTk0MibBBYGliWRCvK1rtTGESgH7db1I4=";
})
# Fix build with Poppler 26.06
(fetchpatch2 {
url = "https://gitlab.archlinux.org/archlinux/packaging/packages/libreoffice-still/-/raw/25.8.7-3/fix_build_with_poppler_26.06.0.patch";
hash = "sha256-j66IsrzaqQ55MRVzhlw25guuoDtxx1D4XeJsBhgWP2c=";
})
]
++ lib.optionals (variant != "fresh") [
# Fix build with Poppler 26.01
(fetchpatch2 {
url = "https://gitlab.archlinux.org/archlinux/packaging/packages/libreoffice-still/-/raw/25.8.7-2/fix_build_with_poppler_26.01.0.patch";
hash = "sha256-5JTTvJFIV5MG0Gz7y46wAr3q9tWdSVoZ9TJQlMJVqBc=";
})
]
++ lib.optionals (variant != "collabora" && variant != "collabora-coda") [
# Revert part of https://github.com/LibreOffice/core/commit/6f60670877208612b5ea320b3677480ef6508abb that broke zlib linking

View file

@ -0,0 +1,36 @@
commit c4aab1ba6aadd6985fcd271679d2118f094ec876
Author: Emilio Cobos Álvarez <emilio@crisal.io>
Date: Tue Jun 9 22:04:44 2026 +0000
Bug 2046162 - Remove some redundant pub qualifiers. r=gfx-reviewers,aosmond
The enum is not public so this doesn't change behavior but a patch I'm
working on in cbindgen gets a bit confused with this.
Differential Revision: https://phabricator.services.mozilla.com/D305678
diff --git a/gfx/wr/webrender/src/texture_cache.rs b/gfx/wr/webrender/src/texture_cache.rs
index e14c26bd3190..77e1f3a312ac 100644
--- a/gfx/wr/webrender/src/texture_cache.rs
+++ b/gfx/wr/webrender/src/texture_cache.rs
@@ -273,9 +273,9 @@ enum BudgetType {
}
impl BudgetType {
- pub const COUNT: usize = 7;
+ const COUNT: usize = 7;
- pub const VALUES: [BudgetType; BudgetType::COUNT] = [
+ const VALUES: [BudgetType; BudgetType::COUNT] = [
BudgetType::SharedColor8Linear,
BudgetType::SharedColor8Nearest,
BudgetType::SharedColor8Glyphs,
@@ -285,7 +285,7 @@ impl BudgetType {
BudgetType::Standalone,
];
- pub const PRESSURE_COUNTERS: [usize; BudgetType::COUNT] = [
+ const PRESSURE_COUNTERS: [usize; BudgetType::COUNT] = [
profiler::ATLAS_COLOR8_LINEAR_PRESSURE,
profiler::ATLAS_COLOR8_NEAREST_PRESSURE,
profiler::ATLAS_COLOR8_GLYPHS_PRESSURE,

View file

@ -340,6 +340,11 @@ buildStdenv.mkDerivation {
# https://bugzilla.mozilla.org/show_bug.cgi?id=1985509
./140-bindgen-string-view.patch
]
++ lib.optionals (lib.versionAtLeast version "140" && lib.versionOlder version "140.13") [
# https://github.com/mozilla/cbindgen/issues/1165
# https://bugzilla.mozilla.org/show_bug.cgi?id=2046162
./153-cbindgen-0.29.4-compat.patch
]
++ extraPatches;
postPatch = ''

View file

@ -20,7 +20,7 @@ let
lib.concatStringsSep "\n\n" extraCertificateStrings
);
version = "3.123";
version = "3.125";
meta = {
homepage = "https://firefox-source-docs.mozilla.org/security/nss/runbooks/rootstore.html#root-store-consumers";
description = "Bundle of X.509 certificates of public Certificate Authorities (CA)";
@ -52,7 +52,7 @@ stdenv.mkDerivation {
"https://hg-edge.mozilla.org/projects/nss/raw-file/${tag}/${file}"
"https://raw.githubusercontent.com/nss-dev/nss/refs/tags/${tag}/${file}"
];
hash = "sha256-dxMO+RITdyhEVh+9OqMdQTslwqx/V2/qO8O7/375NIk=";
hash = "sha256-5XkSgI2u97Kw+k3yzPF+R66vJsg5o4+Fx2AD66/YZr0=";
};
unpackPhase = ''

View file

@ -16,11 +16,14 @@ lib.extendMkDerivation {
auditable ? true,
hash ? "",
cargoHash ? "",
passthru ? { },
...
}:
{
inherit auditable pname;
__structuredAttrs = true;
src = fetchFromGitHub {
owner = "rust-secure-code";
repo = "cargo-auditable";
@ -45,7 +48,9 @@ lib.extendMkDerivation {
installManPage cargo-auditable/cargo-auditable.1
'';
passthru.bootstrap = auditable-bootstrap;
passthru = passthru // {
bootstrap = auditable-bootstrap;
};
meta = {
description = "Tool to make production Rust binaries auditable";

View file

@ -2,6 +2,7 @@
buildPackages,
callPackage,
makeRustPlatform,
nix-update-script,
}:
let
# Need to use the build platform rustc and Cargo so that
@ -18,9 +19,9 @@ let
auditable-bootstrap = bootstrap;
};
version = "0.7.2";
hash = "sha256-hR6PjTOps8JSM7UbfGlCoZmmwtWExVqYwh4lxDiFWdc=";
cargoHash = "sha256-JEfnUJ9J6Xak3AOCwQCnu+v+3Wl3QbXX20qVFWB6040=";
version = "0.7.5";
hash = "sha256-0VONJCv/msLcGenItWMLJ7DH79RTD6vsU9gX/nphh1g=";
cargoHash = "sha256-/iAYib+xDQSJ8B559/V7b994ErSUGsPSDx64jFF5B6I=";
# cargo-auditable cannot be built with cargo-auditable until cargo-auditable is built
bootstrap = auditableBuilder {
@ -32,4 +33,5 @@ in
auditableBuilder {
inherit version hash cargoHash;
auditable = true;
passthru.updateScript = nix-update-script { };
}

View file

@ -50,11 +50,11 @@ stdenv.mkDerivation (finalAttrs: {
+ lib.optionalString isMinimalBuild "-minimal"
+ lib.optionalString cursesUI "-cursesUI"
+ lib.optionalString qt5UI "-qt5UI";
version = "4.1.2";
version = "4.1.6";
src = fetchurl {
url = "https://cmake.org/files/v${lib.versions.majorMinor finalAttrs.version}/cmake-${finalAttrs.version}.tar.gz";
hash = "sha256-ZD8EGCt7oyOrMfUm94UTT7ecujGIqFIgbvBHP+4oKhU=";
hash = "sha256-UTOEifT7rjWgpptZQW9RLcnHVxKXWaSHxHsz39IVUg4=";
};
patches = [

View file

@ -6,6 +6,8 @@
perl,
nixosTests,
autoreconfHook,
buildPackages,
runtimeShellPackage,
brotliSupport ? false,
brotli,
c-aresSupport ? false,
@ -82,6 +84,9 @@ assert
]) > 1
);
let
isCross = !lib.systems.equals stdenv.buildPlatform stdenv.hostPlatform;
in
stdenv.mkDerivation (finalAttrs: {
pname = "curl";
version = "8.20.0";
@ -248,7 +253,20 @@ stdenv.mkDerivation (finalAttrs: {
ln $out/lib/libcurl${stdenv.hostPlatform.extensions.sharedLibrary} $out/lib/libcurl-gnutls${stdenv.hostPlatform.extensions.sharedLibrary}
ln $out/lib/libcurl${stdenv.hostPlatform.extensions.sharedLibrary} $out/lib/libcurl-gnutls${stdenv.hostPlatform.extensions.sharedLibrary}.4
ln $out/lib/libcurl${stdenv.hostPlatform.extensions.sharedLibrary} $out/lib/libcurl-gnutls${stdenv.hostPlatform.extensions.sharedLibrary}.4.4.0
''
# The wcurl shell script found in `''${!outputBin}/bin`, is located in the
# source along with all the scripts patched in `postPatch` above.
# `patchShebangs` at that stage causes the host intended wcurl script to get
# the buildPlatform's runtimeShell shebang, instead of the hostPlatform's. To
# make sure this doesn't happen we disallow it, and fix it above in the
# postInstall, and also with the conditional hostPlatform's
# runtimeShellPackage added in buildInputs.
+ lib.optionalString isCross ''
patchShebangs --update --host "''${!outputBin}/bin"
'';
outputChecks.bin.disallowedReferences = lib.optional isCross buildPackages.runtimeShellPackage;
outputChecks.out.disallowedReferences = lib.optional isCross buildPackages.runtimeShellPackage;
buildInputs = lib.optional isCross runtimeShellPackage;
passthru =
let

View file

@ -18,7 +18,7 @@
# files.
let
version = "2.8.1";
version = "2.8.2";
tag = "R_${lib.replaceStrings [ "." ] [ "_" ] version}";
in
stdenv.mkDerivation (finalAttrs: {
@ -29,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: {
url =
with finalAttrs;
"https://github.com/libexpat/libexpat/releases/download/${tag}/${pname}-${version}.tar.xz";
hash = "sha256-ELGV7ngWCpCDiBgKj+NgPU6aEvR1X79fOBayOp11DaA=";
hash = "sha256-OtibhYjmZEvU5JmBSA1IshKJ7rvNTwoaSvscKfmbarQ=";
};
strictDeps = true;

View file

@ -5,7 +5,6 @@
# Build time
fetchurl,
fetchpatch,
pkg-config,
perl,
texinfo,
@ -68,11 +67,11 @@ in
stdenv.mkDerivation (finalAttrs: {
inherit pname;
version = "17.1";
version = "17.2";
src = fetchurl {
url = "mirror://gnu/gdb/gdb-${finalAttrs.version}.tar.xz";
hash = "sha256-FJlvX3TJ9o9aVD/cRbyngAIH+R+SrupsLnkYIsfG2HY=";
hash = "sha256-HANsDXLks9H7XJTIhjKt1vnXb018TS6nk8EqnxmjIow=";
};
postPatch =
@ -90,17 +89,6 @@ stdenv.mkDerivation (finalAttrs: {
patches = [
./debug-info-from-env.patch
(fetchurl {
name = "musl.patch";
url = "https://inbox.sourceware.org/gdb-patches/20260324164527.1446549-2-sunilkumar.dora@windriver.com/raw";
hash = "sha256-FC4DDVS4wtE/HXtbUqvkxu9+e7nE3DYi1zIuQP9yQO8=";
})
(fetchpatch {
name = "musl-aarch64.patch";
url = "https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=1ccc3f6a2e28fa1f3357826374cba165b3ba3ff7";
hash = "sha256-Q2oTo2b+9yNN3PSsxqgxV4/9/05uFE/JMLe1CPs9Y7I=";
})
]
++ optionals stdenv.hostPlatform.isDarwin [
./darwin-target-match.patch

View file

@ -0,0 +1,85 @@
diff --git a/src/xattrs.c b/src/xattrs.c
index 86a7e59cbc..c872ae308d 100644
--- a/src/xattrs.c
+++ b/src/xattrs.c
@@ -139,13 +139,13 @@
#ifdef HAVE_POSIX_ACLS
/* acl-at wrappers, TODO: move to gnulib in future? */
-static acl_t acl_get_file_at (int, const char *, acl_type_t);
-static int acl_set_file_at (int, const char *, acl_type_t, acl_t);
+static acl_t tar_acl_get_file_at (int, const char *, acl_type_t);
+static int tar_acl_set_file_at (int, const char *, acl_type_t, acl_t);
static int file_has_acl_at (int, char const *, struct stat const *);
-static int acl_delete_def_file_at (int, char const *);
+static int tar_acl_delete_def_file_at (int, char const *);
-/* acl_get_file_at */
-#define AT_FUNC_NAME acl_get_file_at
+/* tar_acl_get_file_at */
+#define AT_FUNC_NAME tar_acl_get_file_at
#define AT_FUNC_RESULT acl_t
#define AT_FUNC_FAIL (acl_t)NULL
#define AT_FUNC_F1 acl_get_file
@@ -159,8 +159,8 @@
#undef AT_FUNC_POST_FILE_PARAM_DECLS
#undef AT_FUNC_POST_FILE_ARGS
-/* acl_set_file_at */
-#define AT_FUNC_NAME acl_set_file_at
+/* tar_acl_set_file_at */
+#define AT_FUNC_NAME tar_acl_set_file_at
#define AT_FUNC_F1 acl_set_file
#define AT_FUNC_POST_FILE_PARAM_DECLS , acl_type_t type, acl_t acl
#define AT_FUNC_POST_FILE_ARGS , type, acl
@@ -170,8 +170,8 @@
#undef AT_FUNC_POST_FILE_PARAM_DECLS
#undef AT_FUNC_POST_FILE_ARGS
-/* acl_delete_def_file_at */
-#define AT_FUNC_NAME acl_delete_def_file_at
+/* tar_acl_delete_def_file_at */
+#define AT_FUNC_NAME tar_acl_delete_def_file_at
#define AT_FUNC_F1 acl_delete_def_file
#define AT_FUNC_POST_FILE_PARAM_DECLS
#define AT_FUNC_POST_FILE_ARGS
@@ -299,10 +299,10 @@
/* No "default" IEEE 1003.1e ACL set for directory. At this moment,
FILE_NAME may already have inherited default acls from parent
directory; clean them up. */
- if (acl_delete_def_file_at (chdir_fd, file_name))
+ if (tar_acl_delete_def_file_at (chdir_fd, file_name))
WARNOPT (WARN_XATTR_WRITE,
(0, errno,
- _("acl_delete_def_file_at: Cannot drop default POSIX ACLs "
+ _("tar_acl_delete_def_file_at: Cannot drop default POSIX ACLs "
"for file '%s'"),
file_name));
return;
@@ -316,11 +316,11 @@
return;
}
- if (acl_set_file_at (chdir_fd, file_name, type, acl) == -1)
+ if (tar_acl_set_file_at (chdir_fd, file_name, type, acl) == -1)
/* warn even if filesystem does not support acls */
WARNOPT (WARN_XATTR_WRITE,
(0, errno,
- _ ("acl_set_file_at: Cannot set POSIX ACLs for file '%s'"),
+ _ ("tar_acl_set_file_at: Cannot set POSIX ACLs for file '%s'"),
file_name));
acl_free (acl);
@@ -357,10 +357,10 @@
char *val = NULL;
acl_t acl;
- if (!(acl = acl_get_file_at (parentfd, file_name, type)))
+ if (!(acl = tar_acl_get_file_at (parentfd, file_name, type)))
{
if (errno != ENOTSUP)
- call_arg_warn ("acl_get_file_at", file_name);
+ call_arg_warn ("tar_acl_get_file_at", file_name);
return;
}

View file

@ -24,9 +24,17 @@ stdenv.mkDerivation (finalAttrs: {
sha256 = "sha256-TWL/NzQux67XSFNTI5MMfPlKz3HDWRiCsmp+pQ8+3BY=";
};
# GNU tar fails to link libiconv even though the configure script detects it.
# https://savannah.gnu.org/bugs/index.php?64441
patches = [ ./link-libiconv.patch ];
patches = [
# GNU tar fails to link libiconv even though the configure script detects it.
# https://savannah.gnu.org/bugs/index.php?64441
./link-libiconv.patch
# acl 2.4.0 adds functions that have name conflicts with internal
# (`static`) functions from GNU tar. we prefix `tar_` to these names to
# avoid this, matching the approach from
# https://lists.gnu.org/archive/html/bug-tar/2026-06/msg00013.html
./acl-2.4.0-name-conflicts.patch
];
# gnutar tries to call into gettext between `fork` and `exec`,
# which is not safe on darwin.

View file

@ -88,13 +88,13 @@ in
stdenv.mkDerivation (finalAttrs: {
pname = "imagemagick";
version = "7.1.2-24";
version = "7.1.2-27";
src = fetchFromGitHub {
owner = "ImageMagick";
repo = "ImageMagick";
tag = finalAttrs.version;
hash = "sha256-oSH0dsQ3cuFNYJIIr6LHbv82FbFxxcmkjQ5csTNsYCA=";
hash = "sha256-QCC2CO2zkhwlEWymwF739uSNuS7QCqqGIJnF/LtYzVc=";
};
outputs = [
@ -206,7 +206,7 @@ stdenv.mkDerivation (finalAttrs: {
meta = {
homepage = "http://www.imagemagick.org/";
changelog = "https://github.com/ImageMagick/Website/blob/main/ChangeLog.md";
changelog = "https://github.com/ImageMagick/Website/blob/main/docs/changelog/index.md";
description = "Software suite to create, edit, compose, or convert bitmap images";
pkgConfigModules = [
"ImageMagick"

View file

@ -1,49 +0,0 @@
From e47e56d226519635768e6aab2f38f0ab037c09e5 Mon Sep 17 00:00:00 2001
From: itchyny <itchyny@cybozu.co.jp>
Date: Thu, 12 Mar 2026 20:28:43 +0900
Subject: [PATCH] Fix heap buffer overflow in `jvp_string_append` and
`jvp_string_copy_replace_bad`
In `jvp_string_append`, the allocation size `(currlen + len) * 2` could
overflow `uint32_t` when `currlen + len` exceeds `INT_MAX`, causing a small
allocation followed by a large `memcpy`.
In `jvp_string_copy_replace_bad`, the output buffer size calculation
`length * 3 + 1` could overflow `uint32_t`, again resulting in a small
allocation followed by a large write.
Add overflow checks to both functions to return an error for strings
that would exceed `INT_MAX` in length. Fixes CVE-2026-32316.
---
src/jv.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/jv.c b/src/jv.c
index 722a539391..2a62b48419 100644
--- a/src/jv.c
+++ b/src/jv.c
@@ -1114,7 +1114,12 @@ static jv jvp_string_copy_replace_bad(const char* data, uint32_t length) {
const char* end = data + length;
const char* i = data;
- uint32_t maxlength = length * 3 + 1; // worst case: all bad bytes, each becomes a 3-byte U+FFFD
+ // worst case: all bad bytes, each becomes a 3-byte U+FFFD
+ uint64_t maxlength = (uint64_t)length * 3 + 1;
+ if (maxlength >= INT_MAX) {
+ return jv_invalid_with_msg(jv_string("String too long"));
+ }
+
jvp_string* s = jvp_string_alloc(maxlength);
char* out = s->data;
int c = 0;
@@ -1174,6 +1179,10 @@ static uint32_t jvp_string_remaining_space(jvp_string* s) {
static jv jvp_string_append(jv string, const char* data, uint32_t len) {
jvp_string* s = jvp_string_ptr(string);
uint32_t currlen = jvp_string_length(s);
+ if ((uint64_t)currlen + len >= INT_MAX) {
+ jv_free(string);
+ return jv_invalid_with_msg(jv_string("String too long"));
+ }
if (jvp_refcnt_unshared(string.u.ptr) &&
jvp_string_remaining_space(s) >= len) {

View file

@ -1,66 +0,0 @@
From fb59f1491058d58bdc3e8dd28f1773d1ac690a1f Mon Sep 17 00:00:00 2001
From: itchyny <itchyny@cybozu.co.jp>
Date: Mon, 13 Apr 2026 11:23:40 +0900
Subject: [PATCH] Limit path depth to prevent stack overflow
Deeply nested path arrays can cause unbounded recursion in
`jv_setpath`, `jv_getpath`, and `jv_delpaths`, leading to
stack overflow. Add a depth limit of 10000 to match the
existing `tojson` depth limit. This fixes CVE-2026-33947.
---
src/jv_aux.c | 21 +++++++++++++++++++++
2 files changed, 46 insertions(+)
diff --git a/src/jv_aux.c b/src/jv_aux.c
index 018f380b10..fd5ff96684 100644
--- a/src/jv_aux.c
+++ b/src/jv_aux.c
@@ -365,6 +365,10 @@ static jv jv_dels(jv t, jv keys) {
return t;
}
+#ifndef MAX_PATH_DEPTH
+#define MAX_PATH_DEPTH (10000)
+#endif
+
jv jv_setpath(jv root, jv path, jv value) {
if (jv_get_kind(path) != JV_KIND_ARRAY) {
jv_free(value);
@@ -372,6 +376,12 @@ jv jv_setpath(jv root, jv path, jv value) {
jv_free(path);
return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
}
+ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
+ jv_free(value);
+ jv_free(root);
+ jv_free(path);
+ return jv_invalid_with_msg(jv_string("Path too deep"));
+ }
if (!jv_is_valid(root)){
jv_free(value);
jv_free(path);
@@ -424,6 +434,11 @@ jv jv_getpath(jv root, jv path) {
jv_free(path);
return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
}
+ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
+ jv_free(root);
+ jv_free(path);
+ return jv_invalid_with_msg(jv_string("Path too deep"));
+ }
if (!jv_is_valid(root)) {
jv_free(path);
return root;
@@ -502,6 +517,12 @@ jv jv_delpaths(jv object, jv paths) {
jv_free(elem);
return err;
}
+ if (jv_array_length(jv_copy(elem)) > MAX_PATH_DEPTH) {
+ jv_free(object);
+ jv_free(paths);
+ jv_free(elem);
+ return jv_invalid_with_msg(jv_string("Path too deep"));
+ }
jv_free(elem);
}
if (jv_array_length(jv_copy(paths)) == 0) {

View file

@ -1,45 +0,0 @@
From 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b Mon Sep 17 00:00:00 2001
From: itchyny <itchyny@cybozu.co.jp>
Date: Mon, 13 Apr 2026 08:46:11 +0900
Subject: [PATCH] Fix NUL truncation in the JSON parser
This fixes CVE-2026-33948.
---
src/util.c | 8 +-------
tests/shtest | 6 ++++++
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/util.c b/src/util.c
index fdfdb96d88..80d65fc808 100644
--- a/src/util.c
+++ b/src/util.c
@@ -312,13 +312,7 @@ static int jq_util_input_read_more(jq_util_input_state *state) {
if (p != NULL)
state->current_line++;
- if (p == NULL && state->parser != NULL) {
- /*
- * There should be no NULs in JSON texts (but JSON text
- * sequences are another story).
- */
- state->buf_valid_len = strlen(state->buf);
- } else if (p == NULL && feof(state->current_input)) {
+ if (p == NULL && feof(state->current_input)) {
size_t i;
/*
diff --git a/tests/shtest b/tests/shtest
index cb88745277..370f7b7c69 100755
--- a/tests/shtest
+++ b/tests/shtest
@@ -880,4 +880,10 @@ $JQ -nf $d/prog.jq 2> $d/out && {
}
diff $d/out $d/expected
+# CVE-2026-33948: No NUL truncation in the JSON parser
+if printf '{}\x00{}' | $JQ >/dev/null 2> /dev/null; then
+ printf 'Error expected but jq exited successfully\n' 1>&2
+ exit 1
+fi
+
exit 0

View file

@ -1,27 +0,0 @@
From 2f09060afab23fe9390cce7cb860b10416e1bf5f Mon Sep 17 00:00:00 2001
From: itchyny <itchyny@cybozu.co.jp>
Date: Mon, 13 Apr 2026 11:04:52 +0900
Subject: [PATCH] Fix out-of-bounds read in jv_parse_sized()
This fixes CVE-2026-39979.
Co-authored-by: Mattias Wadman <mattias.wadman@gmail.com>
---
src/jv_parse.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/jv_parse.c b/src/jv_parse.c
index aa2054cc09..56847b5eaa 100644
--- a/src/jv_parse.c
+++ b/src/jv_parse.c
@@ -893,8 +893,9 @@ jv jv_parse_sized_custom_flags(const char* string, int length, int flags) {
if (!jv_is_valid(value) && jv_invalid_has_msg(jv_copy(value))) {
jv msg = jv_invalid_get_msg(value);
- value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%s')",
+ value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%.*s')",
jv_string_value(msg),
+ length,
string));
jv_free(msg);
}

View file

@ -1,87 +0,0 @@
From 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 Mon Sep 17 00:00:00 2001
From: itchyny <itchyny@cybozu.co.jp>
Date: Mon, 13 Apr 2026 08:53:26 +0900
Subject: [PATCH] Randomize hash seed to mitigate hash collision DoS attacks
The hash function used a fixed seed, allowing attackers to craft colliding keys
and cause O(n^2) object parsing performance. Initialize the seed from a random
source at process startup to prevent the attack. This fixes CVE-2026-40164.
Co-authored-by: Asaf Meizner <asafmeizner@gmail.com>
---
configure.ac | 2 ++
src/jv.c | 34 ++++++++++++++++++++++++++++++++--
2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 5dac42655a..f7067a4341 100644
--- a/configure.ac
+++ b/configure.ac
@@ -149,6 +149,8 @@ AC_CHECK_MEMBER([struct tm.tm_gmtoff], [AC_DEFINE([HAVE_TM_TM_GMT_OFF],1,[Define
AC_CHECK_MEMBER([struct tm.__tm_gmtoff], [AC_DEFINE([HAVE_TM___TM_GMT_OFF],1,[Define to 1 if the system has the __tm_gmt_off field in struct tm])],
[], [[#include <time.h>]])
AC_FIND_FUNC([setlocale], [c], [#include <locale.h>], [0,0])
+AC_FIND_FUNC([arc4random], [c], [#include <stdlib.h>], [])
+AC_FIND_FUNC([getentropy], [c], [#include <unistd.h>], [0, 0])
dnl Figure out if we have the pthread functions we actually need
AC_FIND_FUNC_NO_LIBS([pthread_key_create], [], [#include <pthread.h>], [NULL, NULL])
diff --git a/src/jv.c b/src/jv.c
index 2a62b48419..607ac174f7 100644
--- a/src/jv.c
+++ b/src/jv.c
@@ -40,6 +40,10 @@
#include <limits.h>
#include <math.h>
#include <float.h>
+#include <time.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <pthread.h>
#include "jv_alloc.h"
#include "jv.h"
@@ -1206,7 +1210,33 @@ static jv jvp_string_append(jv string, const char* data, uint32_t len) {
}
}
-static const uint32_t HASH_SEED = 0x432A9843;
+static uint32_t hash_seed;
+static pthread_once_t hash_seed_once = PTHREAD_ONCE_INIT;
+
+static void jvp_hash_seed_init(void) {
+ uint32_t seed;
+#if defined(HAVE_ARC4RANDOM)
+ seed = arc4random();
+#elif defined(HAVE_GETENTROPY)
+ if (getentropy(&seed, sizeof(seed)) != 0)
+ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL);
+#else
+ int fd = open("/dev/urandom", O_RDONLY);
+ if (fd >= 0) {
+ if (read(fd, &seed, sizeof(seed)) != 4)
+ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL);
+ close(fd);
+ } else {
+ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL);
+ }
+#endif
+ hash_seed = seed;
+}
+
+static uint32_t jvp_hash_seed(void) {
+ pthread_once(&hash_seed_once, jvp_hash_seed_init);
+ return hash_seed;
+}
static uint32_t rotl32 (uint32_t x, int8_t r){
return (x << r) | (x >> (32 - r));
@@ -1225,7 +1255,7 @@ static uint32_t jvp_string_hash(jv jstr) {
int len = (int)jvp_string_length(str);
const int nblocks = len / 4;
- uint32_t h1 = HASH_SEED;
+ uint32_t h1 = jvp_hash_seed();
const uint32_t c1 = 0xcc9e2d51;
const uint32_t c2 = 0x1b873593;

View file

@ -1,31 +0,0 @@
From 63e9449a8142ce30c83fcd7e9396e5de9843774e Mon Sep 17 00:00:00 2001
From: Alyssa Ross <hi@alyssa.is>
Date: Thu, 3 Jul 2025 11:00:13 +0200
Subject: [PATCH] jq.test: drop non-portable %F test
%F is a non-portable GNU extension, not supported by all strptime
implementations (for example musl's).
Link: https://github.com/jqlang/jq/pull/3365
---
tests/jq.test | 4 ----
1 file changed, 4 deletions(-)
diff --git a/tests/jq.test b/tests/jq.test
index 4ecf72f..6bfb6f8 100644
--- a/tests/jq.test
+++ b/tests/jq.test
@@ -1848,10 +1848,6 @@ try ["OK", strflocaltime({})] catch ["KO", .]
"2015-03-05T23:51:47Z"
[[2015,2,5,23,51,47,4,63],1425599507]
-[strptime("%FT%T")|(.,mktime)]
-"2025-06-07T08:09:10"
-[[2025,5,7,8,9,10,6,157],1749283750]
-
# Check day-of-week and day of year computations
# (should trip an assert if this fails)
last(range(365 * 67)|("1970-03-01T01:02:03Z"|strptime("%Y-%m-%dT%H:%M:%SZ")|mktime) + (86400 * .)|strftime("%Y-%m-%dT%H:%M:%SZ")|strptime("%Y-%m-%dT%H:%M:%SZ"))
--
2.49.0

View file

@ -14,12 +14,12 @@
stdenv.mkDerivation (finalAttrs: {
pname = "jq";
version = "1.8.1";
version = "1.8.2";
# Note: do not use fetchpatch or fetchFromGitHub to keep this package available in __bootPackages
src = fetchurl {
url = "https://github.com/jqlang/jq/releases/download/jq-${finalAttrs.version}/jq-${finalAttrs.version}.tar.gz";
hash = "sha256-K+ZOcSnOyxHVkGKQ66EK9pT7nj5/n8IIoxHcM8qDfrA=";
hash = "sha256-cbjW6PX+gfbG0NEQ44kiUfbOdu0JWr0xXibm4Rk6868=";
};
outputs = [
@ -30,15 +30,7 @@ stdenv.mkDerivation (finalAttrs: {
"out"
];
patches = [
./musl.patch
./CVE-2026-32316.patch
./CVE-2026-33947.patch
./CVE-2026-33948.patch
./CVE-2026-39979.patch
./CVE-2026-40164.patch
]
++ lib.optionals stdenv.hostPlatform.is32bit [
patches = lib.optionals stdenv.hostPlatform.is32bit [
# needed because epoch conversion test here is right at the end of 32 bit integer space
# See also: https://github.com/jqlang/jq/blob/859a8073ee8a21f2133154eea7c2bd5e0d60837f/tests/optional.test#L15-L18
# "-D_TIME_BITS=64 -D_FILE_OFFSET_BITS=64" would be preferrable, but breaks with dynamic linking,

View file

@ -0,0 +1,33 @@
From 2a5fd83d4436583f2ddc0e193269a4d800ee45c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebasti=C3=A1n=20Alba?= <sebasjosue84@gmail.com>
Date: Wed, 8 Apr 2026 18:32:25 -0400
Subject: [PATCH] Prevent read overrun in libkdb_ldap
In berval2tl_data(), reject inputs of length less than 2 to prevent an
integer underflow and subsequent read overrun. (The security impact
is negligible as the attacker would have to control the KDB LDAP
server.)
[ghudson@mit.edu: wrote commit message]
ticket: 9206 (new)
tags: pullup
target_version: 1.22-next
---
plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 418d253d17..9aa68bacd7 100644
--- a/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -80,6 +80,9 @@ getstringtime(krb5_timestamp);
krb5_error_code
berval2tl_data(struct berval *in, krb5_tl_data **out)
{
+ if (in->bv_len < 2)
+ return EINVAL;
+
*out = (krb5_tl_data *) malloc (sizeof (krb5_tl_data));
if (*out == NULL)
return ENOMEM;

View file

@ -44,6 +44,8 @@ stdenv.mkDerivation (finalAttrs: {
};
patches = [
# https://github.com/krb5/krb5/pull/1505
./CVE-2026-11850.patch
# https://github.com/krb5/krb5/pull/1506
./CVE-2026-40355-and-CVE-2026-40356.patch
]

View file

@ -11,11 +11,11 @@
stdenv.mkDerivation (finalAttrs: {
pname = "ldns";
version = "1.9.0";
version = "1.9.2";
src = fetchurl {
url = "https://www.nlnetlabs.nl/downloads/ldns/ldns-${finalAttrs.version}.tar.gz";
sha256 = "sha256-q67tKFj76oSk65gz4Z59IzgMwPPZtlSLlivkInb/3LM=";
sha256 = "sha256-tST6IZlLboNCAM64wn8bhL2lmC/jVwbwWBlsB525TV0=";
};
postPatch = ''

View file

@ -23,7 +23,7 @@
stdenv.mkDerivation (finalAttrs: {
pname = "libadwaita";
version = "1.9.1";
version = "1.9.2";
outputs = [
"out"
@ -37,7 +37,7 @@ stdenv.mkDerivation (finalAttrs: {
owner = "GNOME";
repo = "libadwaita";
tag = finalAttrs.version;
hash = "sha256-Oy3WcsymNbbmAacm5hEOrorI1wKXjSp063mh4jCJRAE=";
hash = "sha256-XKKjnZz4CII6w9fKFptPK3aTNa5eMfyE7rcerbgaDco=";
};
depsBuildBuild = [

View file

@ -32,13 +32,13 @@
assert xarSupport -> libxml2 != null;
stdenv.mkDerivation (finalAttrs: {
pname = "libarchive";
version = "3.8.7";
version = "3.8.8";
src = fetchFromGitHub {
owner = "libarchive";
repo = "libarchive";
rev = "v${finalAttrs.version}";
hash = "sha256-LpD+lE+0PZi/3nYDVPXhBQL9A7mvqelOzRLskVtg9Y0=";
hash = "sha256-l8xh+z6lP7VnxMIf9tfoSByerjwN6Z4dE3JNA9zS3LM=";
};
outputs = [

View file

@ -24,7 +24,7 @@
stdenv.mkDerivation (finalAttrs: {
pname = "libheif";
version = "1.23.0";
version = "1.23.1";
outputs = [
"bin"
@ -38,7 +38,7 @@ stdenv.mkDerivation (finalAttrs: {
owner = "strukturag";
repo = "libheif";
rev = "v${finalAttrs.version}";
hash = "sha256-+LbYwDSxixy4TaraUCN2LiCnn32dkMppCA8EOFXbvtg=";
hash = "sha256-o+gQCv/lpRx+IaqpjHACh8ysgl/N4Mo/9zbAI/cnWas=";
};
nativeBuildInputs = [

View file

@ -8,11 +8,11 @@
stdenv.mkDerivation (finalAttrs: {
pname = "libidn";
version = "1.43";
version = "1.44";
src = fetchurl {
url = "mirror://gnu/libidn/libidn-${finalAttrs.version}.tar.gz";
sha256 = "sha256-vcZiwS0EGyU50OY486bnQRMM2zOmRO80lpY6RDSC0WQ=";
sha256 = "sha256-SZYIurOmVlCg6lKIjBOo3uvj9xQI4xms2exS4C6xOVk=";
};
outputs = [
@ -30,6 +30,7 @@ stdenv.mkDerivation (finalAttrs: {
passthru.tests.pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
meta = {
changelog = "https://codeberg.org/libidn/libidn/src/tag/v${finalAttrs.version}/NEWS";
homepage = "https://www.gnu.org/software/libidn/";
description = "Library for internationalized domain names";

View file

@ -50,7 +50,7 @@
stdenv.mkDerivation (finalAttrs: {
pname = "librsvg";
version = "2.62.1";
version = "2.62.3";
outputs = [
"out"
@ -62,13 +62,13 @@ stdenv.mkDerivation (finalAttrs: {
src = fetchurl {
url = "mirror://gnome/sources/librsvg/${lib.versions.majorMinor finalAttrs.version}/librsvg-${finalAttrs.version}.tar.xz";
hash = "sha256-tByoQgYkL93YJqK/djSNfN9SwQUMv6BguGboGiUhRcM=";
hash = "sha256-frRJsnIqdoAhNW9m3+4yAsIptU7U5qcM5AwJDpf/FvI=";
};
cargoDeps = rustPlatform.fetchCargoVendor {
inherit (finalAttrs) src;
name = "librsvg-deps-${finalAttrs.version}";
hash = "sha256-Px7H2Z4ShCCuZNskuKj427lE9dvIc6xRo8R1S4fK+ZQ=";
hash = "sha256-9ubfIl9R2BdcAWn7i050KBbb4cMdlakvrKdnjpZCQjA=";
dontConfigure = true;
};

View file

@ -26,6 +26,31 @@ stdenv.mkDerivation (finalAttrs: {
patches = [
# https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1
./CVE-2026-7598.patch
(fetchurl {
name = "CVE-2025-15661.patch";
url = "https://salsa.debian.org/debian/libssh2/-/raw/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/CVE-2025-15661.patch";
hash = "sha256-Rz6i/881CbObUDcZbcPlgVPaKizSp6ZRTdmJNJ9HLHE=";
})
(fetchurl {
name = "CVE-2026-55199.patch";
url = "https://salsa.debian.org/debian/libssh2/-/raw/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/CVE-2026-55199.patch";
hash = "sha256-AFZa5kohha62aE0if5ckmAdJ0TZNcjfP32yDznoEhNo=";
})
(fetchurl {
name = "CVE-2026-55200.patch";
url = "https://salsa.debian.org/debian/libssh2/-/raw/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/CVE-2026-55200.patch";
hash = "sha256-wCAglr8BsBWIhnh3SiFeyKzZmIp8rC5MVfFgoEzp/hE=";
})
# necessary for the fix for CVE-2026-15661
(fetchurl {
name = "libssh-unconst-backport.patch";
url = "https://salsa.debian.org/debian/libssh2/-/raw/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/libssh-unconst-backport.patch";
hash = "sha256-jc01Fb70GbaD9+RYeSjRaLFBtKLiMPTMuXas21aC0Ag=";
})
];
# this could be accomplished by updateAutotoolsGnuConfigScriptsHook, but that causes infinite recursion

View file

@ -0,0 +1,17 @@
https://github.com/stefanberger/libtpms/pull/588
diff --git a/src/tpm2/AlgorithmTests.c b/src/tpm2/AlgorithmTests.c
index eca917d0..8cbc749b 100644
--- a/src/tpm2/AlgorithmTests.c
+++ b/src/tpm2/AlgorithmTests.c
@@ -197,8 +197,8 @@ TestSMAC(
//*** MakeIv()
// Internal function to make the appropriate IV depending on the mode.
static UINT32 MakeIv(TPM_ALG_ID mode, // IN: symmetric mode
- UINT32 size, // IN: block size of the algorithm
- BYTE* iv // OUT: IV to fill in
+ UINT32 size, // IN: block size of the algorithm
+ volatile BYTE* iv // OUT: IV to fill in; 'volatile' for gcc15
)
{
BYTE i;

View file

@ -19,6 +19,8 @@ stdenv.mkDerivation (finalAttrs: {
sha256 = "sha256-UhEpq5f/FT5DmtzQBe/Si414mOq+D4glikgRNK60GKQ=";
};
patches = [ ./0001-fix-march-x86-64-v4.patch ];
hardeningDisable = [ "strictflexarrays3" ];
nativeBuildInputs = [

View file

@ -12,7 +12,7 @@
}:
stdenv.mkDerivation (finalAttrs: {
pname = "libxi";
version = "1.8.2";
version = "1.8.3";
outputs = [
"out"
@ -23,7 +23,7 @@ stdenv.mkDerivation (finalAttrs: {
src = fetchurl {
url = "mirror://xorg/individual/lib/libXi-${finalAttrs.version}.tar.xz";
hash = "sha256-0OBVXlPW4hFOq/pEImuhYtJwhQGiXhjZnPs1wJTGwQQ=";
hash = "sha256-etYAVvAa9PeGz+k7OncHRHcRYm/I2iY3vscakECbq+U=";
};
strictDeps = true;

View file

@ -3,6 +3,7 @@
stdenv,
buildPackages,
fetchFromGitHub,
fetchpatch,
flex,
db4,
gettext,
@ -33,18 +34,25 @@
stdenv.mkDerivation (finalAttrs: {
pname = "linux-pam";
version = "1.7.1";
version = "1.7.2";
src = fetchFromGitHub {
owner = "linux-pam";
repo = "linux-pam";
tag = "v${finalAttrs.version}";
hash = "sha256-kANcwxifQz2tYPSrSBSFiYNTm51Gr10L/zroCqm8ZHQ=";
hash = "sha256-V3XQqolinh+MqUefMDYJF9zP4fBJTHc7YKN+NEGjx1g=";
};
__structuredAttrs = true;
patches = [
(fetchpatch {
name = "secure-opendir-fix-error-handling.patch";
url = "https://github.com/linux-pam/linux-pam/commit/dd62bac17221911106de165607c6925ea54b18d1.patch?full_index=1";
hash = "sha256-ddgDYdVfdXfTaMFV1hO3RJX9w1NHmE7yi3PxsHOdpvY=";
})
];
# patching unix_chkpwd is required as the nix store entry does not have the necessary bits
postPatch = ''
substituteInPlace modules/module-meson.build \
@ -104,6 +112,7 @@ stdenv.mkDerivation (finalAttrs: {
(lib.mesonEnable "nis" false)
(lib.mesonBool "xtests" false)
(lib.mesonBool "examples" false)
(lib.mesonOption "vendordir" "${placeholder "out"}/etc")
]
# warning: slower execution due to debug makes VM tests fail!
++ lib.optional debugMode (lib.mesonBool "pam-debug" true);

View file

@ -11,13 +11,13 @@
stdenv.mkDerivation (finalAttrs: {
pname = "llhttp";
version = "9.4.1";
version = "9.4.2";
src = fetchFromGitHub {
owner = "nodejs";
repo = "llhttp";
tag = "release/v${finalAttrs.version}";
hash = "sha256-eQoOsJ3lIIGSIfC4atkbUqCAYzCzs5kzTihYaI4jqz0=";
hash = "sha256-LS8HS8CnXJ3X8WlIvtxBLc0h1wLL/HmTqZWHlvBjTEo=";
};
outputs = [

View file

@ -26,16 +26,14 @@ stdenv.mkDerivation (finalAttrs: {
cmakeFlags = [
(lib.cmakeBool "BUILD_SHARED_LIBS" (!static))
(lib.cmakeBool "MERVE_TESTING" finalAttrs.finalPackage.doCheck)
(lib.cmakeBool "MERVE_USE_SIMDUTF" true)
];
]
++ lib.optional (simdutf != null) (lib.cmakeBool "MERVE_USE_SIMDUTF" true);
nativeBuildInputs = [
cmake
validatePkgConfig
];
buildInputs = [
simdutf
];
buildInputs = lib.optional (simdutf != null) simdutf;
checkInputs = [
gtest
];

View file

@ -2,31 +2,21 @@
lib,
python3Packages,
fetchFromGitHub,
fetchpatch,
versionCheckHook,
}:
python3Packages.buildPythonApplication rec {
pname = "motioneye";
version = "0.43.1";
version = "0.44.0";
pyproject = true;
src = fetchFromGitHub {
owner = "motioneye-project";
repo = "motioneye";
tag = version;
hash = "sha256-ckOgYmOP5irjNutcC3FMZPBexn/CldG0UtFZ+tPYNJ4=";
hash = "sha256-4sXttSSkmMgsoZb7PXEXXh8KNORTSmqq4lYp3JBDmPo=";
};
patches = [
# fix pytest
# https://github.com/motioneye-project/motioneye/pull/3271
(fetchpatch {
url = "https://github.com/motioneye-project/motioneye/commit/41c0727e2872af1b758743c41b529e76dcac6f84.patch";
hash = "sha256-0zDveoAN1T0SuCob0U/9GEGTh7pj2CXH/j4YrjO0VE0=";
includes = [ "conftest.py" ];
})
];
build-system = with python3Packages; [
setuptools
];
@ -38,16 +28,24 @@ python3Packages.buildPythonApplication rec {
pillow
pycurl
tornado
argon2-cffi
];
nativeCheckInputs = with python3Packages; [
pytestCheckHook
];
nativeInstallCheckInputs = [
versionCheckHook
];
pythonImportsCheck = [
"motioneye"
];
versionCheckProgram = "${placeholder "out"}/bin/meyectl";
versionCheckProgramArg = "-v";
meta = {
description = "Web frontend for the motion daemon";
homepage = "https://github.com/motioneye-project/motioneye";

View file

@ -90,7 +90,7 @@ in
stdenv.mkDerivation (finalAttrs: {
pname = "pipewire";
version = "1.6.5";
version = "1.6.6";
outputs = [
"out"
@ -106,7 +106,7 @@ stdenv.mkDerivation (finalAttrs: {
owner = "pipewire";
repo = "pipewire";
tag = finalAttrs.version;
hash = "sha256-ui5VTbSiobHmPUHW4jLguoeMWaKT4f2eTqdo3ZGgvNI=";
hash = "sha256-pyZozhJomFT4QkJv/NKkXpbknmVxjv8hCxZV6RcIHmE=";
};
patches = [

View file

@ -37,7 +37,7 @@ stdenv.mkDerivation (finalAttrs: {
hash = "sha256-vYjPgvplPaMjFPsikTZAfFyQ+A0XWNj0sJF2eHfY+pY=";
};
patches = lib.optionals (stdenv.hostPlatform.isDarwin) [
patches = [
# Fixes test failure on darwin
(fetchpatch {
url = "https://github.com/RsyncProject/rsync/commit/e1c5f0e93a75dd45f32f3b92ba221ef158ac2e5f.patch";

View file

@ -14,16 +14,16 @@
rustPlatform.buildRustPackage (finalAttrs: {
pname = "rust-cbindgen";
version = "0.29.3";
version = "0.29.4";
src = fetchFromGitHub {
owner = "mozilla";
repo = "cbindgen";
rev = "v${finalAttrs.version}";
hash = "sha256-d0rY7Sk37s8HEZlQq9Sbjj1P+DgygD0Yjx8cXlFKEIA=";
hash = "sha256-leeHOwpzXuzg2cTjXehBnCsS+dvU4eIIFtWKeCee20U=";
};
cargoHash = "sha256-UeierkQpfCiB5ES9ZW9hO+0AcI9Ip8qSJ/Nd+I1xrmQ=";
cargoHash = "sha256-f6YoDoiVoh0BVPYHFO1FsdI4OCsF+LY72QaD57StdIQ=";
nativeCheckInputs = [
cmake

View file

@ -3,6 +3,7 @@
cairo,
cmake,
cups,
fetchpatch,
fetchurl,
fontconfig,
freetype,
@ -39,11 +40,11 @@
stdenv.mkDerivation (finalAttrs: {
pname = "scribus";
version = "1.7.2";
version = "1.7.3";
src = fetchurl {
url = "mirror://sourceforge/scribus/scribus-devel/scribus-${finalAttrs.version}.tar.xz";
hash = "sha256-nY4RzGusLNlsVTnvvXGSIv9/cOHBhZcogNn7MFHhONA=";
hash = "sha256-iC7lXKRJfALE4F8wrMaJ6h9IXC6AI8nrKT9RwsW+Bq0=";
};
nativeBuildInputs = [
@ -96,6 +97,32 @@ stdenv.mkDerivation (finalAttrs: {
cmakeFlags = [ (lib.cmakeBool "WANT_GRAPHICSMAGICK" true) ];
patches = [
(fetchpatch {
name = "fix-build-with-poppler-26.05.0.patch";
url = "https://github.com/scribusproject/scribus/commit/14a287fc1db2a44abfe1743260554447b31b4adf.patch";
hash = "sha256-bhxnyL5zWVCjkfkW67CPykLW/uqDP+n3djnRKGMyhjw=";
})
(fetchpatch {
# required for the next patch to apply cleanly
url = "https://github.com/scribusproject/scribus/commit/3aed8aa40d01d1affd2b55b107b48878d4b06eab.patch";
includes = [ "scribus/plugins/import/pdf/importpdf.cpp" ];
hash = "sha256-tiGXGW8CnG0Tj5YaimngelvNvO3CCSa5eXc3bSKJD54=";
})
(fetchpatch {
name = "fix-build-with-poppler-26.06.0.patch";
url = "https://github.com/scribusproject/scribus/commit/2b9405a00a96a09e0183190ddc9f83d44963d4e0.patch";
hash = "sha256-4v+Ba+JODwNg4YLmwpFeBfIxk1j+RcZdtznPFeQ+H+w=";
})
];
postPatch = ''
# revert non-whitespace changes made by the second patch, i.e.,
# https://github.com/scribusproject/scribus/commit/3aed8aa40d01d1affd2b55b107b48878d4b06eab
substituteInPlace scribus/plugins/import/pdf/importpdf.cpp \
--replace-fail 'QSizeF()' '"Custom"'
'';
preFixup = ''
qtWrapperArgs+=(
--prefix XDG_DATA_DIRS : "${gsettings-desktop-schemas}/share/gsettings-schemas/${gsettings-desktop-schemas.name}"

View file

@ -11,11 +11,11 @@
stdenv.mkDerivation rec {
pname = "socat";
version = "1.8.1.1";
version = "1.8.1.3";
src = fetchurl {
url = "http://www.dest-unreach.org/socat/download/socat-${version}.tar.bz2";
hash = "sha256-Xrxja39CcFP5iAZpZSFlOmFMfgZGSRA1PL9U4jJ63Bs=";
hash = "sha256-JbxkdikrLmFCIJicd7C2/Kh7slJdl0ezGmY5sftgJBg=";
};
postPatch = ''

View file

@ -43,11 +43,11 @@ let
in
stdenv.mkDerivation (finalAttrs: {
pname = "util-linux" + lib.optionalString isMinimal "-minimal";
version = "2.42";
version = "2.42.2";
src = fetchurl {
url = "mirror://kernel/linux/utils/util-linux/v${lib.versions.majorMinor finalAttrs.version}/util-linux-${finalAttrs.version}.tar.xz";
hash = "sha256-NFKyYLuqd11udJrDuyIRF4UAP8H0RJcAJcjaJt+nWOk=";
hash = "sha256-A6BdOt+WAu8Sjy2gW4SzIFzmDDUeVzfANw90AAZ5zoo=";
};
# Note: fetchpatch/fetchpatch2 cause infinite recursion with util-linuxMinimal.
@ -57,38 +57,6 @@ stdenv.mkDerivation (finalAttrs: {
# which isn't valid on NixOS (and a compatibility link on most other modern
# distros anyway).
./rtcwake-search-PATH-for-shutdown.patch
# Fix compile of 2.42+ on Darwin.
# https://lore.kernel.org/util-linux/CAEUYr6ZjVX1bd-xcBGtFN_ZYwQnXDYsw7d1-7sTpF2BbgfrR+g@mail.gmail.com/T/#u
# Different fix than originally proposed; we just don't compile that file on Darwin now and the previous patch was able to be reverted.
# See: https://github.com/util-linux/util-linux/commit/6ccf20d2fd8e45eed70bd1b915c0d16f646bf133
(fetchurl {
name = "pidfd-utils-linux-only.patch";
url = "https://github.com/util-linux/util-linux/commit/afdade4a3d8e4e6070343c5576470c575719b81f.patch";
hash = "sha256-EnHsIhU6jaS4Qm+kQMP2an7Ay08nKbIO0MbU7Y2pwkU=";
})
# Musl does not define AT_HANDLE_FID, hard-code it if left undefined.
# https://github.com/util-linux/util-linux/pull/4203
(fetchurl {
name = "fix-musl-nsenter.patch";
url = "https://github.com/util-linux/util-linux/commit/000aff333e5c3a23967280cb0d6451fbbfc9c91b.patch";
hash = "sha256-6K3jRr2RsAfHnweBOlMn2F0h8hD3xjZobJ1pSlCQHw8=";
})
# `script` is broken with options after non-option args and has new memory leaks
# https://lore.kernel.org/util-linux/adi3573O-5gr9m2q@per.namespace.at/T/#t
# https://github.com/util-linux/util-linux/pull/4201
(fetchurl {
name = "script-fix-backwards-compat.patch";
url = "https://github.com/util-linux/util-linux/commit/70507ab9eaed10b8dd77b77d4ea25c11ee726bed.patch";
hash = "sha256-PpFtv8XOK36npCVSvdgKcxGQmkJtgdyMmlN+4yQuWS8=";
})
(fetchurl {
name = "script-fix-memory-leaks.patch";
url = "https://github.com/util-linux/util-linux/commit/2f1c12a49500ca7ed9c3d5e80664c1622925456b.patch";
hash = "sha256-9ZwA6sZwM1rQDoxV5x1KHLWxsFpI5CGWJqubtdEHj/I=";
})
];
# We separate some of the utilities into their own outputs. This

View file

@ -1,50 +0,0 @@
From ee1b8479cff97ca7e5ed4d51d6aa24ccb47deb8b Mon Sep 17 00:00:00 2001
From: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
Date: Sat, 21 Mar 2026 18:34:50 -0400
Subject: [PATCH] gh-146264: Use static HACL deps for static module builds
---
.../next/Build/2026-03-21-18-51-31.gh-issue-146264.Q9Ej4m.rst | 3 +++
configure | 2 +-
configure.ac | 2 +-
3 files changed, 5 insertions(+), 2 deletions(-)
create mode 100644 Misc/NEWS.d/next/Build/2026-03-21-18-51-31.gh-issue-146264.Q9Ej4m.rst
diff --git a/Misc/NEWS.d/next/Build/2026-03-21-18-51-31.gh-issue-146264.Q9Ej4m.rst b/Misc/NEWS.d/next/Build/2026-03-21-18-51-31.gh-issue-146264.Q9Ej4m.rst
new file mode 100644
index 00000000000..1fdafe56043
--- /dev/null
+++ b/Misc/NEWS.d/next/Build/2026-03-21-18-51-31.gh-issue-146264.Q9Ej4m.rst
@@ -0,0 +1,3 @@
+Fix static module builds on non-WASI targets by linking HACL dependencies as
+static libraries when ``MODULE_BUILDTYPE=static``, preventing duplicate
+``_Py_LibHacl_*`` symbol errors at link time.
diff --git a/configure b/configure
index 23f24d51c79..db5c861f601 100755
--- a/configure
+++ b/configure
@@ -33009,7 +33009,7 @@ fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for HACL* library linking type" >&5
printf %s "checking for HACL* library linking type... " >&6; }
-if test "$ac_sys_system" = "WASI"; then
+if test "$ac_sys_system" = "WASI" || test "$MODULE_BUILDTYPE" = "static"; then
LIBHACL_LDEPS_LIBTYPE=STATIC
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: static" >&5
printf "%s\n" "static" >&6; }
diff --git a/configure.ac b/configure.ac
index 635fce3f2e6..59166d63e63 100644
--- a/configure.ac
+++ b/configure.ac
@@ -8171,7 +8171,7 @@ AC_SUBST([LIBHACL_BLAKE2_SIMD256_OBJS])
# HACL*-based cryptographic primitives
AC_MSG_CHECKING([for HACL* library linking type])
-if test "$ac_sys_system" = "WASI"; then
+if test "$ac_sys_system" = "WASI" || test "$MODULE_BUILDTYPE" = "static"; then
LIBHACL_LDEPS_LIBTYPE=STATIC
AC_MSG_RESULT([static])
else
--
2.53.0

View file

@ -133,7 +133,6 @@ let
getLib
optionals
optionalString
replaceStrings
;
withLibxcrypt =
@ -428,15 +427,6 @@ stdenv.mkDerivation (finalAttrs: {
# backport fix for https://github.com/python/cpython/issues/95855
./platform-triplet-detection.patch
]
++ optionals (pythonAtLeast "3.14" && pythonOlder "3.15") [
# https://github.com/python/cpython/issues/146264
# https://github.com/python/cpython/pull/146265
./3.14/hacl-static-ldeps-for-static-modules.patch
]
++ optionals (version == "3.13.10" || version == "3.14.1") [
# https://github.com/python/cpython/issues/142218
./${lib.versions.majorMinor version}/gh-142218.patch
]
++ optionals (stdenv.hostPlatform.isMinGW) (
let
# https://src.fedoraproject.org/rpms/mingw-python3

View file

@ -20,10 +20,10 @@
sourceVersion = {
major = "3";
minor = "13";
patch = "13";
patch = "14";
suffix = "";
};
hash = "sha256-Krkf9AF4PMymT3XRDIgulXvf1g4r9acvhCF5Nym3inE=";
hash = "sha256-Y55DJDxiCjCPloIT354A8vj2IzL3rbqnp+65eDBXxpA=";
};
};
@ -79,10 +79,10 @@
sourceVersion = {
major = "3";
minor = "14";
patch = "4";
patch = "6";
suffix = "";
};
hash = "sha256-2SPFEwPjjiSRNvwb3zVo1W7LAyFO/e9IUWF209f6rvg=";
hash = "sha256-FDsd3e+uw70uIeO4ObNKK3+5hCJyiDxXZCDWBenzDGM=";
inherit passthruFun;
};

View file

@ -48,6 +48,8 @@ let
optionalString
removePrefix
stringLength
all
seq
;
leftPadName =
@ -263,10 +265,10 @@ lib.extendMkDerivation {
checkDrv =
attrName: drv:
if (isPythonModule drv) && (isMismatchedPython drv) then throwMismatch attrName drv else drv;
if isPythonModule drv && isMismatchedPython drv then throwMismatch attrName drv else true;
in
attrName: map (checkDrv attrName);
attrName: inputs: seq (all (checkDrv attrName) inputs) inputs;
isBootstrapInstallPackage = isBootstrapInstallPackage' (finalAttrs.pname or null);

View file

@ -13,11 +13,11 @@
stdenv.mkDerivation rec {
pname = "acl";
version = "2.3.2";
version = "2.4.0";
src = fetchurl {
url = "mirror://savannah/acl/acl-${version}.tar.gz";
hash = "sha256-XyvbrWKXB6p9hcYj+ZSqih0t7FWnPeUgW6wL9gWKL3w=";
hash = "sha256-c8hTw9ROH2k+WpaphvG9GdPQ2sLH1FPnlhd3dLxOX2o=";
};
outputs = [

View file

@ -12,11 +12,11 @@
stdenv.mkDerivation rec {
pname = "attr";
version = "2.5.2";
version = "2.6.0";
src = fetchurl {
url = "mirror://savannah/attr/attr-${version}.tar.gz";
sha256 = "sha256-Ob9nRS+kHQlIwhl2AQU/SLPXigKTiXNDMqYwmmgMbIc=";
hash = "sha256-1C+jdFExgLtIyxGkZpb0iCQOUST/HmrYiwq/9waYVhI=";
};
outputs = [
@ -29,11 +29,6 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ gettext ];
# tools/attr.c: Add missing libgen.h include for basename(3)
# Fixes compilation issue with musl and modern C99 compilers.
# See: https://bugs.gentoo.org/926294
patches = [ ./musl.patch ];
postPatch = ''
for script in install-sh include/install-sh; do
patchShebangs $script

View file

@ -1,27 +0,0 @@
From 8a80d895dfd779373363c3a4b62ecce5a549efb2 Mon Sep 17 00:00:00 2001
From: "Haelwenn (lanodan) Monnier" <contact@hacktivis.me>
Date: Sat, 30 Mar 2024 10:17:10 +0100
Subject: tools/attr.c: Add missing libgen.h include for basename(3)
Fixes compilation issue with musl and modern C99 compilers.
See: https://bugs.gentoo.org/926294
---
tools/attr.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/attr.c b/tools/attr.c
index f12e4af..6a3c1e9 100644
--- a/tools/attr.c
+++ b/tools/attr.c
@@ -28,6 +28,7 @@
#include <errno.h>
#include <string.h>
#include <locale.h>
+#include <libgen.h>
#include <attr/attributes.h>
--
cgit v1.1

View file

@ -30,8 +30,8 @@ let
hash = "sha256-DjmW5LeI9OJmPeIh61znAns4+kolxwKguEvKawgxy8I=";
};
v8 = {
version = "8.1.1";
hash = "sha256-WPGfjTZjsgpR5QiANRWF4g6LF2ejGzFQUrLjhzw9cfQ=";
version = "8.1.2";
hash = "sha256-wJ3c8VVo/tK84K7bKYs/UWcln4mSO+tf/w5NLNjKhiI=";
};
in

View file

@ -61,6 +61,13 @@ let
tag = "v${packages.libxml2.version}";
hash = "sha256-fDntZDyITs223by8n7ueOXiO7yyzshtANoWbY0+yeqo=";
};
extraPatches = [
(fetchpatch {
name = "CVE-2026-11979.patch";
url = "https://gitlab.gnome.org/GNOME/libxml2/-/commit/c2e233fc1b341685fc99621b2768b503f777a72e.patch";
hash = "sha256-s7hnAW7r4fbb95WnFHhUMZbMJzTynV7umKIqc7Kdp/Q=";
})
];
extraMeta = {
maintainers = with lib.maintainers; [
jtojnar

View file

@ -506,8 +506,8 @@ in
};
openssl_3_6 = common {
version = "3.6.2";
hash = "sha256-qvUaH+BkOE+BHa6utOxNznNA7IvYkwJ+7mdq8x6DoE8=";
version = "3.6.3";
hash = "sha256-JDqGZJz28j7rai/yRW4J5dd92QGKVNPZawxr3Wumx/E=";
patches = [
# Support for NIX_SSL_CERT_FILE, motivation:

View file

@ -55,13 +55,13 @@ let
domain = "gitlab.freedesktop.org";
owner = "poppler";
repo = "test";
rev = "9d5011815a14c157ba25bb160187842fb81579a5";
hash = "sha256-sA5f235IJpzzzHqpwHM3zCZC2Yh0ztA6PZa84j/6tfY=";
rev = "f0068e9c530017ad811d1f28b95f9b7f59264e37";
hash = "sha256-Xf8duSh0r1o09b5BKB7mBvzrMfXYlzTuTOuK2ZCeItc=";
};
in
stdenv.mkDerivation (finalAttrs: {
pname = "poppler-${suffix}";
version = "25.10.0"; # beware: updates often break cups-filters build, check scribus too!
version = "26.06.0"; # beware: updates often break cups-filters build, check scribus too!
outputs = [
"out"
@ -70,7 +70,7 @@ stdenv.mkDerivation (finalAttrs: {
src = fetchurl {
url = "https://poppler.freedesktop.org/poppler-${finalAttrs.version}.tar.xz";
hash = "sha256-a16btk2rsVeHoU2xZ1KRx6+vk4dDjMk6T7f2rsTub+A=";
hash = "sha256-TLTlo9yMte7HUciiPIuhn2H5be3AzQfSruawyOLPa6Q=";
};
nativeBuildInputs = [
@ -129,18 +129,22 @@ stdenv.mkDerivation (finalAttrs: {
(mkFlag qt5Support "QT5")
(mkFlag qt6Support "QT6")
(mkFlag gpgmeSupport "GPGME")
]
++ lib.optionals finalAttrs.finalPackage.doCheck [
"-DTESTDATADIR=${testData}"
];
disallowedReferences = lib.optional finalAttrs.finalPackage.doCheck testData;
dontWrapQtApps = true;
# Workaround #54606
preConfigure = lib.optionalString stdenv.hostPlatform.isDarwin ''
sed -i -e '1i cmake_policy(SET CMP0025 NEW)' CMakeLists.txt
'';
preConfigure =
lib.optionalString finalAttrs.finalPackage.doCheck ''
# The test data directory needs to be writable during the test phase.
mkdir -p $TMPDIR/testdata
cp -r --no-preserve=mode ${testData}/* $TMPDIR/testdata
cmakeFlagsArray+=(-DTESTDATADIR=$TMPDIR/testdata)
''
+ lib.optionalString stdenv.hostPlatform.isDarwin ''
# Workaround #54606
sed -i -e '1i cmake_policy(SET CMP0025 NEW)' CMakeLists.txt
'';
# Work around gpgme trying to write to $HOME during qt5 and qt6 tests:
preCheck = lib.optionalString gpgmeSupport ''

View file

@ -5,22 +5,25 @@
fetchFromGitHub,
pytest-asyncio,
pytestCheckHook,
setuptools,
typing-extensions,
}:
buildPythonPackage rec {
version = "3.11.0";
buildPythonPackage (finalAttrs: {
version = "3.11.1";
pname = "asgiref";
format = "setuptools";
pyproject = true;
src = fetchFromGitHub {
owner = "django";
repo = "asgiref";
tag = version;
hash = "sha256-2ZaUIWGF5cQVNj95b7WiKGsn2wYsoJmJ/CfPhIEZdjc=";
tag = finalAttrs.version;
hash = "sha256-Mhnaowgv5a+O2hN0ZSdtdhCBQx8HoKSwtRC3gHodgKY=";
};
propagatedBuildInputs = [ typing-extensions ];
build-system = [ setuptools ];
dependencies = [ typing-extensions ];
nativeCheckInputs = [
pytestCheckHook
@ -34,10 +37,10 @@ buildPythonPackage rec {
pythonImportsCheck = [ "asgiref" ];
meta = {
changelog = "https://github.com/django/asgiref/blob/${src.tag}/CHANGELOG.txt";
changelog = "https://github.com/django/asgiref/blob/${finalAttrs.src.tag}/CHANGELOG.txt";
description = "Reference ASGI adapters and channel layers";
homepage = "https://github.com/django/asgiref";
license = lib.licenses.bsd3;
maintainers = [ ];
maintainers = with lib.maintainers; [ miniharinn ];
};
}
})

View file

@ -8,14 +8,14 @@
buildPythonPackage rec {
pname = "idna";
version = "3.13";
version = "3.15";
pyproject = true;
src = fetchFromGitHub {
owner = "kjd";
repo = "idna";
tag = "v${version}";
hash = "sha256-D72KUEwiFA/LdU/xE3sN+Abc6NpAsIlGSdB07V1nk68=";
hash = "sha256-z3Nd834inihGzquCAmejUQvRcM0Yn/VmMcWQP3oh4ak=";
};
build-system = [ flit-core ];

View file

@ -16,14 +16,14 @@
buildPythonPackage rec {
pname = "joserfc";
version = "1.6.1";
version = "1.6.9";
pyproject = true;
src = fetchFromGitHub {
owner = "authlib";
repo = "joserfc";
tag = version;
hash = "sha256-druh7ybcQBjTxUFMVLUwknw/aa/fyrUdS4ftS/ftYeA=";
hash = "sha256-Ge1r34GVmpJ9h5GtRkPd0mkV7HuLf7D31ikuPAnpkuY=";
};
build-system = [ setuptools ];

View file

@ -8,14 +8,14 @@
buildPythonPackage rec {
pname = "mistune";
version = "3.2.1";
version = "3.3.2";
pyproject = true;
src = fetchFromGitHub {
owner = "lepture";
repo = "mistune";
tag = "v${version}";
hash = "sha256-8AEEh/SWAk/Esq0jAoZGLw1FIQUw6C5Xq8CgnI2fjv0=";
hash = "sha256-uyOJFtDvVn0Y3VypphOXsSW3pX5XVCcfQ7dtFiL/5qY=";
};
build-system = [ setuptools ];

View file

@ -13,8 +13,10 @@
types-psutil,
types-setuptools,
# propagates
# nativeBuildInputs + propagates
librt,
# propagates
mypy-extensions,
tomli,
typing-extensions,
@ -50,6 +52,10 @@ buildPythonPackage rec {
rev-prefix = "v";
};
nativeBuildInputs = [
librt
];
build-system = [
mypy-extensions
pathspec

View file

@ -42,14 +42,14 @@
buildPythonPackage rec {
pname = "pillow";
version = "12.2.0";
version = "12.3.0";
pyproject = true;
src = fetchFromGitHub {
owner = "python-pillow";
repo = "pillow";
tag = version;
hash = "sha256-7w6FbZLTAoUMvLtSPvafk3wSRv8TrkAAfgZ/dfu3HpA=";
hash = "sha256-kmUlgR+f75Y8DAKKPdEbchLLgg0m95oyVP53WTQni88=";
};
build-system = [

View file

@ -17,7 +17,7 @@
buildPythonPackage rec {
pname = "pygobject";
version = "3.56.2";
version = "3.56.3";
outputs = [
"out"
@ -28,7 +28,7 @@ buildPythonPackage rec {
src = fetchurl {
url = "mirror://gnome/sources/pygobject/${lib.versions.majorMinor version}/pygobject-${version}.tar.gz";
hash = "sha256-uBYJiWlUQIHenuztuUrWrFnHfk1XH+cFHxi+vOwHQxM=";
hash = "sha256-EnYOSg49BLbrleBveifjYsgm1WfqYTNzqSwAO2xw0tY=";
};
depsBuildBuild = [ pkg-config ];

View file

@ -18,16 +18,16 @@
urllib3,
}:
buildPythonPackage rec {
buildPythonPackage (finalAttrs: {
pname = "tornado";
version = "6.5.4";
version = "6.5.7";
pyproject = true;
src = fetchFromGitHub {
owner = "tornadoweb";
repo = "tornado";
tag = "v${version}";
hash = "sha256-d6lKg8yrQqaCeKxdPjQNzv7Nc23U/v8d5x3sE3trRM4=";
tag = "v${finalAttrs.version}";
hash = "sha256-iE0Tf95zmPoZJhw7FDLzTmv8HaWds3ZU5xzZSMvxFH4=";
};
build-system = [ setuptools ];
@ -63,9 +63,10 @@ buildPythonPackage rec {
};
meta = {
changelog = "https://www.tornadoweb.org/en/stable/releases/${finalAttrs.src.tag}.html";
description = "Web framework and asynchronous networking library";
homepage = "https://www.tornadoweb.org/";
license = lib.licenses.asl20;
maintainers = [ ];
};
}
})

View file

@ -144,7 +144,7 @@ let
);
useSharedNBytes = lib.versionAtLeast version (if majorVersion == 24 then "24.14.0" else "25.5");
useSharedLief = lib.versionAtLeast version "25.6";
useSharedMerve = lib.versionAtLeast version (if majorVersion == 24 then "24.14.0" else "25.6.1");
useSharedMerve = lib.versionAtLeast version (if majorVersion == "24" then "24.14.0" else "25.6.1");
useSharedSQLite = lib.versionAtLeast version "22.5";
useSharedTemporal = majorVersion == "26";
useSharedZstd = lib.versionAtLeast version "22.15";
@ -190,7 +190,8 @@ let
inherit nbytes;
})
// (lib.optionalAttrs useSharedMerve {
inherit merve;
# Merve cannot be built with simdutf_6, and upstream also disables simdutf support on the 24.x branch
merve = if majorVersion == "24" then (merve.override { simdutf = null; }) else merve;
})
// (lib.optionalAttrs useSharedZstd {
inherit zstd;
@ -347,9 +348,7 @@ let
dontDisableStatic = true;
configureScript = writeScript "nodejs-configure" ''
exec ${python.executable} configure.py "$@"
'';
configureScript = "${python.interpreter} configure.py";
# In order to support unsupported cross configurations, we copy some intermediate executables
# from a native build and replace all the build-system tools with a script which simply touches
@ -518,12 +517,6 @@ let
"test-tick-processor-arguments"
"test-set-raw-mode-reset-signal"
]
# Apple SDK update broke something related to those tests, so skipping them for now
++ lib.optionals (majorVersion == "24" && stdenv.hostPlatform.isDarwin) [
"test-worker-track-unmanaged-fds"
"test-esm-import-meta-main-eval"
"test-worker-debug"
]
# These network/fetch/inspector tests fail on riscv64
++ lib.optionals (majorVersion == "24" && stdenv.hostPlatform.isRiscV64) [
"test-fetch"
@ -683,6 +676,9 @@ let
done
'';
# reduces build time from ~90 to ~15 minutes on hydra
requiredSystemFeatures = [ "big-parallel" ];
passthru.tests = {
version = testers.testVersion {
package = self;

View file

@ -9,10 +9,16 @@
}:
let
buildNodejs = callPackage ./nodejs.nix {
inherit openssl;
python = python3;
};
buildNodejs = callPackage ./nodejs.nix (
{
inherit openssl;
python = python3;
}
// lib.optionalAttrs stdenv.hostPlatform.isDarwin {
# libcxx21 makes FD tracking unreliable on Darwin. Pinning to libcxx20:
stdenv = buildPackages.llvmPackages_20.libcxxStdenv;
}
);
gypPatches =
if stdenv.buildPlatform.isDarwin then
@ -23,8 +29,8 @@ let
[ ];
in
buildNodejs {
version = "24.16.0";
sha256 = "2ff84a6de70b6165290111b0fc656ded1ad207a799816fe720cc7c31232df30f";
version = "24.18.0";
sha256 = "e94afde24db08e0c564ee7110a2d5aab51ee0059382c9fd8233c54eec47b28f9";
patches =
(
if (stdenv.hostPlatform.emulatorAvailable buildPackages) then
@ -56,13 +62,6 @@ buildNodejs {
./use-correct-env-in-tests.patch
./bin-sh-node-run-v22.patch
./use-nix-codesign.patch
# Patch for nghttp2 1.69 support
(fetchpatch2 {
url = "https://github.com/nodejs/node/commit/4a32c00fb8dbe55c3bcf9ef43343968c9fe449e6.diff?full_index=1";
hash = "sha256-pex8ruwa4b/vWvfGA+nyN3JJP8NOturmwAQe4Rkd6nU=";
excludes = [ "tools/nix/*" ];
})
]
++ gypPatches
++ lib.optionals (!stdenv.buildPlatform.isDarwin) [

View file

@ -1,6 +1,7 @@
{
mkKdeDerivation,
lib,
fetchpatch,
boost,
eigen,
gsl,
@ -26,6 +27,14 @@
mkKdeDerivation {
pname = "calligra";
patches = [
# Fix build with Poppler 26.04
(fetchpatch {
url = "https://invent.kde.org/office/calligra/-/commit/e9aae90db47ca87d639b8f2b17ec75c1b6093e27.patch";
hash = "sha256-V21Bw0xV/E4a9v8Yrt0vZ3AU1LJFHul1k92u+nsp85I=";
})
];
extraBuildInputs = [
boost
eigen

View file

@ -78,5 +78,4 @@ bash.runCommand "${pname}-${version}"
# Install
make -j $NIX_BUILD_CORES install-strip
rm $out/bin/{egrep,fgrep}
''

View file

@ -0,0 +1,52 @@
From 4e6f8b24ab823146ab8776f0b7fe486ab34d4269 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Thu, 16 Apr 2026 12:11:44 -0700
Subject: gzexe: use -C if lacking mktemp
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
(Problem reported by Michał Majchrowicz.)
* gzexe.in: If mktemp is needed but not installed,
use set -C to avoid a race when creating a temporary file.
* zdiff.in: Use the same pattern here, even though the old
code was probably OK anyway.
---
gzexe.in | 1 +
zdiff.in | 7 +++----
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/gzexe.in b/gzexe.in
index ea4ef94..f3d46cc 100644
--- a/gzexe.in
+++ b/gzexe.in
@@ -127,6 +127,7 @@ for i do
tmp=`mktemp "${dir}gzexeXXXXXXXXX"`
else
tmp=${dir}gzexe$$
+ (umask 77; set -C; > "$tmp")
fi && { cp -p "$file" "$tmp" 2>/dev/null || cp "$file" "$tmp"; } || {
res=$?
printf >&2 '%s\n' "$0: cannot copy $file"
diff --git a/zdiff.in b/zdiff.in
index 289e466..53266df 100644
--- a/zdiff.in
+++ b/zdiff.in
@@ -156,12 +156,11 @@ case $file2 in
*) TMPDIR=/tmp/;;
esac
if command -v mktemp >/dev/null 2>&1; then
- tmp=`mktemp "${TMPDIR}zdiffXXXXXXXXX"` ||
- exit 2
+ tmp=`mktemp "${TMPDIR}zdiffXXXXXXXXX"`
else
- set -C
tmp=${TMPDIR}zdiff$$
- fi
+ (umask 77; set -C; > "$tmp")
+ fi &&
'gzip' -cdfq -- "$file2" > "$tmp" || exit 2
gzip_status=$(
exec 4>&1
--
cgit v1.2.3

View file

@ -0,0 +1,35 @@
From 63dbf6b3b9e6e781df1a6a64e609b10e23969681 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Wed, 15 Apr 2026 12:00:17 -0700
Subject: gzip: dont mishandle .lzh after .Z
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Problem reported by Michał Majchrowicz.
* unlzh.c (read_c_len): Clear left and right when n == 0.
---
unlzh.c | 6 ++++++
1 file changed, 6 insertions(+)
(limited to 'unlzh.c')
diff --git a/unlzh.c b/unlzh.c
index 3320196..a6cf109 100644
--- a/unlzh.c
+++ b/unlzh.c
@@ -232,6 +232,12 @@ read_c_len ()
c = getbits(CBIT);
for (i = 0; i < NC; i++) c_len[i] = 0;
for (i = 0; i < 4096; i++) c_table[i] = c;
+
+ /* Needed in case LEFT and RIGHT are reused from a previous
+ LZW decompression. It may be overkill to clear all of both
+ arrays, but nobody has had time to analyze this carefully. */
+ memzero(left, (2 * NC - 1) * sizeof *left);
+ memzero(right, (2 * NC - 1) * sizeof *left);
} else {
i = 0;
while (i < n) {
--
cgit v1.3

View file

@ -25,6 +25,11 @@ stdenv.mkDerivation (finalAttrs: {
hash = "sha256-Aae4gb0iC/32Ffl7hxj4C9/T9q3ThbmT3Pbv0U6MCsY=";
};
patches = [
./CVE-2026-41991.patch
./CVE-2026-41992.patch
];
outputs = [
"out"
"man"

View file

@ -73,14 +73,6 @@ mkMesonDerivation (finalAttrs: {
echo $PWD | grep tests/functional
'';
# Test contains invocation of `script` broken by util-linux regression:
# https://github.com/util-linux/util-linux/commit/70507ab9eaed10b8dd77b77d4ea25c11ee726bed
preCheck =
assert util-linux.version == "2.42";
''
echo "exit 77" > ../json.sh
'';
mesonCheckFlags = [
"--print-errorlogs"
];

View file

@ -8,11 +8,11 @@
stdenv.mkDerivation rec {
pname = "gnused";
version = "4.9";
version = "4.10";
src = fetchurl {
url = "mirror://gnu/sed/sed-${version}.tar.xz";
sha256 = "sha256-biJrcy4c1zlGStaGK9Ghq6QteYKSLaelNRljHSSXUYE=";
sha256 = "sha256-uOchgrLslqNXTimYxHt6qmTMIM4ADY6awxPMB87PKMc=";
};
outputs = [