diff --git a/pkgs/applications/graphics/inkscape/default.nix b/pkgs/applications/graphics/inkscape/default.nix index 7a5b12418a12..ccea323f700b 100644 --- a/pkgs/applications/graphics/inkscape/default.nix +++ b/pkgs/applications/graphics/inkscape/default.nix @@ -103,6 +103,14 @@ stdenv.mkDerivation (finalAttrs: { # Fix path to ps2pdf binary inherit ghostscript; }) + # https://gitlab.com/inkscape/inkscape/-/merge_requests/7919 + (fetchpatch { + name = "fix-build-poppler-26.05.0"; + url = "https://gitlab.com/inkscape/inkscape/-/commit/98828255aa0c1212329236b3ff4ac7f41efb4a67.patch"; + hash = "sha256-ujUl0SxZyb/TyJRmq1ETNn5W8lDDNn3JqHQQQPU5klA="; + }) + # https://gitlab.com/inkscape/inkscape/-/merge_requests/7968 + ./fix-build-poppler-26.06.0.patch ]; postPatch = '' diff --git a/pkgs/applications/graphics/inkscape/fix-build-poppler-26.06.0.patch b/pkgs/applications/graphics/inkscape/fix-build-poppler-26.06.0.patch new file mode 100644 index 000000000000..e9af942188db --- /dev/null +++ b/pkgs/applications/graphics/inkscape/fix-build-poppler-26.06.0.patch @@ -0,0 +1,487 @@ +From 35a470d9cbff50467cc700bc17ab2c4e8f5cf0bc Mon Sep 17 00:00:00 2001 +From: KrIr17 +Date: Mon, 8 Jun 2026 20:16:32 +0200 +Subject: [PATCH] Fix Building with Poppler 26.06.0 + +- pdfparser: Some `const PDFRectangle *` to `const PDFRectangle &` [1] +- pdfparser: Some `const GfxColor *` to `const GfxColor &` [2] +- pdf-utils: Add a `getRect(const PDFRectangle &)` alongside `getRect(const + PDFRectangle *)` +- poppler-cairo-font-engine: `getKey()` now returns std::string and not + char[], so change `strcmp` to `std::string(...).compare(...)` [3] +- poppler-utils: `obj->dictGetKey()` etc. were removed; use + `obj->dict()->getKey()` instead (these have also existed in poppler + since the beginning, so shouldn't break any old poppler) [4,5] +- svg-builder: `convertGfxColor` now takes `const GfxColor &` as input. + A convenience function taking `const GfxColor *` (for older poppler) + now calls the new one after confirming `color` is a valid pointer +- svg-builder: `_addStopToGradient` now takes `const GfxColor &` as + input. This was used only in `convertGfxColor` and therefore doesn't + need a helper function for compatibility +- testfiles pdf-utils-test: `` to `<*.h>` (see e3eb1210) +- testfiles pdf-utils-test: Some `const PDFRectangle *` + to `const PDFRectangle &` [1] + +Fixes https://gitlab.com/inkscape/inkscape/-/work_items/6210 + +Upstream Commits: + +[1] https://gitlab.freedesktop.org/poppler/poppler/-/commit/d50a4510 +[2] https://gitlab.freedesktop.org/poppler/poppler/-/commit/0f94f530 +[3] https://gitlab.freedesktop.org/poppler/poppler/-/commit/a3de7f8a +[4] https://gitlab.freedesktop.org/poppler/poppler/-/commit/bb13b0f5 +[5] https://gitlab.freedesktop.org/poppler/poppler/-/commit/8ae0f8e7 +--- + src/extension/internal/pdfinput/pdf-input.cpp | 14 +++++- + .../internal/pdfinput/pdf-parser.cpp | 45 ++++++++++--------- + src/extension/internal/pdfinput/pdf-parser.h | 4 +- + src/extension/internal/pdfinput/pdf-utils.cpp | 5 +++ + src/extension/internal/pdfinput/pdf-utils.h | 1 + + .../pdfinput/poppler-cairo-font-engine.cpp | 2 +- + .../pdfinput/poppler-transition-api.h | 16 +++++++ + .../internal/pdfinput/poppler-utils.cpp | 20 +++++---- + .../internal/pdfinput/svg-builder.cpp | 36 +++++++++------ + src/extension/internal/pdfinput/svg-builder.h | 3 +- + testfiles/src/pdf-utils-test.cpp | 7 +-- + 11 files changed, 100 insertions(+), 53 deletions(-) + +diff --git a/src/extension/internal/pdfinput/pdf-input.cpp b/src/extension/internal/pdfinput/pdf-input.cpp +index aa4285b01d..dc5394c3d8 100644 +--- a/src/extension/internal/pdfinput/pdf-input.cpp ++++ b/src/extension/internal/pdfinput/pdf-input.cpp +@@ -820,7 +820,11 @@ PdfInput::add_builder_page(std::shared_ptrpdf_doc, SvgBuilder *builder, + } + + // Apply crop settings ++#if POPPLER_CHECK_VERSION(26, 2, 0) ++ std::optional clipToBox; ++#else + _POPPLER_CONST PDFRectangle *clipToBox = nullptr; ++#endif + + if (crop_to == "media-box") { + clipToBox = page->getMediaBox(); +@@ -834,8 +838,16 @@ PdfInput::add_builder_page(std::shared_ptrpdf_doc, SvgBuilder *builder, + clipToBox = page->getArtBox(); + } + ++ std::optional cropBox; ++#if POPPLER_CHECK_VERSION(26, 2, 0) ++ cropBox = clipToBox; ++#else ++ if (clipToBox) { ++ cropBox = *clipToBox; ++ } ++#endif + // Create parser (extension/internal/pdfinput/pdf-parser.h) +- auto pdf_parser = PdfParser(pdf_doc, builder, page, clipToBox); ++ auto pdf_parser = PdfParser(pdf_doc, builder, page, cropBox); + + // Set up approximation precision for parser. Used for converting Mesh Gradients into tiles. + if ( color_delta <= 0.0 ) { +diff --git a/src/extension/internal/pdfinput/pdf-parser.cpp b/src/extension/internal/pdfinput/pdf-parser.cpp +index b336c48ce3..86fc51b1f2 100644 +--- a/src/extension/internal/pdfinput/pdf-parser.cpp ++++ b/src/extension/internal/pdfinput/pdf-parser.cpp +@@ -43,6 +43,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -264,7 +265,7 @@ GfxPatch blankPatch() + //------------------------------------------------------------------------ + + PdfParser::PdfParser(std::shared_ptr pdf_doc, Inkscape::Extension::Internal::SvgBuilder *builderA, Page *page, +- _POPPLER_CONST PDFRectangle *cropBox) ++ const std::optional &cropBox) + : _pdf_doc(pdf_doc) + , xref(pdf_doc->getXRef()) + , builder(builderA) +@@ -307,8 +308,8 @@ PdfParser::PdfParser(std::shared_ptr pdf_doc, Inkscape::Extension::Inter + builder->setMargins(getRect(page->getTrimBox()) * scale, + getRect(page->getArtBox()) * scale, + getRect(page->getBleedBox()) * scale); +- if (cropBox && getRect(cropBox) != page_box) { +- builder->cropPage(getRect(cropBox) * scale); ++ if (cropBox && getRect(*cropBox) != page_box) { ++ builder->cropPage(getRect(*cropBox) * scale); + } + + saveState(); +@@ -331,7 +332,7 @@ PdfParser::PdfParser(XRef *xrefA, Inkscape::Extension::Internal::SvgBuilder *bui + , printCommands(false) + , res(new GfxResources(xref, resDict, nullptr)) + , // start the resource stack +- state(new GfxState(72, 72, box, 0, false)) ++ state(new _POPPLER_GFX_STATE(72, 72, *box, 0, false)) + , fontChanged(gFalse) + , clip(clipNone) + , ignoreUndef(0) +@@ -964,7 +965,7 @@ void PdfParser::opSetFillGray(Object args[], int /*numArgs*/) + state->setFillPattern(nullptr); + state->setFillColorSpace(_POPPLER_CONSUME_UNIQPTR_ARG(std::make_unique())); + color.c[0] = dblToCol(args[0].getNum()); +- state->setFillColor(&color); ++ state->_POPPLER_SET_FILL_COLOR(color); + builder->updateStyle(state); + } + +@@ -976,7 +977,7 @@ void PdfParser::opSetStrokeGray(Object args[], int /*numArgs*/) + state->setStrokePattern(nullptr); + state->setStrokeColorSpace(_POPPLER_CONSUME_UNIQPTR_ARG(std::make_unique())); + color.c[0] = dblToCol(args[0].getNum()); +- state->setStrokeColor(&color); ++ state->_POPPLER_SET_STROKE_COLOR(color); + builder->updateStyle(state); + } + +@@ -991,7 +992,7 @@ void PdfParser::opSetFillCMYKColor(Object args[], int /*numArgs*/) + for (i = 0; i < 4; ++i) { + color.c[i] = dblToCol(args[i].getNum()); + } +- state->setFillColor(&color); ++ state->_POPPLER_SET_FILL_COLOR(color); + builder->updateStyle(state); + } + +@@ -1005,7 +1006,7 @@ void PdfParser::opSetStrokeCMYKColor(Object args[], int /*numArgs*/) + for (int i = 0; i < 4; ++i) { + color.c[i] = dblToCol(args[i].getNum()); + } +- state->setStrokeColor(&color); ++ state->_POPPLER_SET_STROKE_COLOR(color); + builder->updateStyle(state); + } + +@@ -1019,7 +1020,7 @@ void PdfParser::opSetFillRGBColor(Object args[], int /*numArgs*/) + for (int i = 0; i < 3; ++i) { + color.c[i] = dblToCol(args[i].getNum()); + } +- state->setFillColor(&color); ++ state->_POPPLER_SET_FILL_COLOR(color); + builder->updateStyle(state); + } + +@@ -1032,7 +1033,7 @@ void PdfParser::opSetStrokeRGBColor(Object args[], int /*numArgs*/) { + for (int i = 0; i < 3; ++i) { + color.c[i] = dblToCol(args[i].getNum()); + } +- state->setStrokeColor(&color); ++ state->_POPPLER_SET_STROKE_COLOR(color); + builder->updateStyle(state); + } + +@@ -1048,7 +1049,7 @@ void PdfParser::opSetFillColorSpace(Object args[], int numArgs) + GfxColor color; + colorSpace->getDefaultColor(&color); + state->setFillColorSpace(_POPPLER_CONSUME_UNIQPTR_ARG(colorSpace)); +- state->setFillColor(&color); ++ state->_POPPLER_SET_FILL_COLOR(color); + builder->updateStyle(state); + } else { + error(errSyntaxError, getPos(), "Bad color space (fill)"); +@@ -1069,7 +1070,7 @@ void PdfParser::opSetStrokeColorSpace(Object args[], int numArgs) + GfxColor color; + colorSpace->getDefaultColor(&color); + state->setStrokeColorSpace(_POPPLER_CONSUME_UNIQPTR_ARG(colorSpace)); +- state->setStrokeColor(&color); ++ state->_POPPLER_SET_STROKE_COLOR(color); + builder->updateStyle(state); + } else { + error(errSyntaxError, getPos(), "Bad color space (stroke)"); +@@ -1089,7 +1090,7 @@ void PdfParser::opSetFillColor(Object args[], int numArgs) { + for (i = 0; i < numArgs; ++i) { + color.c[i] = dblToCol(args[i].getNum()); + } +- state->setFillColor(&color); ++ state->_POPPLER_SET_FILL_COLOR(color); + builder->updateStyle(state); + } + +@@ -1106,7 +1107,7 @@ void PdfParser::opSetStrokeColor(Object args[], int numArgs) { + for (i = 0; i < numArgs; ++i) { + color.c[i] = dblToCol(args[i].getNum()); + } +- state->setStrokeColor(&color); ++ state->_POPPLER_SET_STROKE_COLOR(color); + builder->updateStyle(state); + } + +@@ -1127,7 +1128,7 @@ void PdfParser::opSetFillColorN(Object args[], int numArgs) { + color.c[i] = dblToCol(args[i].getNum()); + } + } +- state->setFillColor(&color); ++ state->_POPPLER_SET_FILL_COLOR(color); + builder->updateStyle(state); + } + if (auto pattern = lookupPattern(&(args[numArgs - 1]), state)) { +@@ -1146,7 +1147,7 @@ void PdfParser::opSetFillColorN(Object args[], int numArgs) { + color.c[i] = dblToCol(args[i].getNum()); + } + } +- state->setFillColor(&color); ++ state->_POPPLER_SET_FILL_COLOR(color); + builder->updateStyle(state); + } + } +@@ -1170,7 +1171,7 @@ void PdfParser::opSetStrokeColorN(Object args[], int numArgs) { + color.c[i] = dblToCol(args[i].getNum()); + } + } +- state->setStrokeColor(&color); ++ state->_POPPLER_SET_STROKE_COLOR(color); + builder->updateStyle(state); + } + if (auto pattern = lookupPattern(&(args[numArgs - 1]), state)) { +@@ -1189,7 +1190,7 @@ void PdfParser::opSetStrokeColorN(Object args[], int numArgs) { + color.c[i] = dblToCol(args[i].getNum()); + } + } +- state->setStrokeColor(&color); ++ state->_POPPLER_SET_STROKE_COLOR(color); + builder->updateStyle(state); + } + } +@@ -1673,7 +1674,7 @@ void PdfParser::doFunctionShFill1(GfxFunctionShading *shading, + + // use the center color + shading->getColor(xM, yM, &fillColor); +- state->setFillColor(&fillColor); ++ state->_POPPLER_SET_FILL_COLOR(fillColor); + + // fill the rectangle + state->moveTo(x0 * matrix[0] + y0 * matrix[2] + matrix[4], +@@ -1799,7 +1800,7 @@ void PdfParser::gouraudFillTriangle(double x0, double y0, GfxColor *color0, + } + } + if (i == nComps || depth == maxDepths[pdfGouraudTriangleShading-1]) { +- state->setFillColor(color0); ++ state->_POPPLER_SET_FILL_COLOR(*color0); + state->moveTo(x0, y0); + state->lineTo(x1, y1); + state->lineTo(x2, y2); +@@ -1877,7 +1878,7 @@ void PdfParser::fillPatch(_POPPLER_CONST GfxPatch *patch, int nComps, int depth) + color.c[i] = GfxColorComp(patch->color[0][0].c[i]); + } + if (i == nComps || depth == maxDepths[pdfPatchMeshShading-1]) { +- state->setFillColor(&color); ++ state->_POPPLER_SET_FILL_COLOR(color); + state->moveTo(patch->x[0][0], patch->y[0][0]); + state->curveTo(patch->x[0][1], patch->y[0][1], + patch->x[0][2], patch->y[0][2], +diff --git a/src/extension/internal/pdfinput/pdf-parser.h b/src/extension/internal/pdfinput/pdf-parser.h +index 098ff26e26..29dd259167 100644 +--- a/src/extension/internal/pdfinput/pdf-parser.h ++++ b/src/extension/internal/pdfinput/pdf-parser.h +@@ -113,8 +113,8 @@ struct OpHistoryEntry { + class PdfParser { + public: + +- // Constructor for regular output. +- PdfParser(std::shared_ptr pdf_doc, SvgBuilder *builderA, Page *page, _POPPLER_CONST PDFRectangle *cropBox); ++ // Constructor for regular output. ++ PdfParser(std::shared_ptr pdf_doc, SvgBuilder *builderA, Page *page, const std::optional &cropBox); + // Constructor for a sub-page object. + PdfParser(XRef *xrefA, SvgBuilder *builderA, Dict *resDict, _POPPLER_CONST PDFRectangle *box); + +diff --git a/src/extension/internal/pdfinput/pdf-utils.cpp b/src/extension/internal/pdfinput/pdf-utils.cpp +index 22e5df62c8..3aa6c02d3c 100644 +--- a/src/extension/internal/pdfinput/pdf-utils.cpp ++++ b/src/extension/internal/pdfinput/pdf-utils.cpp +@@ -133,6 +133,11 @@ Geom::Rect getRect(_POPPLER_CONST PDFRectangle *box) + return Geom::Rect(box->x1, box->y1, box->x2, box->y2); + } + ++Geom::Rect getRect(const PDFRectangle &box) ++{ ++ return Geom::Rect(box.x1, box.y1, box.x2, box.y2); ++} ++ + Geom::PathVector getPathV(GfxPath *path) + { + if (!path) { +diff --git a/src/extension/internal/pdfinput/pdf-utils.h b/src/extension/internal/pdfinput/pdf-utils.h +index d259a8c2f7..30e9b5bf86 100644 +--- a/src/extension/internal/pdfinput/pdf-utils.h ++++ b/src/extension/internal/pdfinput/pdf-utils.h +@@ -59,6 +59,7 @@ private: + }; + + Geom::Rect getRect(_POPPLER_CONST PDFRectangle *box); ++Geom::Rect getRect(_POPPLER_CONST PDFRectangle &box); + Geom::PathVector getPathV(GfxPath *gPath); + + #endif /* PDF_UTILS_H */ +diff --git a/src/extension/internal/pdfinput/poppler-cairo-font-engine.cpp b/src/extension/internal/pdfinput/poppler-cairo-font-engine.cpp +index 19ebd26693..39ce22af38 100644 +--- a/src/extension/internal/pdfinput/poppler-cairo-font-engine.cpp ++++ b/src/extension/internal/pdfinput/poppler-cairo-font-engine.cpp +@@ -713,7 +713,7 @@ CairoType3Font *CairoType3Font::create(GfxFont *gfxFont, PDFDoc *doc, CairoFontE + codeToGID[i] = 0; + if (charProcs && (name = enc[i])) { + for (int j = 0; j < charProcs->getLength(); j++) { +- if (strcmp(name, charProcs->getKey(j)) == 0) { ++ if (std::string(charProcs->getKey(j)).compare(name) == 0) { + codeToGID[i] = j; + } + } +diff --git a/src/extension/internal/pdfinput/poppler-transition-api.h b/src/extension/internal/pdfinput/poppler-transition-api.h +index d69829d512..23550a3068 100644 +--- a/src/extension/internal/pdfinput/poppler-transition-api.h ++++ b/src/extension/internal/pdfinput/poppler-transition-api.h +@@ -15,6 +15,22 @@ + #include + #include + ++#if POPPLER_CHECK_VERSION(26, 6, 0) ++#define _POPPLER_GET_GRAY(color, gray) getGray(color, gray) ++#define _POPPLER_GET_RGB(color, rgb) getRGB(color, rgb) ++#define _POPPLER_GET_CMYK(color, cmyk) getCMYK(color, cmyk) ++#define _POPPLER_SET_FILL_COLOR(color) setFillColor(color) ++#define _POPPLER_SET_STROKE_COLOR(color) setStrokeColor(color) ++#define _POPPLER_GFX_STATE(h, v, Rect, rotateA, upsideDown) GfxState(h, v, Rect, rotateA, upsideDown) ++#else ++#define _POPPLER_GET_GRAY(color, gray) getGray(&color, gray) ++#define _POPPLER_GET_RGB(color, rgb) getRGB(&color, rgb) ++#define _POPPLER_GET_CMYK(color, cmyk) getCMYK(&color, cmyk) ++#define _POPPLER_SET_FILL_COLOR(color) setFillColor(&color) ++#define _POPPLER_SET_STROKE_COLOR(color) setStrokeColor(&color) ++#define _POPPLER_GFX_STATE(h, v, Rect, rotateA, upsideDown) GfxState(h, v, &Rect, rotateA, upsideDown) ++#endif ++ + #if POPPLER_CHECK_VERSION(26, 2, 0) + #define _POPPLER_WMODE GfxFont::WritingMode + #define _POPPLER_WMODE_HORIZONTAL GfxFont::WritingMode::Horizontal +diff --git a/src/extension/internal/pdfinput/poppler-utils.cpp b/src/extension/internal/pdfinput/poppler-utils.cpp +index 2338dbe2d9..66dcf85e1d 100644 +--- a/src/extension/internal/pdfinput/poppler-utils.cpp ++++ b/src/extension/internal/pdfinput/poppler-utils.cpp +@@ -196,15 +196,17 @@ void InkFontDict::hashFontObject1(const Object *obj, FNVHash *h) + hashFontObject1(&obj2, h); + } + break; +- case objDict: +- h->hash('d'); +- n = obj->dictGetLength(); +- h->hash((char *)&n, sizeof(int)); +- for (i = 0; i < n; ++i) { +- p = obj->dictGetKey(i); +- h->hash(p, (int)strlen(p)); +- const Object &obj2 = obj->dictGetValNF(i); +- hashFontObject1(&obj2, h); ++ case objDict: { ++ h->hash('d'); ++ auto objdict = obj->getDict(); ++ n = objdict->getLength(); ++ h->hash((char *)&n, sizeof(int)); ++ for (i = 0; i < n; ++i) { ++ auto p = std::string(objdict->getKey(i)); ++ h->hash(p.c_str(), p.length()); ++ const Object &obj2 = objdict->getValNF(i); ++ hashFontObject1(&obj2, h); ++ } + } + break; + case objStream: +diff --git a/src/extension/internal/pdfinput/svg-builder.cpp b/src/extension/internal/pdfinput/svg-builder.cpp +index 3dfdfbbed4..bf7ccf1a8b 100644 +--- a/src/extension/internal/pdfinput/svg-builder.cpp ++++ b/src/extension/internal/pdfinput/svg-builder.cpp +@@ -392,7 +392,15 @@ static std::string svgConvertGfxRGB(GfxRGB *color) + return svgConvertRGBToText(r, g, b); + } + +-std::string SvgBuilder::convertGfxColor(const GfxColor *color, GfxColorSpace *space) ++// for poppler < 26.06.0 ++std::string SvgBuilder::convertGfxColor(const GfxColor *color, GfxColorSpace *space) { ++ if (!color) { ++ return ""; ++ } ++ return convertGfxColor(*color, space); ++} ++ ++std::string SvgBuilder::convertGfxColor(const GfxColor &color, GfxColorSpace *space) + { + std::string icc = ""; + switch (space->getMode()) { +@@ -419,7 +427,7 @@ std::string SvgBuilder::convertGfxColor(const GfxColor *color, GfxColorSpace *sp + Inkscape::CSSOStringStream icc_color; + icc_color << rgb_color << " icc-color(" << icc; + for (int i = 0; i < space->getNComps(); ++i) { +- icc_color << ", " << colToDbl((*color).c[i]); ++ icc_color << ", " << colToDbl((color).c[i]); + } + icc_color << ");"; + return icc_color.str(); +@@ -1204,7 +1212,7 @@ gchar *SvgBuilder::_createGradient(GfxShading *shading, const Geom::Affine pat_m + /** + * \brief Adds a stop with the given properties to the gradient's representation + */ +-void SvgBuilder::_addStopToGradient(Inkscape::XML::Node *gradient, double offset, GfxColor *color, GfxColorSpace *space, ++void SvgBuilder::_addStopToGradient(Inkscape::XML::Node *gradient, double offset, GfxColor &color, GfxColorSpace *space, + double opacity) + { + Inkscape::XML::Node *stop = _xml_doc->createElement("svg:stop"); +@@ -1255,8 +1263,8 @@ bool SvgBuilder::_addGradientStops(Inkscape::XML::Node *gradient, GfxShading *sh + if (!svgGetShadingColor(shading, 0.0, &stop1) || !svgGetShadingColor(shading, 1.0, &stop2)) { + return false; + } else { +- _addStopToGradient(gradient, 0.0, &stop1, space, 1.0); +- _addStopToGradient(gradient, 1.0, &stop2, space, 1.0); ++ _addStopToGradient(gradient, 0.0, stop1, space, 1.0); ++ _addStopToGradient(gradient, 1.0, stop2, space, 1.0); + } + } else if (type == _POPPLER_FUNCTION_TYPE_STITCHING) { + auto stitchingFunc = static_cast<_POPPLER_CONST StitchingFunction*>(func); +@@ -1269,7 +1277,7 @@ bool SvgBuilder::_addGradientStops(Inkscape::XML::Node *gradient, GfxShading *sh + // Add stops from all the stitched functions + GfxColor prev_color, color; + svgGetShadingColor(shading, bounds[0], &prev_color); +- _addStopToGradient(gradient, bounds[0], &prev_color, space, 1.0); ++ _addStopToGradient(gradient, bounds[0], prev_color, space, 1.0); + for ( int i = 0 ; i < num_funcs ; i++ ) { + svgGetShadingColor(shading, bounds[i + 1], &color); + // Add stops +@@ -1279,14 +1287,14 @@ bool SvgBuilder::_addGradientStops(Inkscape::XML::Node *gradient, GfxShading *sh + expE = (bounds[i + 1] - bounds[i])/expE; // approximate exponential as a single straight line at x=1 + if (encode[2*i] == 0) { // normal sequence + auto offset = (bounds[i + 1] - expE) / max_bound; +- _addStopToGradient(gradient, offset, &prev_color, space, 1.0); ++ _addStopToGradient(gradient, offset, prev_color, space, 1.0); + } else { // reflected sequence + auto offset = (bounds[i] + expE) / max_bound; +- _addStopToGradient(gradient, offset, &color, space, 1.0); ++ _addStopToGradient(gradient, offset, color, space, 1.0); + } + } + } +- _addStopToGradient(gradient, bounds[i + 1] / max_bound, &color, space, 1.0); ++ _addStopToGradient(gradient, bounds[i + 1] / max_bound, color, space, 1.0); + prev_color = color; + } + } else { // Unsupported function type +diff --git a/src/extension/internal/pdfinput/svg-builder.h b/src/extension/internal/pdfinput/svg-builder.h +index c4b217f58e..348f3a2ce3 100644 +--- a/src/extension/internal/pdfinput/svg-builder.h ++++ b/src/extension/internal/pdfinput/svg-builder.h +@@ -186,7 +186,7 @@ private: + // Pattern creation + gchar *_createPattern(GfxPattern *pattern, GfxState *state, bool is_stroke=false); + gchar *_createGradient(GfxShading *shading, const Geom::Affine pat_matrix, bool for_shading = false); +- void _addStopToGradient(Inkscape::XML::Node *gradient, double offset, GfxColor *color, GfxColorSpace *space, ++ void _addStopToGradient(Inkscape::XML::Node *gradient, double offset, GfxColor &color, GfxColorSpace *space, + double opacity); + bool _addGradientStops(Inkscape::XML::Node *gradient, GfxShading *shading, + _POPPLER_CONST Function *func); +@@ -239,6 +239,7 @@ private: + static bool _attrEqual(Inkscape::XML::Node *a, Inkscape::XML::Node *b, char const *attr); + + // Colors ++ std::string convertGfxColor(const GfxColor &color, GfxColorSpace *space); + std::string convertGfxColor(const GfxColor *color, GfxColorSpace *space); + std::string _getColorProfile(cmsHPROFILE hp); + diff --git a/pkgs/applications/office/libreoffice/default.nix b/pkgs/applications/office/libreoffice/default.nix index 75880b33f528..74eeadee0ef3 100644 --- a/pkgs/applications/office/libreoffice/default.nix +++ b/pkgs/applications/office/libreoffice/default.nix @@ -397,6 +397,34 @@ stdenv.mkDerivation (finalAttrs: { # Don't detect Qt paths from qmake, so our patched-in onese are used ./dont-detect-qt-paths-from-qmake.patch + + # Fix build with Poppler 26.02 + (fetchpatch2 { + url = "https://gitlab.archlinux.org/archlinux/packaging/packages/libreoffice-still/-/raw/25.8.7-2/fix_build_with_poppler_26.02.0.patch"; + hash = "sha256-IInhSoqTemDITB+AtkvVa9eGbodTbUGSpMMpC9N/mmg="; + }) + # Fix build with Poppler 26.04 + (fetchpatch2 { + url = "https://gitlab.archlinux.org/archlinux/packaging/packages/libreoffice-still/-/raw/25.8.7-2/fix_build_with_poppler_26.04.0.patch"; + hash = "sha256-I9owj/NTCTi6ISszuasH410NLlhunPn/Ig22tenu8tw="; + }) + # Fix build with Poppler 26.05 + (fetchpatch2 { + url = "https://gitlab.archlinux.org/archlinux/packaging/packages/libreoffice-still/-/raw/25.8.7-2/fix_build_with_poppler_26.05.0.patch"; + hash = "sha256-7wdiciTf/LrTk0MibBBYGliWRCvK1rtTGESgH7db1I4="; + }) + # Fix build with Poppler 26.06 + (fetchpatch2 { + url = "https://gitlab.archlinux.org/archlinux/packaging/packages/libreoffice-still/-/raw/25.8.7-3/fix_build_with_poppler_26.06.0.patch"; + hash = "sha256-j66IsrzaqQ55MRVzhlw25guuoDtxx1D4XeJsBhgWP2c="; + }) + ] + ++ lib.optionals (variant != "fresh") [ + # Fix build with Poppler 26.01 + (fetchpatch2 { + url = "https://gitlab.archlinux.org/archlinux/packaging/packages/libreoffice-still/-/raw/25.8.7-2/fix_build_with_poppler_26.01.0.patch"; + hash = "sha256-5JTTvJFIV5MG0Gz7y46wAr3q9tWdSVoZ9TJQlMJVqBc="; + }) ] ++ lib.optionals (variant != "collabora" && variant != "collabora-coda") [ # Revert part of https://github.com/LibreOffice/core/commit/6f60670877208612b5ea320b3677480ef6508abb that broke zlib linking diff --git a/pkgs/build-support/build-mozilla-mach/153-cbindgen-0.29.4-compat.patch b/pkgs/build-support/build-mozilla-mach/153-cbindgen-0.29.4-compat.patch new file mode 100644 index 000000000000..84238f025fc6 --- /dev/null +++ b/pkgs/build-support/build-mozilla-mach/153-cbindgen-0.29.4-compat.patch @@ -0,0 +1,36 @@ +commit c4aab1ba6aadd6985fcd271679d2118f094ec876 +Author: Emilio Cobos Álvarez +Date: Tue Jun 9 22:04:44 2026 +0000 + + Bug 2046162 - Remove some redundant pub qualifiers. r=gfx-reviewers,aosmond + + The enum is not public so this doesn't change behavior but a patch I'm + working on in cbindgen gets a bit confused with this. + + Differential Revision: https://phabricator.services.mozilla.com/D305678 + +diff --git a/gfx/wr/webrender/src/texture_cache.rs b/gfx/wr/webrender/src/texture_cache.rs +index e14c26bd3190..77e1f3a312ac 100644 +--- a/gfx/wr/webrender/src/texture_cache.rs ++++ b/gfx/wr/webrender/src/texture_cache.rs +@@ -273,9 +273,9 @@ enum BudgetType { + } + + impl BudgetType { +- pub const COUNT: usize = 7; ++ const COUNT: usize = 7; + +- pub const VALUES: [BudgetType; BudgetType::COUNT] = [ ++ const VALUES: [BudgetType; BudgetType::COUNT] = [ + BudgetType::SharedColor8Linear, + BudgetType::SharedColor8Nearest, + BudgetType::SharedColor8Glyphs, +@@ -285,7 +285,7 @@ impl BudgetType { + BudgetType::Standalone, + ]; + +- pub const PRESSURE_COUNTERS: [usize; BudgetType::COUNT] = [ ++ const PRESSURE_COUNTERS: [usize; BudgetType::COUNT] = [ + profiler::ATLAS_COLOR8_LINEAR_PRESSURE, + profiler::ATLAS_COLOR8_NEAREST_PRESSURE, + profiler::ATLAS_COLOR8_GLYPHS_PRESSURE, diff --git a/pkgs/build-support/build-mozilla-mach/default.nix b/pkgs/build-support/build-mozilla-mach/default.nix index 67312aa0e186..cc18c853dca5 100644 --- a/pkgs/build-support/build-mozilla-mach/default.nix +++ b/pkgs/build-support/build-mozilla-mach/default.nix @@ -340,6 +340,11 @@ buildStdenv.mkDerivation { # https://bugzilla.mozilla.org/show_bug.cgi?id=1985509 ./140-bindgen-string-view.patch ] + ++ lib.optionals (lib.versionAtLeast version "140" && lib.versionOlder version "140.13") [ + # https://github.com/mozilla/cbindgen/issues/1165 + # https://bugzilla.mozilla.org/show_bug.cgi?id=2046162 + ./153-cbindgen-0.29.4-compat.patch + ] ++ extraPatches; postPatch = '' diff --git a/pkgs/by-name/ca/cacert/package.nix b/pkgs/by-name/ca/cacert/package.nix index 8dd727f6ded3..df6b082a92bc 100644 --- a/pkgs/by-name/ca/cacert/package.nix +++ b/pkgs/by-name/ca/cacert/package.nix @@ -20,7 +20,7 @@ let lib.concatStringsSep "\n\n" extraCertificateStrings ); - version = "3.123"; + version = "3.125"; meta = { homepage = "https://firefox-source-docs.mozilla.org/security/nss/runbooks/rootstore.html#root-store-consumers"; description = "Bundle of X.509 certificates of public Certificate Authorities (CA)"; @@ -52,7 +52,7 @@ stdenv.mkDerivation { "https://hg-edge.mozilla.org/projects/nss/raw-file/${tag}/${file}" "https://raw.githubusercontent.com/nss-dev/nss/refs/tags/${tag}/${file}" ]; - hash = "sha256-dxMO+RITdyhEVh+9OqMdQTslwqx/V2/qO8O7/375NIk="; + hash = "sha256-5XkSgI2u97Kw+k3yzPF+R66vJsg5o4+Fx2AD66/YZr0="; }; unpackPhase = '' diff --git a/pkgs/by-name/ca/cargo-auditable/builder.nix b/pkgs/by-name/ca/cargo-auditable/builder.nix index 348ff29ef61a..da652a61fcad 100644 --- a/pkgs/by-name/ca/cargo-auditable/builder.nix +++ b/pkgs/by-name/ca/cargo-auditable/builder.nix @@ -16,11 +16,14 @@ lib.extendMkDerivation { auditable ? true, hash ? "", cargoHash ? "", + passthru ? { }, ... }: { inherit auditable pname; + __structuredAttrs = true; + src = fetchFromGitHub { owner = "rust-secure-code"; repo = "cargo-auditable"; @@ -45,7 +48,9 @@ lib.extendMkDerivation { installManPage cargo-auditable/cargo-auditable.1 ''; - passthru.bootstrap = auditable-bootstrap; + passthru = passthru // { + bootstrap = auditable-bootstrap; + }; meta = { description = "Tool to make production Rust binaries auditable"; diff --git a/pkgs/by-name/ca/cargo-auditable/package.nix b/pkgs/by-name/ca/cargo-auditable/package.nix index b74e0abbd515..064df430d374 100644 --- a/pkgs/by-name/ca/cargo-auditable/package.nix +++ b/pkgs/by-name/ca/cargo-auditable/package.nix @@ -2,6 +2,7 @@ buildPackages, callPackage, makeRustPlatform, + nix-update-script, }: let # Need to use the build platform rustc and Cargo so that @@ -18,9 +19,9 @@ let auditable-bootstrap = bootstrap; }; - version = "0.7.2"; - hash = "sha256-hR6PjTOps8JSM7UbfGlCoZmmwtWExVqYwh4lxDiFWdc="; - cargoHash = "sha256-JEfnUJ9J6Xak3AOCwQCnu+v+3Wl3QbXX20qVFWB6040="; + version = "0.7.5"; + hash = "sha256-0VONJCv/msLcGenItWMLJ7DH79RTD6vsU9gX/nphh1g="; + cargoHash = "sha256-/iAYib+xDQSJ8B559/V7b994ErSUGsPSDx64jFF5B6I="; # cargo-auditable cannot be built with cargo-auditable until cargo-auditable is built bootstrap = auditableBuilder { @@ -32,4 +33,5 @@ in auditableBuilder { inherit version hash cargoHash; auditable = true; + passthru.updateScript = nix-update-script { }; } diff --git a/pkgs/by-name/cm/cmake/package.nix b/pkgs/by-name/cm/cmake/package.nix index 3f099d56c7f9..327c593e6522 100644 --- a/pkgs/by-name/cm/cmake/package.nix +++ b/pkgs/by-name/cm/cmake/package.nix @@ -50,11 +50,11 @@ stdenv.mkDerivation (finalAttrs: { + lib.optionalString isMinimalBuild "-minimal" + lib.optionalString cursesUI "-cursesUI" + lib.optionalString qt5UI "-qt5UI"; - version = "4.1.2"; + version = "4.1.6"; src = fetchurl { url = "https://cmake.org/files/v${lib.versions.majorMinor finalAttrs.version}/cmake-${finalAttrs.version}.tar.gz"; - hash = "sha256-ZD8EGCt7oyOrMfUm94UTT7ecujGIqFIgbvBHP+4oKhU="; + hash = "sha256-UTOEifT7rjWgpptZQW9RLcnHVxKXWaSHxHsz39IVUg4="; }; patches = [ diff --git a/pkgs/by-name/cu/curlMinimal/package.nix b/pkgs/by-name/cu/curlMinimal/package.nix index dc50ca16529f..13376cdab89a 100644 --- a/pkgs/by-name/cu/curlMinimal/package.nix +++ b/pkgs/by-name/cu/curlMinimal/package.nix @@ -6,6 +6,8 @@ perl, nixosTests, autoreconfHook, + buildPackages, + runtimeShellPackage, brotliSupport ? false, brotli, c-aresSupport ? false, @@ -82,6 +84,9 @@ assert ]) > 1 ); +let + isCross = !lib.systems.equals stdenv.buildPlatform stdenv.hostPlatform; +in stdenv.mkDerivation (finalAttrs: { pname = "curl"; version = "8.20.0"; @@ -248,7 +253,20 @@ stdenv.mkDerivation (finalAttrs: { ln $out/lib/libcurl${stdenv.hostPlatform.extensions.sharedLibrary} $out/lib/libcurl-gnutls${stdenv.hostPlatform.extensions.sharedLibrary} ln $out/lib/libcurl${stdenv.hostPlatform.extensions.sharedLibrary} $out/lib/libcurl-gnutls${stdenv.hostPlatform.extensions.sharedLibrary}.4 ln $out/lib/libcurl${stdenv.hostPlatform.extensions.sharedLibrary} $out/lib/libcurl-gnutls${stdenv.hostPlatform.extensions.sharedLibrary}.4.4.0 + '' + # The wcurl shell script found in `''${!outputBin}/bin`, is located in the + # source along with all the scripts patched in `postPatch` above. + # `patchShebangs` at that stage causes the host intended wcurl script to get + # the buildPlatform's runtimeShell shebang, instead of the hostPlatform's. To + # make sure this doesn't happen we disallow it, and fix it above in the + # postInstall, and also with the conditional hostPlatform's + # runtimeShellPackage added in buildInputs. + + lib.optionalString isCross '' + patchShebangs --update --host "''${!outputBin}/bin" ''; + outputChecks.bin.disallowedReferences = lib.optional isCross buildPackages.runtimeShellPackage; + outputChecks.out.disallowedReferences = lib.optional isCross buildPackages.runtimeShellPackage; + buildInputs = lib.optional isCross runtimeShellPackage; passthru = let diff --git a/pkgs/by-name/ex/expat/package.nix b/pkgs/by-name/ex/expat/package.nix index 78ff9e9253b0..72459e1c2ac6 100644 --- a/pkgs/by-name/ex/expat/package.nix +++ b/pkgs/by-name/ex/expat/package.nix @@ -18,7 +18,7 @@ # files. let - version = "2.8.1"; + version = "2.8.2"; tag = "R_${lib.replaceStrings [ "." ] [ "_" ] version}"; in stdenv.mkDerivation (finalAttrs: { @@ -29,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: { url = with finalAttrs; "https://github.com/libexpat/libexpat/releases/download/${tag}/${pname}-${version}.tar.xz"; - hash = "sha256-ELGV7ngWCpCDiBgKj+NgPU6aEvR1X79fOBayOp11DaA="; + hash = "sha256-OtibhYjmZEvU5JmBSA1IshKJ7rvNTwoaSvscKfmbarQ="; }; strictDeps = true; diff --git a/pkgs/by-name/gd/gdb/package.nix b/pkgs/by-name/gd/gdb/package.nix index 95769211d8c2..b7aef9c38772 100644 --- a/pkgs/by-name/gd/gdb/package.nix +++ b/pkgs/by-name/gd/gdb/package.nix @@ -5,7 +5,6 @@ # Build time fetchurl, - fetchpatch, pkg-config, perl, texinfo, @@ -68,11 +67,11 @@ in stdenv.mkDerivation (finalAttrs: { inherit pname; - version = "17.1"; + version = "17.2"; src = fetchurl { url = "mirror://gnu/gdb/gdb-${finalAttrs.version}.tar.xz"; - hash = "sha256-FJlvX3TJ9o9aVD/cRbyngAIH+R+SrupsLnkYIsfG2HY="; + hash = "sha256-HANsDXLks9H7XJTIhjKt1vnXb018TS6nk8EqnxmjIow="; }; postPatch = @@ -90,17 +89,6 @@ stdenv.mkDerivation (finalAttrs: { patches = [ ./debug-info-from-env.patch - - (fetchurl { - name = "musl.patch"; - url = "https://inbox.sourceware.org/gdb-patches/20260324164527.1446549-2-sunilkumar.dora@windriver.com/raw"; - hash = "sha256-FC4DDVS4wtE/HXtbUqvkxu9+e7nE3DYi1zIuQP9yQO8="; - }) - (fetchpatch { - name = "musl-aarch64.patch"; - url = "https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=1ccc3f6a2e28fa1f3357826374cba165b3ba3ff7"; - hash = "sha256-Q2oTo2b+9yNN3PSsxqgxV4/9/05uFE/JMLe1CPs9Y7I="; - }) ] ++ optionals stdenv.hostPlatform.isDarwin [ ./darwin-target-match.patch diff --git a/pkgs/by-name/gn/gnutar/acl-2.4.0-name-conflicts.patch b/pkgs/by-name/gn/gnutar/acl-2.4.0-name-conflicts.patch new file mode 100644 index 000000000000..c871551bc772 --- /dev/null +++ b/pkgs/by-name/gn/gnutar/acl-2.4.0-name-conflicts.patch @@ -0,0 +1,85 @@ +diff --git a/src/xattrs.c b/src/xattrs.c +index 86a7e59cbc..c872ae308d 100644 +--- a/src/xattrs.c ++++ b/src/xattrs.c +@@ -139,13 +139,13 @@ + #ifdef HAVE_POSIX_ACLS + + /* acl-at wrappers, TODO: move to gnulib in future? */ +-static acl_t acl_get_file_at (int, const char *, acl_type_t); +-static int acl_set_file_at (int, const char *, acl_type_t, acl_t); ++static acl_t tar_acl_get_file_at (int, const char *, acl_type_t); ++static int tar_acl_set_file_at (int, const char *, acl_type_t, acl_t); + static int file_has_acl_at (int, char const *, struct stat const *); +-static int acl_delete_def_file_at (int, char const *); ++static int tar_acl_delete_def_file_at (int, char const *); + +-/* acl_get_file_at */ +-#define AT_FUNC_NAME acl_get_file_at ++/* tar_acl_get_file_at */ ++#define AT_FUNC_NAME tar_acl_get_file_at + #define AT_FUNC_RESULT acl_t + #define AT_FUNC_FAIL (acl_t)NULL + #define AT_FUNC_F1 acl_get_file +@@ -159,8 +159,8 @@ + #undef AT_FUNC_POST_FILE_PARAM_DECLS + #undef AT_FUNC_POST_FILE_ARGS + +-/* acl_set_file_at */ +-#define AT_FUNC_NAME acl_set_file_at ++/* tar_acl_set_file_at */ ++#define AT_FUNC_NAME tar_acl_set_file_at + #define AT_FUNC_F1 acl_set_file + #define AT_FUNC_POST_FILE_PARAM_DECLS , acl_type_t type, acl_t acl + #define AT_FUNC_POST_FILE_ARGS , type, acl +@@ -170,8 +170,8 @@ + #undef AT_FUNC_POST_FILE_PARAM_DECLS + #undef AT_FUNC_POST_FILE_ARGS + +-/* acl_delete_def_file_at */ +-#define AT_FUNC_NAME acl_delete_def_file_at ++/* tar_acl_delete_def_file_at */ ++#define AT_FUNC_NAME tar_acl_delete_def_file_at + #define AT_FUNC_F1 acl_delete_def_file + #define AT_FUNC_POST_FILE_PARAM_DECLS + #define AT_FUNC_POST_FILE_ARGS +@@ -299,10 +299,10 @@ + /* No "default" IEEE 1003.1e ACL set for directory. At this moment, + FILE_NAME may already have inherited default acls from parent + directory; clean them up. */ +- if (acl_delete_def_file_at (chdir_fd, file_name)) ++ if (tar_acl_delete_def_file_at (chdir_fd, file_name)) + WARNOPT (WARN_XATTR_WRITE, + (0, errno, +- _("acl_delete_def_file_at: Cannot drop default POSIX ACLs " ++ _("tar_acl_delete_def_file_at: Cannot drop default POSIX ACLs " + "for file '%s'"), + file_name)); + return; +@@ -316,11 +316,11 @@ + return; + } + +- if (acl_set_file_at (chdir_fd, file_name, type, acl) == -1) ++ if (tar_acl_set_file_at (chdir_fd, file_name, type, acl) == -1) + /* warn even if filesystem does not support acls */ + WARNOPT (WARN_XATTR_WRITE, + (0, errno, +- _ ("acl_set_file_at: Cannot set POSIX ACLs for file '%s'"), ++ _ ("tar_acl_set_file_at: Cannot set POSIX ACLs for file '%s'"), + file_name)); + + acl_free (acl); +@@ -357,10 +357,10 @@ + char *val = NULL; + acl_t acl; + +- if (!(acl = acl_get_file_at (parentfd, file_name, type))) ++ if (!(acl = tar_acl_get_file_at (parentfd, file_name, type))) + { + if (errno != ENOTSUP) +- call_arg_warn ("acl_get_file_at", file_name); ++ call_arg_warn ("tar_acl_get_file_at", file_name); + return; + } + diff --git a/pkgs/by-name/gn/gnutar/package.nix b/pkgs/by-name/gn/gnutar/package.nix index 51344245c45f..f887901e2761 100644 --- a/pkgs/by-name/gn/gnutar/package.nix +++ b/pkgs/by-name/gn/gnutar/package.nix @@ -24,9 +24,17 @@ stdenv.mkDerivation (finalAttrs: { sha256 = "sha256-TWL/NzQux67XSFNTI5MMfPlKz3HDWRiCsmp+pQ8+3BY="; }; - # GNU tar fails to link libiconv even though the configure script detects it. - # https://savannah.gnu.org/bugs/index.php?64441 - patches = [ ./link-libiconv.patch ]; + patches = [ + # GNU tar fails to link libiconv even though the configure script detects it. + # https://savannah.gnu.org/bugs/index.php?64441 + ./link-libiconv.patch + + # acl 2.4.0 adds functions that have name conflicts with internal + # (`static`) functions from GNU tar. we prefix `tar_` to these names to + # avoid this, matching the approach from + # https://lists.gnu.org/archive/html/bug-tar/2026-06/msg00013.html + ./acl-2.4.0-name-conflicts.patch + ]; # gnutar tries to call into gettext between `fork` and `exec`, # which is not safe on darwin. diff --git a/pkgs/by-name/im/imagemagick/package.nix b/pkgs/by-name/im/imagemagick/package.nix index 27f0acd0d16f..5f41fb32d203 100644 --- a/pkgs/by-name/im/imagemagick/package.nix +++ b/pkgs/by-name/im/imagemagick/package.nix @@ -88,13 +88,13 @@ in stdenv.mkDerivation (finalAttrs: { pname = "imagemagick"; - version = "7.1.2-24"; + version = "7.1.2-27"; src = fetchFromGitHub { owner = "ImageMagick"; repo = "ImageMagick"; tag = finalAttrs.version; - hash = "sha256-oSH0dsQ3cuFNYJIIr6LHbv82FbFxxcmkjQ5csTNsYCA="; + hash = "sha256-QCC2CO2zkhwlEWymwF739uSNuS7QCqqGIJnF/LtYzVc="; }; outputs = [ @@ -206,7 +206,7 @@ stdenv.mkDerivation (finalAttrs: { meta = { homepage = "http://www.imagemagick.org/"; - changelog = "https://github.com/ImageMagick/Website/blob/main/ChangeLog.md"; + changelog = "https://github.com/ImageMagick/Website/blob/main/docs/changelog/index.md"; description = "Software suite to create, edit, compose, or convert bitmap images"; pkgConfigModules = [ "ImageMagick" diff --git a/pkgs/by-name/jq/jq/CVE-2026-32316.patch b/pkgs/by-name/jq/jq/CVE-2026-32316.patch deleted file mode 100644 index 29d08c9adcd7..000000000000 --- a/pkgs/by-name/jq/jq/CVE-2026-32316.patch +++ /dev/null @@ -1,49 +0,0 @@ -From e47e56d226519635768e6aab2f38f0ab037c09e5 Mon Sep 17 00:00:00 2001 -From: itchyny -Date: Thu, 12 Mar 2026 20:28:43 +0900 -Subject: [PATCH] Fix heap buffer overflow in `jvp_string_append` and - `jvp_string_copy_replace_bad` - -In `jvp_string_append`, the allocation size `(currlen + len) * 2` could -overflow `uint32_t` when `currlen + len` exceeds `INT_MAX`, causing a small -allocation followed by a large `memcpy`. - -In `jvp_string_copy_replace_bad`, the output buffer size calculation -`length * 3 + 1` could overflow `uint32_t`, again resulting in a small -allocation followed by a large write. - -Add overflow checks to both functions to return an error for strings -that would exceed `INT_MAX` in length. Fixes CVE-2026-32316. ---- - src/jv.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/src/jv.c b/src/jv.c -index 722a539391..2a62b48419 100644 ---- a/src/jv.c -+++ b/src/jv.c -@@ -1114,7 +1114,12 @@ static jv jvp_string_copy_replace_bad(const char* data, uint32_t length) { - const char* end = data + length; - const char* i = data; - -- uint32_t maxlength = length * 3 + 1; // worst case: all bad bytes, each becomes a 3-byte U+FFFD -+ // worst case: all bad bytes, each becomes a 3-byte U+FFFD -+ uint64_t maxlength = (uint64_t)length * 3 + 1; -+ if (maxlength >= INT_MAX) { -+ return jv_invalid_with_msg(jv_string("String too long")); -+ } -+ - jvp_string* s = jvp_string_alloc(maxlength); - char* out = s->data; - int c = 0; -@@ -1174,6 +1179,10 @@ static uint32_t jvp_string_remaining_space(jvp_string* s) { - static jv jvp_string_append(jv string, const char* data, uint32_t len) { - jvp_string* s = jvp_string_ptr(string); - uint32_t currlen = jvp_string_length(s); -+ if ((uint64_t)currlen + len >= INT_MAX) { -+ jv_free(string); -+ return jv_invalid_with_msg(jv_string("String too long")); -+ } - - if (jvp_refcnt_unshared(string.u.ptr) && - jvp_string_remaining_space(s) >= len) { diff --git a/pkgs/by-name/jq/jq/CVE-2026-33947.patch b/pkgs/by-name/jq/jq/CVE-2026-33947.patch deleted file mode 100644 index 9f31fd82b057..000000000000 --- a/pkgs/by-name/jq/jq/CVE-2026-33947.patch +++ /dev/null @@ -1,66 +0,0 @@ -From fb59f1491058d58bdc3e8dd28f1773d1ac690a1f Mon Sep 17 00:00:00 2001 -From: itchyny -Date: Mon, 13 Apr 2026 11:23:40 +0900 -Subject: [PATCH] Limit path depth to prevent stack overflow - -Deeply nested path arrays can cause unbounded recursion in -`jv_setpath`, `jv_getpath`, and `jv_delpaths`, leading to -stack overflow. Add a depth limit of 10000 to match the -existing `tojson` depth limit. This fixes CVE-2026-33947. ---- - src/jv_aux.c | 21 +++++++++++++++++++++ - 2 files changed, 46 insertions(+) - -diff --git a/src/jv_aux.c b/src/jv_aux.c -index 018f380b10..fd5ff96684 100644 ---- a/src/jv_aux.c -+++ b/src/jv_aux.c -@@ -365,6 +365,10 @@ static jv jv_dels(jv t, jv keys) { - return t; - } - -+#ifndef MAX_PATH_DEPTH -+#define MAX_PATH_DEPTH (10000) -+#endif -+ - jv jv_setpath(jv root, jv path, jv value) { - if (jv_get_kind(path) != JV_KIND_ARRAY) { - jv_free(value); -@@ -372,6 +376,12 @@ jv jv_setpath(jv root, jv path, jv value) { - jv_free(path); - return jv_invalid_with_msg(jv_string("Path must be specified as an array")); - } -+ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) { -+ jv_free(value); -+ jv_free(root); -+ jv_free(path); -+ return jv_invalid_with_msg(jv_string("Path too deep")); -+ } - if (!jv_is_valid(root)){ - jv_free(value); - jv_free(path); -@@ -424,6 +434,11 @@ jv jv_getpath(jv root, jv path) { - jv_free(path); - return jv_invalid_with_msg(jv_string("Path must be specified as an array")); - } -+ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) { -+ jv_free(root); -+ jv_free(path); -+ return jv_invalid_with_msg(jv_string("Path too deep")); -+ } - if (!jv_is_valid(root)) { - jv_free(path); - return root; -@@ -502,6 +517,12 @@ jv jv_delpaths(jv object, jv paths) { - jv_free(elem); - return err; - } -+ if (jv_array_length(jv_copy(elem)) > MAX_PATH_DEPTH) { -+ jv_free(object); -+ jv_free(paths); -+ jv_free(elem); -+ return jv_invalid_with_msg(jv_string("Path too deep")); -+ } - jv_free(elem); - } - if (jv_array_length(jv_copy(paths)) == 0) { diff --git a/pkgs/by-name/jq/jq/CVE-2026-33948.patch b/pkgs/by-name/jq/jq/CVE-2026-33948.patch deleted file mode 100644 index 5b6497e1469d..000000000000 --- a/pkgs/by-name/jq/jq/CVE-2026-33948.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b Mon Sep 17 00:00:00 2001 -From: itchyny -Date: Mon, 13 Apr 2026 08:46:11 +0900 -Subject: [PATCH] Fix NUL truncation in the JSON parser - -This fixes CVE-2026-33948. ---- - src/util.c | 8 +------- - tests/shtest | 6 ++++++ - 2 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/src/util.c b/src/util.c -index fdfdb96d88..80d65fc808 100644 ---- a/src/util.c -+++ b/src/util.c -@@ -312,13 +312,7 @@ static int jq_util_input_read_more(jq_util_input_state *state) { - if (p != NULL) - state->current_line++; - -- if (p == NULL && state->parser != NULL) { -- /* -- * There should be no NULs in JSON texts (but JSON text -- * sequences are another story). -- */ -- state->buf_valid_len = strlen(state->buf); -- } else if (p == NULL && feof(state->current_input)) { -+ if (p == NULL && feof(state->current_input)) { - size_t i; - - /* -diff --git a/tests/shtest b/tests/shtest -index cb88745277..370f7b7c69 100755 ---- a/tests/shtest -+++ b/tests/shtest -@@ -880,4 +880,10 @@ $JQ -nf $d/prog.jq 2> $d/out && { - } - diff $d/out $d/expected - -+# CVE-2026-33948: No NUL truncation in the JSON parser -+if printf '{}\x00{}' | $JQ >/dev/null 2> /dev/null; then -+ printf 'Error expected but jq exited successfully\n' 1>&2 -+ exit 1 -+fi -+ - exit 0 diff --git a/pkgs/by-name/jq/jq/CVE-2026-39979.patch b/pkgs/by-name/jq/jq/CVE-2026-39979.patch deleted file mode 100644 index cc0c3d17f77f..000000000000 --- a/pkgs/by-name/jq/jq/CVE-2026-39979.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 2f09060afab23fe9390cce7cb860b10416e1bf5f Mon Sep 17 00:00:00 2001 -From: itchyny -Date: Mon, 13 Apr 2026 11:04:52 +0900 -Subject: [PATCH] Fix out-of-bounds read in jv_parse_sized() - -This fixes CVE-2026-39979. - -Co-authored-by: Mattias Wadman ---- - src/jv_parse.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/jv_parse.c b/src/jv_parse.c -index aa2054cc09..56847b5eaa 100644 ---- a/src/jv_parse.c -+++ b/src/jv_parse.c -@@ -893,8 +893,9 @@ jv jv_parse_sized_custom_flags(const char* string, int length, int flags) { - - if (!jv_is_valid(value) && jv_invalid_has_msg(jv_copy(value))) { - jv msg = jv_invalid_get_msg(value); -- value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%s')", -+ value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%.*s')", - jv_string_value(msg), -+ length, - string)); - jv_free(msg); - } diff --git a/pkgs/by-name/jq/jq/CVE-2026-40164.patch b/pkgs/by-name/jq/jq/CVE-2026-40164.patch deleted file mode 100644 index 483316f64b4b..000000000000 --- a/pkgs/by-name/jq/jq/CVE-2026-40164.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 Mon Sep 17 00:00:00 2001 -From: itchyny -Date: Mon, 13 Apr 2026 08:53:26 +0900 -Subject: [PATCH] Randomize hash seed to mitigate hash collision DoS attacks - -The hash function used a fixed seed, allowing attackers to craft colliding keys -and cause O(n^2) object parsing performance. Initialize the seed from a random -source at process startup to prevent the attack. This fixes CVE-2026-40164. - -Co-authored-by: Asaf Meizner ---- - configure.ac | 2 ++ - src/jv.c | 34 ++++++++++++++++++++++++++++++++-- - 2 files changed, 34 insertions(+), 2 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 5dac42655a..f7067a4341 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -149,6 +149,8 @@ AC_CHECK_MEMBER([struct tm.tm_gmtoff], [AC_DEFINE([HAVE_TM_TM_GMT_OFF],1,[Define - AC_CHECK_MEMBER([struct tm.__tm_gmtoff], [AC_DEFINE([HAVE_TM___TM_GMT_OFF],1,[Define to 1 if the system has the __tm_gmt_off field in struct tm])], - [], [[#include ]]) - AC_FIND_FUNC([setlocale], [c], [#include ], [0,0]) -+AC_FIND_FUNC([arc4random], [c], [#include ], []) -+AC_FIND_FUNC([getentropy], [c], [#include ], [0, 0]) - - dnl Figure out if we have the pthread functions we actually need - AC_FIND_FUNC_NO_LIBS([pthread_key_create], [], [#include ], [NULL, NULL]) -diff --git a/src/jv.c b/src/jv.c -index 2a62b48419..607ac174f7 100644 ---- a/src/jv.c -+++ b/src/jv.c -@@ -40,6 +40,10 @@ - #include - #include - #include -+#include -+#include -+#include -+#include - - #include "jv_alloc.h" - #include "jv.h" -@@ -1206,7 +1210,33 @@ static jv jvp_string_append(jv string, const char* data, uint32_t len) { - } - } - --static const uint32_t HASH_SEED = 0x432A9843; -+static uint32_t hash_seed; -+static pthread_once_t hash_seed_once = PTHREAD_ONCE_INIT; -+ -+static void jvp_hash_seed_init(void) { -+ uint32_t seed; -+#if defined(HAVE_ARC4RANDOM) -+ seed = arc4random(); -+#elif defined(HAVE_GETENTROPY) -+ if (getentropy(&seed, sizeof(seed)) != 0) -+ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); -+#else -+ int fd = open("/dev/urandom", O_RDONLY); -+ if (fd >= 0) { -+ if (read(fd, &seed, sizeof(seed)) != 4) -+ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); -+ close(fd); -+ } else { -+ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); -+ } -+#endif -+ hash_seed = seed; -+} -+ -+static uint32_t jvp_hash_seed(void) { -+ pthread_once(&hash_seed_once, jvp_hash_seed_init); -+ return hash_seed; -+} - - static uint32_t rotl32 (uint32_t x, int8_t r){ - return (x << r) | (x >> (32 - r)); -@@ -1225,7 +1255,7 @@ static uint32_t jvp_string_hash(jv jstr) { - int len = (int)jvp_string_length(str); - const int nblocks = len / 4; - -- uint32_t h1 = HASH_SEED; -+ uint32_t h1 = jvp_hash_seed(); - - const uint32_t c1 = 0xcc9e2d51; - const uint32_t c2 = 0x1b873593; diff --git a/pkgs/by-name/jq/jq/musl.patch b/pkgs/by-name/jq/jq/musl.patch deleted file mode 100644 index 3632899882e7..000000000000 --- a/pkgs/by-name/jq/jq/musl.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 63e9449a8142ce30c83fcd7e9396e5de9843774e Mon Sep 17 00:00:00 2001 -From: Alyssa Ross -Date: Thu, 3 Jul 2025 11:00:13 +0200 -Subject: [PATCH] jq.test: drop non-portable %F test - -%F is a non-portable GNU extension, not supported by all strptime -implementations (for example musl's). - -Link: https://github.com/jqlang/jq/pull/3365 ---- - tests/jq.test | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/tests/jq.test b/tests/jq.test -index 4ecf72f..6bfb6f8 100644 ---- a/tests/jq.test -+++ b/tests/jq.test -@@ -1848,10 +1848,6 @@ try ["OK", strflocaltime({})] catch ["KO", .] - "2015-03-05T23:51:47Z" - [[2015,2,5,23,51,47,4,63],1425599507] - --[strptime("%FT%T")|(.,mktime)] --"2025-06-07T08:09:10" --[[2025,5,7,8,9,10,6,157],1749283750] -- - # Check day-of-week and day of year computations - # (should trip an assert if this fails) - last(range(365 * 67)|("1970-03-01T01:02:03Z"|strptime("%Y-%m-%dT%H:%M:%SZ")|mktime) + (86400 * .)|strftime("%Y-%m-%dT%H:%M:%SZ")|strptime("%Y-%m-%dT%H:%M:%SZ")) --- -2.49.0 - diff --git a/pkgs/by-name/jq/jq/package.nix b/pkgs/by-name/jq/jq/package.nix index 31633d27ba03..e6a28fc5248d 100644 --- a/pkgs/by-name/jq/jq/package.nix +++ b/pkgs/by-name/jq/jq/package.nix @@ -14,12 +14,12 @@ stdenv.mkDerivation (finalAttrs: { pname = "jq"; - version = "1.8.1"; + version = "1.8.2"; # Note: do not use fetchpatch or fetchFromGitHub to keep this package available in __bootPackages src = fetchurl { url = "https://github.com/jqlang/jq/releases/download/jq-${finalAttrs.version}/jq-${finalAttrs.version}.tar.gz"; - hash = "sha256-K+ZOcSnOyxHVkGKQ66EK9pT7nj5/n8IIoxHcM8qDfrA="; + hash = "sha256-cbjW6PX+gfbG0NEQ44kiUfbOdu0JWr0xXibm4Rk6868="; }; outputs = [ @@ -30,15 +30,7 @@ stdenv.mkDerivation (finalAttrs: { "out" ]; - patches = [ - ./musl.patch - ./CVE-2026-32316.patch - ./CVE-2026-33947.patch - ./CVE-2026-33948.patch - ./CVE-2026-39979.patch - ./CVE-2026-40164.patch - ] - ++ lib.optionals stdenv.hostPlatform.is32bit [ + patches = lib.optionals stdenv.hostPlatform.is32bit [ # needed because epoch conversion test here is right at the end of 32 bit integer space # See also: https://github.com/jqlang/jq/blob/859a8073ee8a21f2133154eea7c2bd5e0d60837f/tests/optional.test#L15-L18 # "-D_TIME_BITS=64 -D_FILE_OFFSET_BITS=64" would be preferrable, but breaks with dynamic linking, diff --git a/pkgs/by-name/kr/krb5/CVE-2026-11850.patch b/pkgs/by-name/kr/krb5/CVE-2026-11850.patch new file mode 100644 index 000000000000..3c7dde29df3f --- /dev/null +++ b/pkgs/by-name/kr/krb5/CVE-2026-11850.patch @@ -0,0 +1,33 @@ +From 2a5fd83d4436583f2ddc0e193269a4d800ee45c4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebasti=C3=A1n=20Alba?= +Date: Wed, 8 Apr 2026 18:32:25 -0400 +Subject: [PATCH] Prevent read overrun in libkdb_ldap + +In berval2tl_data(), reject inputs of length less than 2 to prevent an +integer underflow and subsequent read overrun. (The security impact +is negligible as the attacker would have to control the KDB LDAP +server.) + +[ghudson@mit.edu: wrote commit message] + +ticket: 9206 (new) +tags: pullup +target_version: 1.22-next +--- + plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +index 418d253d17..9aa68bacd7 100644 +--- a/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c ++++ b/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +@@ -80,6 +80,9 @@ getstringtime(krb5_timestamp); + krb5_error_code + berval2tl_data(struct berval *in, krb5_tl_data **out) + { ++ if (in->bv_len < 2) ++ return EINVAL; ++ + *out = (krb5_tl_data *) malloc (sizeof (krb5_tl_data)); + if (*out == NULL) + return ENOMEM; diff --git a/pkgs/by-name/kr/krb5/package.nix b/pkgs/by-name/kr/krb5/package.nix index c4e35061d41a..4e97e9867190 100644 --- a/pkgs/by-name/kr/krb5/package.nix +++ b/pkgs/by-name/kr/krb5/package.nix @@ -44,6 +44,8 @@ stdenv.mkDerivation (finalAttrs: { }; patches = [ + # https://github.com/krb5/krb5/pull/1505 + ./CVE-2026-11850.patch # https://github.com/krb5/krb5/pull/1506 ./CVE-2026-40355-and-CVE-2026-40356.patch ] diff --git a/pkgs/by-name/ld/ldns/package.nix b/pkgs/by-name/ld/ldns/package.nix index 4078cdfd5372..f40ea684be96 100644 --- a/pkgs/by-name/ld/ldns/package.nix +++ b/pkgs/by-name/ld/ldns/package.nix @@ -11,11 +11,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "ldns"; - version = "1.9.0"; + version = "1.9.2"; src = fetchurl { url = "https://www.nlnetlabs.nl/downloads/ldns/ldns-${finalAttrs.version}.tar.gz"; - sha256 = "sha256-q67tKFj76oSk65gz4Z59IzgMwPPZtlSLlivkInb/3LM="; + sha256 = "sha256-tST6IZlLboNCAM64wn8bhL2lmC/jVwbwWBlsB525TV0="; }; postPatch = '' diff --git a/pkgs/by-name/li/libadwaita/package.nix b/pkgs/by-name/li/libadwaita/package.nix index 8f289c6e4977..fdad6431655b 100644 --- a/pkgs/by-name/li/libadwaita/package.nix +++ b/pkgs/by-name/li/libadwaita/package.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "libadwaita"; - version = "1.9.1"; + version = "1.9.2"; outputs = [ "out" @@ -37,7 +37,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "GNOME"; repo = "libadwaita"; tag = finalAttrs.version; - hash = "sha256-Oy3WcsymNbbmAacm5hEOrorI1wKXjSp063mh4jCJRAE="; + hash = "sha256-XKKjnZz4CII6w9fKFptPK3aTNa5eMfyE7rcerbgaDco="; }; depsBuildBuild = [ diff --git a/pkgs/by-name/li/libarchive/package.nix b/pkgs/by-name/li/libarchive/package.nix index 8f9f756a2ee9..fe81d018859c 100644 --- a/pkgs/by-name/li/libarchive/package.nix +++ b/pkgs/by-name/li/libarchive/package.nix @@ -32,13 +32,13 @@ assert xarSupport -> libxml2 != null; stdenv.mkDerivation (finalAttrs: { pname = "libarchive"; - version = "3.8.7"; + version = "3.8.8"; src = fetchFromGitHub { owner = "libarchive"; repo = "libarchive"; rev = "v${finalAttrs.version}"; - hash = "sha256-LpD+lE+0PZi/3nYDVPXhBQL9A7mvqelOzRLskVtg9Y0="; + hash = "sha256-l8xh+z6lP7VnxMIf9tfoSByerjwN6Z4dE3JNA9zS3LM="; }; outputs = [ diff --git a/pkgs/by-name/li/libheif/package.nix b/pkgs/by-name/li/libheif/package.nix index 42171d469f5a..940c3015dfb5 100644 --- a/pkgs/by-name/li/libheif/package.nix +++ b/pkgs/by-name/li/libheif/package.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "libheif"; - version = "1.23.0"; + version = "1.23.1"; outputs = [ "bin" @@ -38,7 +38,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "strukturag"; repo = "libheif"; rev = "v${finalAttrs.version}"; - hash = "sha256-+LbYwDSxixy4TaraUCN2LiCnn32dkMppCA8EOFXbvtg="; + hash = "sha256-o+gQCv/lpRx+IaqpjHACh8ysgl/N4Mo/9zbAI/cnWas="; }; nativeBuildInputs = [ diff --git a/pkgs/by-name/li/libidn/package.nix b/pkgs/by-name/li/libidn/package.nix index d36eedac8fe9..071b7f08f15d 100644 --- a/pkgs/by-name/li/libidn/package.nix +++ b/pkgs/by-name/li/libidn/package.nix @@ -8,11 +8,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "libidn"; - version = "1.43"; + version = "1.44"; src = fetchurl { url = "mirror://gnu/libidn/libidn-${finalAttrs.version}.tar.gz"; - sha256 = "sha256-vcZiwS0EGyU50OY486bnQRMM2zOmRO80lpY6RDSC0WQ="; + sha256 = "sha256-SZYIurOmVlCg6lKIjBOo3uvj9xQI4xms2exS4C6xOVk="; }; outputs = [ @@ -30,6 +30,7 @@ stdenv.mkDerivation (finalAttrs: { passthru.tests.pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage; meta = { + changelog = "https://codeberg.org/libidn/libidn/src/tag/v${finalAttrs.version}/NEWS"; homepage = "https://www.gnu.org/software/libidn/"; description = "Library for internationalized domain names"; diff --git a/pkgs/by-name/li/librsvg/package.nix b/pkgs/by-name/li/librsvg/package.nix index 333015e1927c..297c1a0eae32 100644 --- a/pkgs/by-name/li/librsvg/package.nix +++ b/pkgs/by-name/li/librsvg/package.nix @@ -50,7 +50,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "librsvg"; - version = "2.62.1"; + version = "2.62.3"; outputs = [ "out" @@ -62,13 +62,13 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = "mirror://gnome/sources/librsvg/${lib.versions.majorMinor finalAttrs.version}/librsvg-${finalAttrs.version}.tar.xz"; - hash = "sha256-tByoQgYkL93YJqK/djSNfN9SwQUMv6BguGboGiUhRcM="; + hash = "sha256-frRJsnIqdoAhNW9m3+4yAsIptU7U5qcM5AwJDpf/FvI="; }; cargoDeps = rustPlatform.fetchCargoVendor { inherit (finalAttrs) src; name = "librsvg-deps-${finalAttrs.version}"; - hash = "sha256-Px7H2Z4ShCCuZNskuKj427lE9dvIc6xRo8R1S4fK+ZQ="; + hash = "sha256-9ubfIl9R2BdcAWn7i050KBbb4cMdlakvrKdnjpZCQjA="; dontConfigure = true; }; diff --git a/pkgs/by-name/li/libssh2/package.nix b/pkgs/by-name/li/libssh2/package.nix index 71ed533d7a74..1e987379f73c 100644 --- a/pkgs/by-name/li/libssh2/package.nix +++ b/pkgs/by-name/li/libssh2/package.nix @@ -26,6 +26,31 @@ stdenv.mkDerivation (finalAttrs: { patches = [ # https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1 ./CVE-2026-7598.patch + + (fetchurl { + name = "CVE-2025-15661.patch"; + url = "https://salsa.debian.org/debian/libssh2/-/raw/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/CVE-2025-15661.patch"; + hash = "sha256-Rz6i/881CbObUDcZbcPlgVPaKizSp6ZRTdmJNJ9HLHE="; + }) + + (fetchurl { + name = "CVE-2026-55199.patch"; + url = "https://salsa.debian.org/debian/libssh2/-/raw/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/CVE-2026-55199.patch"; + hash = "sha256-AFZa5kohha62aE0if5ckmAdJ0TZNcjfP32yDznoEhNo="; + }) + + (fetchurl { + name = "CVE-2026-55200.patch"; + url = "https://salsa.debian.org/debian/libssh2/-/raw/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/CVE-2026-55200.patch"; + hash = "sha256-wCAglr8BsBWIhnh3SiFeyKzZmIp8rC5MVfFgoEzp/hE="; + }) + + # necessary for the fix for CVE-2026-15661 + (fetchurl { + name = "libssh-unconst-backport.patch"; + url = "https://salsa.debian.org/debian/libssh2/-/raw/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/libssh-unconst-backport.patch"; + hash = "sha256-jc01Fb70GbaD9+RYeSjRaLFBtKLiMPTMuXas21aC0Ag="; + }) ]; # this could be accomplished by updateAutotoolsGnuConfigScriptsHook, but that causes infinite recursion diff --git a/pkgs/by-name/li/libtpms/0001-fix-march-x86-64-v4.patch b/pkgs/by-name/li/libtpms/0001-fix-march-x86-64-v4.patch new file mode 100644 index 000000000000..7feb37e0c417 --- /dev/null +++ b/pkgs/by-name/li/libtpms/0001-fix-march-x86-64-v4.patch @@ -0,0 +1,17 @@ +https://github.com/stefanberger/libtpms/pull/588 + +diff --git a/src/tpm2/AlgorithmTests.c b/src/tpm2/AlgorithmTests.c +index eca917d0..8cbc749b 100644 +--- a/src/tpm2/AlgorithmTests.c ++++ b/src/tpm2/AlgorithmTests.c +@@ -197,8 +197,8 @@ TestSMAC( + //*** MakeIv() + // Internal function to make the appropriate IV depending on the mode. + static UINT32 MakeIv(TPM_ALG_ID mode, // IN: symmetric mode +- UINT32 size, // IN: block size of the algorithm +- BYTE* iv // OUT: IV to fill in ++ UINT32 size, // IN: block size of the algorithm ++ volatile BYTE* iv // OUT: IV to fill in; 'volatile' for gcc15 + ) + { + BYTE i; diff --git a/pkgs/by-name/li/libtpms/package.nix b/pkgs/by-name/li/libtpms/package.nix index f658b8d23f6c..b793bb798f54 100644 --- a/pkgs/by-name/li/libtpms/package.nix +++ b/pkgs/by-name/li/libtpms/package.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation (finalAttrs: { sha256 = "sha256-UhEpq5f/FT5DmtzQBe/Si414mOq+D4glikgRNK60GKQ="; }; + patches = [ ./0001-fix-march-x86-64-v4.patch ]; + hardeningDisable = [ "strictflexarrays3" ]; nativeBuildInputs = [ diff --git a/pkgs/by-name/li/libxi/package.nix b/pkgs/by-name/li/libxi/package.nix index 3cbac22c36f3..0475ba395175 100644 --- a/pkgs/by-name/li/libxi/package.nix +++ b/pkgs/by-name/li/libxi/package.nix @@ -12,7 +12,7 @@ }: stdenv.mkDerivation (finalAttrs: { pname = "libxi"; - version = "1.8.2"; + version = "1.8.3"; outputs = [ "out" @@ -23,7 +23,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = "mirror://xorg/individual/lib/libXi-${finalAttrs.version}.tar.xz"; - hash = "sha256-0OBVXlPW4hFOq/pEImuhYtJwhQGiXhjZnPs1wJTGwQQ="; + hash = "sha256-etYAVvAa9PeGz+k7OncHRHcRYm/I2iY3vscakECbq+U="; }; strictDeps = true; diff --git a/pkgs/by-name/li/linux-pam/package.nix b/pkgs/by-name/li/linux-pam/package.nix index 5e1fdfd4a7ce..0da213b857c0 100644 --- a/pkgs/by-name/li/linux-pam/package.nix +++ b/pkgs/by-name/li/linux-pam/package.nix @@ -3,6 +3,7 @@ stdenv, buildPackages, fetchFromGitHub, + fetchpatch, flex, db4, gettext, @@ -33,18 +34,25 @@ stdenv.mkDerivation (finalAttrs: { pname = "linux-pam"; - version = "1.7.1"; + version = "1.7.2"; src = fetchFromGitHub { owner = "linux-pam"; repo = "linux-pam"; tag = "v${finalAttrs.version}"; - hash = "sha256-kANcwxifQz2tYPSrSBSFiYNTm51Gr10L/zroCqm8ZHQ="; - + hash = "sha256-V3XQqolinh+MqUefMDYJF9zP4fBJTHc7YKN+NEGjx1g="; }; __structuredAttrs = true; + patches = [ + (fetchpatch { + name = "secure-opendir-fix-error-handling.patch"; + url = "https://github.com/linux-pam/linux-pam/commit/dd62bac17221911106de165607c6925ea54b18d1.patch?full_index=1"; + hash = "sha256-ddgDYdVfdXfTaMFV1hO3RJX9w1NHmE7yi3PxsHOdpvY="; + }) + ]; + # patching unix_chkpwd is required as the nix store entry does not have the necessary bits postPatch = '' substituteInPlace modules/module-meson.build \ @@ -104,6 +112,7 @@ stdenv.mkDerivation (finalAttrs: { (lib.mesonEnable "nis" false) (lib.mesonBool "xtests" false) (lib.mesonBool "examples" false) + (lib.mesonOption "vendordir" "${placeholder "out"}/etc") ] # warning: slower execution due to debug makes VM tests fail! ++ lib.optional debugMode (lib.mesonBool "pam-debug" true); diff --git a/pkgs/by-name/ll/llhttp/package.nix b/pkgs/by-name/ll/llhttp/package.nix index 6f9115c07dc4..4487a4518360 100644 --- a/pkgs/by-name/ll/llhttp/package.nix +++ b/pkgs/by-name/ll/llhttp/package.nix @@ -11,13 +11,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "llhttp"; - version = "9.4.1"; + version = "9.4.2"; src = fetchFromGitHub { owner = "nodejs"; repo = "llhttp"; tag = "release/v${finalAttrs.version}"; - hash = "sha256-eQoOsJ3lIIGSIfC4atkbUqCAYzCzs5kzTihYaI4jqz0="; + hash = "sha256-LS8HS8CnXJ3X8WlIvtxBLc0h1wLL/HmTqZWHlvBjTEo="; }; outputs = [ diff --git a/pkgs/by-name/me/merve/package.nix b/pkgs/by-name/me/merve/package.nix index e8a210d551e6..066ac8fd351d 100644 --- a/pkgs/by-name/me/merve/package.nix +++ b/pkgs/by-name/me/merve/package.nix @@ -26,16 +26,14 @@ stdenv.mkDerivation (finalAttrs: { cmakeFlags = [ (lib.cmakeBool "BUILD_SHARED_LIBS" (!static)) (lib.cmakeBool "MERVE_TESTING" finalAttrs.finalPackage.doCheck) - (lib.cmakeBool "MERVE_USE_SIMDUTF" true) - ]; + ] + ++ lib.optional (simdutf != null) (lib.cmakeBool "MERVE_USE_SIMDUTF" true); nativeBuildInputs = [ cmake validatePkgConfig ]; - buildInputs = [ - simdutf - ]; + buildInputs = lib.optional (simdutf != null) simdutf; checkInputs = [ gtest ]; diff --git a/pkgs/by-name/mo/motioneye/package.nix b/pkgs/by-name/mo/motioneye/package.nix index 7a5ee72311ef..a947a722d8c1 100644 --- a/pkgs/by-name/mo/motioneye/package.nix +++ b/pkgs/by-name/mo/motioneye/package.nix @@ -2,31 +2,21 @@ lib, python3Packages, fetchFromGitHub, - fetchpatch, + versionCheckHook, }: python3Packages.buildPythonApplication rec { pname = "motioneye"; - version = "0.43.1"; + version = "0.44.0"; pyproject = true; src = fetchFromGitHub { owner = "motioneye-project"; repo = "motioneye"; tag = version; - hash = "sha256-ckOgYmOP5irjNutcC3FMZPBexn/CldG0UtFZ+tPYNJ4="; + hash = "sha256-4sXttSSkmMgsoZb7PXEXXh8KNORTSmqq4lYp3JBDmPo="; }; - patches = [ - # fix pytest - # https://github.com/motioneye-project/motioneye/pull/3271 - (fetchpatch { - url = "https://github.com/motioneye-project/motioneye/commit/41c0727e2872af1b758743c41b529e76dcac6f84.patch"; - hash = "sha256-0zDveoAN1T0SuCob0U/9GEGTh7pj2CXH/j4YrjO0VE0="; - includes = [ "conftest.py" ]; - }) - ]; - build-system = with python3Packages; [ setuptools ]; @@ -38,16 +28,24 @@ python3Packages.buildPythonApplication rec { pillow pycurl tornado + argon2-cffi ]; nativeCheckInputs = with python3Packages; [ pytestCheckHook ]; + nativeInstallCheckInputs = [ + versionCheckHook + ]; + pythonImportsCheck = [ "motioneye" ]; + versionCheckProgram = "${placeholder "out"}/bin/meyectl"; + versionCheckProgramArg = "-v"; + meta = { description = "Web frontend for the motion daemon"; homepage = "https://github.com/motioneye-project/motioneye"; diff --git a/pkgs/by-name/pi/pipewire/package.nix b/pkgs/by-name/pi/pipewire/package.nix index 7a9de59f709d..3929f392ee6a 100644 --- a/pkgs/by-name/pi/pipewire/package.nix +++ b/pkgs/by-name/pi/pipewire/package.nix @@ -90,7 +90,7 @@ in stdenv.mkDerivation (finalAttrs: { pname = "pipewire"; - version = "1.6.5"; + version = "1.6.6"; outputs = [ "out" @@ -106,7 +106,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "pipewire"; repo = "pipewire"; tag = finalAttrs.version; - hash = "sha256-ui5VTbSiobHmPUHW4jLguoeMWaKT4f2eTqdo3ZGgvNI="; + hash = "sha256-pyZozhJomFT4QkJv/NKkXpbknmVxjv8hCxZV6RcIHmE="; }; patches = [ diff --git a/pkgs/by-name/rs/rsync/package.nix b/pkgs/by-name/rs/rsync/package.nix index a102ff36cc15..2a6cdd676a9f 100644 --- a/pkgs/by-name/rs/rsync/package.nix +++ b/pkgs/by-name/rs/rsync/package.nix @@ -37,7 +37,7 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-vYjPgvplPaMjFPsikTZAfFyQ+A0XWNj0sJF2eHfY+pY="; }; - patches = lib.optionals (stdenv.hostPlatform.isDarwin) [ + patches = [ # Fixes test failure on darwin (fetchpatch { url = "https://github.com/RsyncProject/rsync/commit/e1c5f0e93a75dd45f32f3b92ba221ef158ac2e5f.patch"; diff --git a/pkgs/by-name/ru/rust-cbindgen/package.nix b/pkgs/by-name/ru/rust-cbindgen/package.nix index 88bb855e800b..c6e5427f80c2 100644 --- a/pkgs/by-name/ru/rust-cbindgen/package.nix +++ b/pkgs/by-name/ru/rust-cbindgen/package.nix @@ -14,16 +14,16 @@ rustPlatform.buildRustPackage (finalAttrs: { pname = "rust-cbindgen"; - version = "0.29.3"; + version = "0.29.4"; src = fetchFromGitHub { owner = "mozilla"; repo = "cbindgen"; rev = "v${finalAttrs.version}"; - hash = "sha256-d0rY7Sk37s8HEZlQq9Sbjj1P+DgygD0Yjx8cXlFKEIA="; + hash = "sha256-leeHOwpzXuzg2cTjXehBnCsS+dvU4eIIFtWKeCee20U="; }; - cargoHash = "sha256-UeierkQpfCiB5ES9ZW9hO+0AcI9Ip8qSJ/Nd+I1xrmQ="; + cargoHash = "sha256-f6YoDoiVoh0BVPYHFO1FsdI4OCsF+LY72QaD57StdIQ="; nativeCheckInputs = [ cmake diff --git a/pkgs/by-name/sc/scribus/package.nix b/pkgs/by-name/sc/scribus/package.nix index ea6dbf56309e..d8a55eb8e7d3 100644 --- a/pkgs/by-name/sc/scribus/package.nix +++ b/pkgs/by-name/sc/scribus/package.nix @@ -3,6 +3,7 @@ cairo, cmake, cups, + fetchpatch, fetchurl, fontconfig, freetype, @@ -39,11 +40,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "scribus"; - version = "1.7.2"; + version = "1.7.3"; src = fetchurl { url = "mirror://sourceforge/scribus/scribus-devel/scribus-${finalAttrs.version}.tar.xz"; - hash = "sha256-nY4RzGusLNlsVTnvvXGSIv9/cOHBhZcogNn7MFHhONA="; + hash = "sha256-iC7lXKRJfALE4F8wrMaJ6h9IXC6AI8nrKT9RwsW+Bq0="; }; nativeBuildInputs = [ @@ -96,6 +97,32 @@ stdenv.mkDerivation (finalAttrs: { cmakeFlags = [ (lib.cmakeBool "WANT_GRAPHICSMAGICK" true) ]; + patches = [ + (fetchpatch { + name = "fix-build-with-poppler-26.05.0.patch"; + url = "https://github.com/scribusproject/scribus/commit/14a287fc1db2a44abfe1743260554447b31b4adf.patch"; + hash = "sha256-bhxnyL5zWVCjkfkW67CPykLW/uqDP+n3djnRKGMyhjw="; + }) + (fetchpatch { + # required for the next patch to apply cleanly + url = "https://github.com/scribusproject/scribus/commit/3aed8aa40d01d1affd2b55b107b48878d4b06eab.patch"; + includes = [ "scribus/plugins/import/pdf/importpdf.cpp" ]; + hash = "sha256-tiGXGW8CnG0Tj5YaimngelvNvO3CCSa5eXc3bSKJD54="; + }) + (fetchpatch { + name = "fix-build-with-poppler-26.06.0.patch"; + url = "https://github.com/scribusproject/scribus/commit/2b9405a00a96a09e0183190ddc9f83d44963d4e0.patch"; + hash = "sha256-4v+Ba+JODwNg4YLmwpFeBfIxk1j+RcZdtznPFeQ+H+w="; + }) + ]; + + postPatch = '' + # revert non-whitespace changes made by the second patch, i.e., + # https://github.com/scribusproject/scribus/commit/3aed8aa40d01d1affd2b55b107b48878d4b06eab + substituteInPlace scribus/plugins/import/pdf/importpdf.cpp \ + --replace-fail 'QSizeF()' '"Custom"' + ''; + preFixup = '' qtWrapperArgs+=( --prefix XDG_DATA_DIRS : "${gsettings-desktop-schemas}/share/gsettings-schemas/${gsettings-desktop-schemas.name}" diff --git a/pkgs/by-name/so/socat/package.nix b/pkgs/by-name/so/socat/package.nix index 40f1308046a3..40cf1ef10dcc 100644 --- a/pkgs/by-name/so/socat/package.nix +++ b/pkgs/by-name/so/socat/package.nix @@ -11,11 +11,11 @@ stdenv.mkDerivation rec { pname = "socat"; - version = "1.8.1.1"; + version = "1.8.1.3"; src = fetchurl { url = "http://www.dest-unreach.org/socat/download/socat-${version}.tar.bz2"; - hash = "sha256-Xrxja39CcFP5iAZpZSFlOmFMfgZGSRA1PL9U4jJ63Bs="; + hash = "sha256-JbxkdikrLmFCIJicd7C2/Kh7slJdl0ezGmY5sftgJBg="; }; postPatch = '' diff --git a/pkgs/by-name/ut/util-linux/package.nix b/pkgs/by-name/ut/util-linux/package.nix index 0c9c7542a23c..f11d004bb0cf 100644 --- a/pkgs/by-name/ut/util-linux/package.nix +++ b/pkgs/by-name/ut/util-linux/package.nix @@ -43,11 +43,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "util-linux" + lib.optionalString isMinimal "-minimal"; - version = "2.42"; + version = "2.42.2"; src = fetchurl { url = "mirror://kernel/linux/utils/util-linux/v${lib.versions.majorMinor finalAttrs.version}/util-linux-${finalAttrs.version}.tar.xz"; - hash = "sha256-NFKyYLuqd11udJrDuyIRF4UAP8H0RJcAJcjaJt+nWOk="; + hash = "sha256-A6BdOt+WAu8Sjy2gW4SzIFzmDDUeVzfANw90AAZ5zoo="; }; # Note: fetchpatch/fetchpatch2 cause infinite recursion with util-linuxMinimal. @@ -57,38 +57,6 @@ stdenv.mkDerivation (finalAttrs: { # which isn't valid on NixOS (and a compatibility link on most other modern # distros anyway). ./rtcwake-search-PATH-for-shutdown.patch - - # Fix compile of 2.42+ on Darwin. - # https://lore.kernel.org/util-linux/CAEUYr6ZjVX1bd-xcBGtFN_ZYwQnXDYsw7d1-7sTpF2BbgfrR+g@mail.gmail.com/T/#u - # Different fix than originally proposed; we just don't compile that file on Darwin now and the previous patch was able to be reverted. - # See: https://github.com/util-linux/util-linux/commit/6ccf20d2fd8e45eed70bd1b915c0d16f646bf133 - (fetchurl { - name = "pidfd-utils-linux-only.patch"; - url = "https://github.com/util-linux/util-linux/commit/afdade4a3d8e4e6070343c5576470c575719b81f.patch"; - hash = "sha256-EnHsIhU6jaS4Qm+kQMP2an7Ay08nKbIO0MbU7Y2pwkU="; - }) - - # Musl does not define AT_HANDLE_FID, hard-code it if left undefined. - # https://github.com/util-linux/util-linux/pull/4203 - (fetchurl { - name = "fix-musl-nsenter.patch"; - url = "https://github.com/util-linux/util-linux/commit/000aff333e5c3a23967280cb0d6451fbbfc9c91b.patch"; - hash = "sha256-6K3jRr2RsAfHnweBOlMn2F0h8hD3xjZobJ1pSlCQHw8="; - }) - - # `script` is broken with options after non-option args and has new memory leaks - # https://lore.kernel.org/util-linux/adi3573O-5gr9m2q@per.namespace.at/T/#t - # https://github.com/util-linux/util-linux/pull/4201 - (fetchurl { - name = "script-fix-backwards-compat.patch"; - url = "https://github.com/util-linux/util-linux/commit/70507ab9eaed10b8dd77b77d4ea25c11ee726bed.patch"; - hash = "sha256-PpFtv8XOK36npCVSvdgKcxGQmkJtgdyMmlN+4yQuWS8="; - }) - (fetchurl { - name = "script-fix-memory-leaks.patch"; - url = "https://github.com/util-linux/util-linux/commit/2f1c12a49500ca7ed9c3d5e80664c1622925456b.patch"; - hash = "sha256-9ZwA6sZwM1rQDoxV5x1KHLWxsFpI5CGWJqubtdEHj/I="; - }) ]; # We separate some of the utilities into their own outputs. This diff --git a/pkgs/development/interpreters/python/cpython/3.14/hacl-static-ldeps-for-static-modules.patch b/pkgs/development/interpreters/python/cpython/3.14/hacl-static-ldeps-for-static-modules.patch deleted file mode 100644 index 8501ab38a940..000000000000 --- a/pkgs/development/interpreters/python/cpython/3.14/hacl-static-ldeps-for-static-modules.patch +++ /dev/null @@ -1,50 +0,0 @@ -From ee1b8479cff97ca7e5ed4d51d6aa24ccb47deb8b Mon Sep 17 00:00:00 2001 -From: Ihar Hrachyshka -Date: Sat, 21 Mar 2026 18:34:50 -0400 -Subject: [PATCH] gh-146264: Use static HACL deps for static module builds - ---- - .../next/Build/2026-03-21-18-51-31.gh-issue-146264.Q9Ej4m.rst | 3 +++ - configure | 2 +- - configure.ac | 2 +- - 3 files changed, 5 insertions(+), 2 deletions(-) - create mode 100644 Misc/NEWS.d/next/Build/2026-03-21-18-51-31.gh-issue-146264.Q9Ej4m.rst - -diff --git a/Misc/NEWS.d/next/Build/2026-03-21-18-51-31.gh-issue-146264.Q9Ej4m.rst b/Misc/NEWS.d/next/Build/2026-03-21-18-51-31.gh-issue-146264.Q9Ej4m.rst -new file mode 100644 -index 00000000000..1fdafe56043 ---- /dev/null -+++ b/Misc/NEWS.d/next/Build/2026-03-21-18-51-31.gh-issue-146264.Q9Ej4m.rst -@@ -0,0 +1,3 @@ -+Fix static module builds on non-WASI targets by linking HACL dependencies as -+static libraries when ``MODULE_BUILDTYPE=static``, preventing duplicate -+``_Py_LibHacl_*`` symbol errors at link time. -diff --git a/configure b/configure -index 23f24d51c79..db5c861f601 100755 ---- a/configure -+++ b/configure -@@ -33009,7 +33009,7 @@ fi - - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for HACL* library linking type" >&5 - printf %s "checking for HACL* library linking type... " >&6; } --if test "$ac_sys_system" = "WASI"; then -+if test "$ac_sys_system" = "WASI" || test "$MODULE_BUILDTYPE" = "static"; then - LIBHACL_LDEPS_LIBTYPE=STATIC - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: static" >&5 - printf "%s\n" "static" >&6; } -diff --git a/configure.ac b/configure.ac -index 635fce3f2e6..59166d63e63 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -8171,7 +8171,7 @@ AC_SUBST([LIBHACL_BLAKE2_SIMD256_OBJS]) - # HACL*-based cryptographic primitives - - AC_MSG_CHECKING([for HACL* library linking type]) --if test "$ac_sys_system" = "WASI"; then -+if test "$ac_sys_system" = "WASI" || test "$MODULE_BUILDTYPE" = "static"; then - LIBHACL_LDEPS_LIBTYPE=STATIC - AC_MSG_RESULT([static]) - else --- -2.53.0 - diff --git a/pkgs/development/interpreters/python/cpython/default.nix b/pkgs/development/interpreters/python/cpython/default.nix index 88e234d40cf9..dd984d488b00 100644 --- a/pkgs/development/interpreters/python/cpython/default.nix +++ b/pkgs/development/interpreters/python/cpython/default.nix @@ -133,7 +133,6 @@ let getLib optionals optionalString - replaceStrings ; withLibxcrypt = @@ -428,15 +427,6 @@ stdenv.mkDerivation (finalAttrs: { # backport fix for https://github.com/python/cpython/issues/95855 ./platform-triplet-detection.patch ] - ++ optionals (pythonAtLeast "3.14" && pythonOlder "3.15") [ - # https://github.com/python/cpython/issues/146264 - # https://github.com/python/cpython/pull/146265 - ./3.14/hacl-static-ldeps-for-static-modules.patch - ] - ++ optionals (version == "3.13.10" || version == "3.14.1") [ - # https://github.com/python/cpython/issues/142218 - ./${lib.versions.majorMinor version}/gh-142218.patch - ] ++ optionals (stdenv.hostPlatform.isMinGW) ( let # https://src.fedoraproject.org/rpms/mingw-python3 diff --git a/pkgs/development/interpreters/python/default.nix b/pkgs/development/interpreters/python/default.nix index 53e73fa79c49..c8d9b5940083 100644 --- a/pkgs/development/interpreters/python/default.nix +++ b/pkgs/development/interpreters/python/default.nix @@ -20,10 +20,10 @@ sourceVersion = { major = "3"; minor = "13"; - patch = "13"; + patch = "14"; suffix = ""; }; - hash = "sha256-Krkf9AF4PMymT3XRDIgulXvf1g4r9acvhCF5Nym3inE="; + hash = "sha256-Y55DJDxiCjCPloIT354A8vj2IzL3rbqnp+65eDBXxpA="; }; }; @@ -79,10 +79,10 @@ sourceVersion = { major = "3"; minor = "14"; - patch = "4"; + patch = "6"; suffix = ""; }; - hash = "sha256-2SPFEwPjjiSRNvwb3zVo1W7LAyFO/e9IUWF209f6rvg="; + hash = "sha256-FDsd3e+uw70uIeO4ObNKK3+5hCJyiDxXZCDWBenzDGM="; inherit passthruFun; }; diff --git a/pkgs/development/interpreters/python/mk-python-derivation.nix b/pkgs/development/interpreters/python/mk-python-derivation.nix index 6dd3651bfa30..bc44a7de7178 100644 --- a/pkgs/development/interpreters/python/mk-python-derivation.nix +++ b/pkgs/development/interpreters/python/mk-python-derivation.nix @@ -48,6 +48,8 @@ let optionalString removePrefix stringLength + all + seq ; leftPadName = @@ -263,10 +265,10 @@ lib.extendMkDerivation { checkDrv = attrName: drv: - if (isPythonModule drv) && (isMismatchedPython drv) then throwMismatch attrName drv else drv; + if isPythonModule drv && isMismatchedPython drv then throwMismatch attrName drv else true; in - attrName: map (checkDrv attrName); + attrName: inputs: seq (all (checkDrv attrName) inputs) inputs; isBootstrapInstallPackage = isBootstrapInstallPackage' (finalAttrs.pname or null); diff --git a/pkgs/development/libraries/acl/default.nix b/pkgs/development/libraries/acl/default.nix index 9bba05fd90bf..99b12db67122 100644 --- a/pkgs/development/libraries/acl/default.nix +++ b/pkgs/development/libraries/acl/default.nix @@ -13,11 +13,11 @@ stdenv.mkDerivation rec { pname = "acl"; - version = "2.3.2"; + version = "2.4.0"; src = fetchurl { url = "mirror://savannah/acl/acl-${version}.tar.gz"; - hash = "sha256-XyvbrWKXB6p9hcYj+ZSqih0t7FWnPeUgW6wL9gWKL3w="; + hash = "sha256-c8hTw9ROH2k+WpaphvG9GdPQ2sLH1FPnlhd3dLxOX2o="; }; outputs = [ diff --git a/pkgs/development/libraries/attr/default.nix b/pkgs/development/libraries/attr/default.nix index f2e057a33058..10891ece56a8 100644 --- a/pkgs/development/libraries/attr/default.nix +++ b/pkgs/development/libraries/attr/default.nix @@ -12,11 +12,11 @@ stdenv.mkDerivation rec { pname = "attr"; - version = "2.5.2"; + version = "2.6.0"; src = fetchurl { url = "mirror://savannah/attr/attr-${version}.tar.gz"; - sha256 = "sha256-Ob9nRS+kHQlIwhl2AQU/SLPXigKTiXNDMqYwmmgMbIc="; + hash = "sha256-1C+jdFExgLtIyxGkZpb0iCQOUST/HmrYiwq/9waYVhI="; }; outputs = [ @@ -29,11 +29,6 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ gettext ]; - # tools/attr.c: Add missing libgen.h include for basename(3) - # Fixes compilation issue with musl and modern C99 compilers. - # See: https://bugs.gentoo.org/926294 - patches = [ ./musl.patch ]; - postPatch = '' for script in install-sh include/install-sh; do patchShebangs $script diff --git a/pkgs/development/libraries/attr/musl.patch b/pkgs/development/libraries/attr/musl.patch deleted file mode 100644 index 818161f15243..000000000000 --- a/pkgs/development/libraries/attr/musl.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 8a80d895dfd779373363c3a4b62ecce5a549efb2 Mon Sep 17 00:00:00 2001 -From: "Haelwenn (lanodan) Monnier" -Date: Sat, 30 Mar 2024 10:17:10 +0100 -Subject: tools/attr.c: Add missing libgen.h include for basename(3) - -Fixes compilation issue with musl and modern C99 compilers. - -See: https://bugs.gentoo.org/926294 ---- - tools/attr.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tools/attr.c b/tools/attr.c -index f12e4af..6a3c1e9 100644 ---- a/tools/attr.c -+++ b/tools/attr.c -@@ -28,6 +28,7 @@ - #include - #include - #include -+#include - - #include - --- -cgit v1.1 - diff --git a/pkgs/development/libraries/ffmpeg/default.nix b/pkgs/development/libraries/ffmpeg/default.nix index 5baddb0c34e2..ba90e4832369 100644 --- a/pkgs/development/libraries/ffmpeg/default.nix +++ b/pkgs/development/libraries/ffmpeg/default.nix @@ -30,8 +30,8 @@ let hash = "sha256-DjmW5LeI9OJmPeIh61znAns4+kolxwKguEvKawgxy8I="; }; v8 = { - version = "8.1.1"; - hash = "sha256-WPGfjTZjsgpR5QiANRWF4g6LF2ejGzFQUrLjhzw9cfQ="; + version = "8.1.2"; + hash = "sha256-wJ3c8VVo/tK84K7bKYs/UWcln4mSO+tf/w5NLNjKhiI="; }; in diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix index af86f01f877d..b19728125580 100644 --- a/pkgs/development/libraries/libxml2/default.nix +++ b/pkgs/development/libraries/libxml2/default.nix @@ -61,6 +61,13 @@ let tag = "v${packages.libxml2.version}"; hash = "sha256-fDntZDyITs223by8n7ueOXiO7yyzshtANoWbY0+yeqo="; }; + extraPatches = [ + (fetchpatch { + name = "CVE-2026-11979.patch"; + url = "https://gitlab.gnome.org/GNOME/libxml2/-/commit/c2e233fc1b341685fc99621b2768b503f777a72e.patch"; + hash = "sha256-s7hnAW7r4fbb95WnFHhUMZbMJzTynV7umKIqc7Kdp/Q="; + }) + ]; extraMeta = { maintainers = with lib.maintainers; [ jtojnar diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index 13d4d2b5358a..7b9a221cc2d1 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -506,8 +506,8 @@ in }; openssl_3_6 = common { - version = "3.6.2"; - hash = "sha256-qvUaH+BkOE+BHa6utOxNznNA7IvYkwJ+7mdq8x6DoE8="; + version = "3.6.3"; + hash = "sha256-JDqGZJz28j7rai/yRW4J5dd92QGKVNPZawxr3Wumx/E="; patches = [ # Support for NIX_SSL_CERT_FILE, motivation: diff --git a/pkgs/development/libraries/poppler/default.nix b/pkgs/development/libraries/poppler/default.nix index 686d4a3715e3..0b1b6a76df2f 100644 --- a/pkgs/development/libraries/poppler/default.nix +++ b/pkgs/development/libraries/poppler/default.nix @@ -55,13 +55,13 @@ let domain = "gitlab.freedesktop.org"; owner = "poppler"; repo = "test"; - rev = "9d5011815a14c157ba25bb160187842fb81579a5"; - hash = "sha256-sA5f235IJpzzzHqpwHM3zCZC2Yh0ztA6PZa84j/6tfY="; + rev = "f0068e9c530017ad811d1f28b95f9b7f59264e37"; + hash = "sha256-Xf8duSh0r1o09b5BKB7mBvzrMfXYlzTuTOuK2ZCeItc="; }; in stdenv.mkDerivation (finalAttrs: { pname = "poppler-${suffix}"; - version = "25.10.0"; # beware: updates often break cups-filters build, check scribus too! + version = "26.06.0"; # beware: updates often break cups-filters build, check scribus too! outputs = [ "out" @@ -70,7 +70,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = "https://poppler.freedesktop.org/poppler-${finalAttrs.version}.tar.xz"; - hash = "sha256-a16btk2rsVeHoU2xZ1KRx6+vk4dDjMk6T7f2rsTub+A="; + hash = "sha256-TLTlo9yMte7HUciiPIuhn2H5be3AzQfSruawyOLPa6Q="; }; nativeBuildInputs = [ @@ -129,18 +129,22 @@ stdenv.mkDerivation (finalAttrs: { (mkFlag qt5Support "QT5") (mkFlag qt6Support "QT6") (mkFlag gpgmeSupport "GPGME") - ] - ++ lib.optionals finalAttrs.finalPackage.doCheck [ - "-DTESTDATADIR=${testData}" ]; disallowedReferences = lib.optional finalAttrs.finalPackage.doCheck testData; dontWrapQtApps = true; - # Workaround #54606 - preConfigure = lib.optionalString stdenv.hostPlatform.isDarwin '' - sed -i -e '1i cmake_policy(SET CMP0025 NEW)' CMakeLists.txt - ''; + preConfigure = + lib.optionalString finalAttrs.finalPackage.doCheck '' + # The test data directory needs to be writable during the test phase. + mkdir -p $TMPDIR/testdata + cp -r --no-preserve=mode ${testData}/* $TMPDIR/testdata + cmakeFlagsArray+=(-DTESTDATADIR=$TMPDIR/testdata) + '' + + lib.optionalString stdenv.hostPlatform.isDarwin '' + # Workaround #54606 + sed -i -e '1i cmake_policy(SET CMP0025 NEW)' CMakeLists.txt + ''; # Work around gpgme trying to write to $HOME during qt5 and qt6 tests: preCheck = lib.optionalString gpgmeSupport '' diff --git a/pkgs/development/python-modules/asgiref/default.nix b/pkgs/development/python-modules/asgiref/default.nix index 727587c610cd..516fb48f8b5f 100644 --- a/pkgs/development/python-modules/asgiref/default.nix +++ b/pkgs/development/python-modules/asgiref/default.nix @@ -5,22 +5,25 @@ fetchFromGitHub, pytest-asyncio, pytestCheckHook, + setuptools, typing-extensions, }: -buildPythonPackage rec { - version = "3.11.0"; +buildPythonPackage (finalAttrs: { + version = "3.11.1"; pname = "asgiref"; - format = "setuptools"; + pyproject = true; src = fetchFromGitHub { owner = "django"; repo = "asgiref"; - tag = version; - hash = "sha256-2ZaUIWGF5cQVNj95b7WiKGsn2wYsoJmJ/CfPhIEZdjc="; + tag = finalAttrs.version; + hash = "sha256-Mhnaowgv5a+O2hN0ZSdtdhCBQx8HoKSwtRC3gHodgKY="; }; - propagatedBuildInputs = [ typing-extensions ]; + build-system = [ setuptools ]; + + dependencies = [ typing-extensions ]; nativeCheckInputs = [ pytestCheckHook @@ -34,10 +37,10 @@ buildPythonPackage rec { pythonImportsCheck = [ "asgiref" ]; meta = { - changelog = "https://github.com/django/asgiref/blob/${src.tag}/CHANGELOG.txt"; + changelog = "https://github.com/django/asgiref/blob/${finalAttrs.src.tag}/CHANGELOG.txt"; description = "Reference ASGI adapters and channel layers"; homepage = "https://github.com/django/asgiref"; license = lib.licenses.bsd3; - maintainers = [ ]; + maintainers = with lib.maintainers; [ miniharinn ]; }; -} +}) diff --git a/pkgs/development/python-modules/idna/default.nix b/pkgs/development/python-modules/idna/default.nix index 9d4cbee7e5a1..c6c917852319 100644 --- a/pkgs/development/python-modules/idna/default.nix +++ b/pkgs/development/python-modules/idna/default.nix @@ -8,14 +8,14 @@ buildPythonPackage rec { pname = "idna"; - version = "3.13"; + version = "3.15"; pyproject = true; src = fetchFromGitHub { owner = "kjd"; repo = "idna"; tag = "v${version}"; - hash = "sha256-D72KUEwiFA/LdU/xE3sN+Abc6NpAsIlGSdB07V1nk68="; + hash = "sha256-z3Nd834inihGzquCAmejUQvRcM0Yn/VmMcWQP3oh4ak="; }; build-system = [ flit-core ]; diff --git a/pkgs/development/python-modules/joserfc/default.nix b/pkgs/development/python-modules/joserfc/default.nix index 342a93b6bd00..a31a8bc44e94 100644 --- a/pkgs/development/python-modules/joserfc/default.nix +++ b/pkgs/development/python-modules/joserfc/default.nix @@ -16,14 +16,14 @@ buildPythonPackage rec { pname = "joserfc"; - version = "1.6.1"; + version = "1.6.9"; pyproject = true; src = fetchFromGitHub { owner = "authlib"; repo = "joserfc"; tag = version; - hash = "sha256-druh7ybcQBjTxUFMVLUwknw/aa/fyrUdS4ftS/ftYeA="; + hash = "sha256-Ge1r34GVmpJ9h5GtRkPd0mkV7HuLf7D31ikuPAnpkuY="; }; build-system = [ setuptools ]; diff --git a/pkgs/development/python-modules/mistune/default.nix b/pkgs/development/python-modules/mistune/default.nix index 8cdfa4023ded..99f3922ee0fa 100644 --- a/pkgs/development/python-modules/mistune/default.nix +++ b/pkgs/development/python-modules/mistune/default.nix @@ -8,14 +8,14 @@ buildPythonPackage rec { pname = "mistune"; - version = "3.2.1"; + version = "3.3.2"; pyproject = true; src = fetchFromGitHub { owner = "lepture"; repo = "mistune"; tag = "v${version}"; - hash = "sha256-8AEEh/SWAk/Esq0jAoZGLw1FIQUw6C5Xq8CgnI2fjv0="; + hash = "sha256-uyOJFtDvVn0Y3VypphOXsSW3pX5XVCcfQ7dtFiL/5qY="; }; build-system = [ setuptools ]; diff --git a/pkgs/development/python-modules/mypy/default.nix b/pkgs/development/python-modules/mypy/default.nix index bbbbb99d5e96..9040eab9ebf8 100644 --- a/pkgs/development/python-modules/mypy/default.nix +++ b/pkgs/development/python-modules/mypy/default.nix @@ -13,8 +13,10 @@ types-psutil, types-setuptools, - # propagates + # nativeBuildInputs + propagates librt, + + # propagates mypy-extensions, tomli, typing-extensions, @@ -50,6 +52,10 @@ buildPythonPackage rec { rev-prefix = "v"; }; + nativeBuildInputs = [ + librt + ]; + build-system = [ mypy-extensions pathspec diff --git a/pkgs/development/python-modules/pillow/default.nix b/pkgs/development/python-modules/pillow/default.nix index e2c0b2eb75ad..e19a87b695eb 100644 --- a/pkgs/development/python-modules/pillow/default.nix +++ b/pkgs/development/python-modules/pillow/default.nix @@ -42,14 +42,14 @@ buildPythonPackage rec { pname = "pillow"; - version = "12.2.0"; + version = "12.3.0"; pyproject = true; src = fetchFromGitHub { owner = "python-pillow"; repo = "pillow"; tag = version; - hash = "sha256-7w6FbZLTAoUMvLtSPvafk3wSRv8TrkAAfgZ/dfu3HpA="; + hash = "sha256-kmUlgR+f75Y8DAKKPdEbchLLgg0m95oyVP53WTQni88="; }; build-system = [ diff --git a/pkgs/development/python-modules/pygobject/3.nix b/pkgs/development/python-modules/pygobject/3.nix index b912d6b04bb8..c728dbbbd82c 100644 --- a/pkgs/development/python-modules/pygobject/3.nix +++ b/pkgs/development/python-modules/pygobject/3.nix @@ -17,7 +17,7 @@ buildPythonPackage rec { pname = "pygobject"; - version = "3.56.2"; + version = "3.56.3"; outputs = [ "out" @@ -28,7 +28,7 @@ buildPythonPackage rec { src = fetchurl { url = "mirror://gnome/sources/pygobject/${lib.versions.majorMinor version}/pygobject-${version}.tar.gz"; - hash = "sha256-uBYJiWlUQIHenuztuUrWrFnHfk1XH+cFHxi+vOwHQxM="; + hash = "sha256-EnYOSg49BLbrleBveifjYsgm1WfqYTNzqSwAO2xw0tY="; }; depsBuildBuild = [ pkg-config ]; diff --git a/pkgs/development/python-modules/tornado/default.nix b/pkgs/development/python-modules/tornado/default.nix index 4327db46ac9e..2cd462786b20 100644 --- a/pkgs/development/python-modules/tornado/default.nix +++ b/pkgs/development/python-modules/tornado/default.nix @@ -18,16 +18,16 @@ urllib3, }: -buildPythonPackage rec { +buildPythonPackage (finalAttrs: { pname = "tornado"; - version = "6.5.4"; + version = "6.5.7"; pyproject = true; src = fetchFromGitHub { owner = "tornadoweb"; repo = "tornado"; - tag = "v${version}"; - hash = "sha256-d6lKg8yrQqaCeKxdPjQNzv7Nc23U/v8d5x3sE3trRM4="; + tag = "v${finalAttrs.version}"; + hash = "sha256-iE0Tf95zmPoZJhw7FDLzTmv8HaWds3ZU5xzZSMvxFH4="; }; build-system = [ setuptools ]; @@ -63,9 +63,10 @@ buildPythonPackage rec { }; meta = { + changelog = "https://www.tornadoweb.org/en/stable/releases/${finalAttrs.src.tag}.html"; description = "Web framework and asynchronous networking library"; homepage = "https://www.tornadoweb.org/"; license = lib.licenses.asl20; maintainers = [ ]; }; -} +}) diff --git a/pkgs/development/web/nodejs/nodejs.nix b/pkgs/development/web/nodejs/nodejs.nix index 5fd5eeac6919..49dfe5d15d40 100644 --- a/pkgs/development/web/nodejs/nodejs.nix +++ b/pkgs/development/web/nodejs/nodejs.nix @@ -144,7 +144,7 @@ let ); useSharedNBytes = lib.versionAtLeast version (if majorVersion == 24 then "24.14.0" else "25.5"); useSharedLief = lib.versionAtLeast version "25.6"; - useSharedMerve = lib.versionAtLeast version (if majorVersion == 24 then "24.14.0" else "25.6.1"); + useSharedMerve = lib.versionAtLeast version (if majorVersion == "24" then "24.14.0" else "25.6.1"); useSharedSQLite = lib.versionAtLeast version "22.5"; useSharedTemporal = majorVersion == "26"; useSharedZstd = lib.versionAtLeast version "22.15"; @@ -190,7 +190,8 @@ let inherit nbytes; }) // (lib.optionalAttrs useSharedMerve { - inherit merve; + # Merve cannot be built with simdutf_6, and upstream also disables simdutf support on the 24.x branch + merve = if majorVersion == "24" then (merve.override { simdutf = null; }) else merve; }) // (lib.optionalAttrs useSharedZstd { inherit zstd; @@ -347,9 +348,7 @@ let dontDisableStatic = true; - configureScript = writeScript "nodejs-configure" '' - exec ${python.executable} configure.py "$@" - ''; + configureScript = "${python.interpreter} configure.py"; # In order to support unsupported cross configurations, we copy some intermediate executables # from a native build and replace all the build-system tools with a script which simply touches @@ -518,12 +517,6 @@ let "test-tick-processor-arguments" "test-set-raw-mode-reset-signal" ] - # Apple SDK update broke something related to those tests, so skipping them for now - ++ lib.optionals (majorVersion == "24" && stdenv.hostPlatform.isDarwin) [ - "test-worker-track-unmanaged-fds" - "test-esm-import-meta-main-eval" - "test-worker-debug" - ] # These network/fetch/inspector tests fail on riscv64 ++ lib.optionals (majorVersion == "24" && stdenv.hostPlatform.isRiscV64) [ "test-fetch" @@ -683,6 +676,9 @@ let done ''; + # reduces build time from ~90 to ~15 minutes on hydra + requiredSystemFeatures = [ "big-parallel" ]; + passthru.tests = { version = testers.testVersion { package = self; diff --git a/pkgs/development/web/nodejs/v24.nix b/pkgs/development/web/nodejs/v24.nix index 914ab1479370..3388b484ebe8 100644 --- a/pkgs/development/web/nodejs/v24.nix +++ b/pkgs/development/web/nodejs/v24.nix @@ -9,10 +9,16 @@ }: let - buildNodejs = callPackage ./nodejs.nix { - inherit openssl; - python = python3; - }; + buildNodejs = callPackage ./nodejs.nix ( + { + inherit openssl; + python = python3; + } + // lib.optionalAttrs stdenv.hostPlatform.isDarwin { + # libcxx21 makes FD tracking unreliable on Darwin. Pinning to libcxx20: + stdenv = buildPackages.llvmPackages_20.libcxxStdenv; + } + ); gypPatches = if stdenv.buildPlatform.isDarwin then @@ -23,8 +29,8 @@ let [ ]; in buildNodejs { - version = "24.16.0"; - sha256 = "2ff84a6de70b6165290111b0fc656ded1ad207a799816fe720cc7c31232df30f"; + version = "24.18.0"; + sha256 = "e94afde24db08e0c564ee7110a2d5aab51ee0059382c9fd8233c54eec47b28f9"; patches = ( if (stdenv.hostPlatform.emulatorAvailable buildPackages) then @@ -56,13 +62,6 @@ buildNodejs { ./use-correct-env-in-tests.patch ./bin-sh-node-run-v22.patch ./use-nix-codesign.patch - - # Patch for nghttp2 1.69 support - (fetchpatch2 { - url = "https://github.com/nodejs/node/commit/4a32c00fb8dbe55c3bcf9ef43343968c9fe449e6.diff?full_index=1"; - hash = "sha256-pex8ruwa4b/vWvfGA+nyN3JJP8NOturmwAQe4Rkd6nU="; - excludes = [ "tools/nix/*" ]; - }) ] ++ gypPatches ++ lib.optionals (!stdenv.buildPlatform.isDarwin) [ diff --git a/pkgs/kde/gear/calligra/default.nix b/pkgs/kde/gear/calligra/default.nix index 4e816b99551e..cbd17e8fc688 100644 --- a/pkgs/kde/gear/calligra/default.nix +++ b/pkgs/kde/gear/calligra/default.nix @@ -1,6 +1,7 @@ { mkKdeDerivation, lib, + fetchpatch, boost, eigen, gsl, @@ -26,6 +27,14 @@ mkKdeDerivation { pname = "calligra"; + patches = [ + # Fix build with Poppler 26.04 + (fetchpatch { + url = "https://invent.kde.org/office/calligra/-/commit/e9aae90db47ca87d639b8f2b17ec75c1b6093e27.patch"; + hash = "sha256-V21Bw0xV/E4a9v8Yrt0vZ3AU1LJFHul1k92u+nsp85I="; + }) + ]; + extraBuildInputs = [ boost eigen diff --git a/pkgs/os-specific/linux/minimal-bootstrap/gnugrep/static.nix b/pkgs/os-specific/linux/minimal-bootstrap/gnugrep/static.nix index 69f8dadd22ab..749d2d68e8a5 100644 --- a/pkgs/os-specific/linux/minimal-bootstrap/gnugrep/static.nix +++ b/pkgs/os-specific/linux/minimal-bootstrap/gnugrep/static.nix @@ -78,5 +78,4 @@ bash.runCommand "${pname}-${version}" # Install make -j $NIX_BUILD_CORES install-strip - rm $out/bin/{egrep,fgrep} '' diff --git a/pkgs/tools/compression/gzip/CVE-2026-41991.patch b/pkgs/tools/compression/gzip/CVE-2026-41991.patch new file mode 100644 index 000000000000..657d8553bcd2 --- /dev/null +++ b/pkgs/tools/compression/gzip/CVE-2026-41991.patch @@ -0,0 +1,52 @@ +From 4e6f8b24ab823146ab8776f0b7fe486ab34d4269 Mon Sep 17 00:00:00 2001 +From: Paul Eggert +Date: Thu, 16 Apr 2026 12:11:44 -0700 +Subject: gzexe: use -C if lacking mktemp +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +(Problem reported by Michał Majchrowicz.) +* gzexe.in: If mktemp is needed but not installed, +use ‘set -C’ to avoid a race when creating a temporary file. +* zdiff.in: Use the same pattern here, even though the old +code was probably OK anyway. +--- + gzexe.in | 1 + + zdiff.in | 7 +++---- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/gzexe.in b/gzexe.in +index ea4ef94..f3d46cc 100644 +--- a/gzexe.in ++++ b/gzexe.in +@@ -127,6 +127,7 @@ for i do + tmp=`mktemp "${dir}gzexeXXXXXXXXX"` + else + tmp=${dir}gzexe$$ ++ (umask 77; set -C; > "$tmp") + fi && { cp -p "$file" "$tmp" 2>/dev/null || cp "$file" "$tmp"; } || { + res=$? + printf >&2 '%s\n' "$0: cannot copy $file" +diff --git a/zdiff.in b/zdiff.in +index 289e466..53266df 100644 +--- a/zdiff.in ++++ b/zdiff.in +@@ -156,12 +156,11 @@ case $file2 in + *) TMPDIR=/tmp/;; + esac + if command -v mktemp >/dev/null 2>&1; then +- tmp=`mktemp "${TMPDIR}zdiffXXXXXXXXX"` || +- exit 2 ++ tmp=`mktemp "${TMPDIR}zdiffXXXXXXXXX"` + else +- set -C + tmp=${TMPDIR}zdiff$$ +- fi ++ (umask 77; set -C; > "$tmp") ++ fi && + 'gzip' -cdfq -- "$file2" > "$tmp" || exit 2 + gzip_status=$( + exec 4>&1 +-- +cgit v1.2.3 diff --git a/pkgs/tools/compression/gzip/CVE-2026-41992.patch b/pkgs/tools/compression/gzip/CVE-2026-41992.patch new file mode 100644 index 000000000000..f7576a2b7872 --- /dev/null +++ b/pkgs/tools/compression/gzip/CVE-2026-41992.patch @@ -0,0 +1,35 @@ +From 63dbf6b3b9e6e781df1a6a64e609b10e23969681 Mon Sep 17 00:00:00 2001 +From: Paul Eggert +Date: Wed, 15 Apr 2026 12:00:17 -0700 +Subject: gzip: don’t mishandle .lzh after .Z +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Problem reported by Michał Majchrowicz. +* unlzh.c (read_c_len): Clear left and right when n == 0. +--- + unlzh.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +(limited to 'unlzh.c') + +diff --git a/unlzh.c b/unlzh.c +index 3320196..a6cf109 100644 +--- a/unlzh.c ++++ b/unlzh.c +@@ -232,6 +232,12 @@ read_c_len () + c = getbits(CBIT); + for (i = 0; i < NC; i++) c_len[i] = 0; + for (i = 0; i < 4096; i++) c_table[i] = c; ++ ++ /* Needed in case LEFT and RIGHT are reused from a previous ++ LZW decompression. It may be overkill to clear all of both ++ arrays, but nobody has had time to analyze this carefully. */ ++ memzero(left, (2 * NC - 1) * sizeof *left); ++ memzero(right, (2 * NC - 1) * sizeof *left); + } else { + i = 0; + while (i < n) { +-- +cgit v1.3 diff --git a/pkgs/tools/compression/gzip/default.nix b/pkgs/tools/compression/gzip/default.nix index 446e5fab0af8..6aafcf6481df 100644 --- a/pkgs/tools/compression/gzip/default.nix +++ b/pkgs/tools/compression/gzip/default.nix @@ -25,6 +25,11 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-Aae4gb0iC/32Ffl7hxj4C9/T9q3ThbmT3Pbv0U6MCsY="; }; + patches = [ + ./CVE-2026-41991.patch + ./CVE-2026-41992.patch + ]; + outputs = [ "out" "man" diff --git a/pkgs/tools/package-management/nix/modular/tests/functional/package.nix b/pkgs/tools/package-management/nix/modular/tests/functional/package.nix index b8bf89d99f7f..597c89f08c4d 100644 --- a/pkgs/tools/package-management/nix/modular/tests/functional/package.nix +++ b/pkgs/tools/package-management/nix/modular/tests/functional/package.nix @@ -73,14 +73,6 @@ mkMesonDerivation (finalAttrs: { echo $PWD | grep tests/functional ''; - # Test contains invocation of `script` broken by util-linux regression: - # https://github.com/util-linux/util-linux/commit/70507ab9eaed10b8dd77b77d4ea25c11ee726bed - preCheck = - assert util-linux.version == "2.42"; - '' - echo "exit 77" > ../json.sh - ''; - mesonCheckFlags = [ "--print-errorlogs" ]; diff --git a/pkgs/tools/text/gnused/default.nix b/pkgs/tools/text/gnused/default.nix index 6effd6d9f41d..7f1cfe514425 100644 --- a/pkgs/tools/text/gnused/default.nix +++ b/pkgs/tools/text/gnused/default.nix @@ -8,11 +8,11 @@ stdenv.mkDerivation rec { pname = "gnused"; - version = "4.9"; + version = "4.10"; src = fetchurl { url = "mirror://gnu/sed/sed-${version}.tar.xz"; - sha256 = "sha256-biJrcy4c1zlGStaGK9Ghq6QteYKSLaelNRljHSSXUYE="; + sha256 = "sha256-uOchgrLslqNXTimYxHt6qmTMIM4ADY6awxPMB87PKMc="; }; outputs = [