diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index bbd0a093b998d..5eb43ecd33007 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -211,7 +211,6 @@ sub pciCheck { ($device eq "0xfd3e" || $device eq "0x7d1d" || $device eq "0xad1d" || $device eq "0x643e" || $device eq "0xb03e")) { - push @imports, "(modulesPath + \"/hardware/cpu/intel-npu.nix\")"; push @attrs, "hardware.cpu.intel.npu.enable = true;"; } diff --git a/nixos/modules/system/boot/loader/grub/install-grub.pl b/nixos/modules/system/boot/loader/grub/install-grub.pl index f5ae844da21f9..f61c91f02db8e 100644 --- a/nixos/modules/system/boot/loader/grub/install-grub.pl +++ b/nixos/modules/system/boot/loader/grub/install-grub.pl @@ -685,12 +685,14 @@ sub getEfiTarget { efi => '$', devices => '$', efiMountPoint => '$', + grub => '$', + grubEfi => '$', extraGrubInstallArgs => '@', }); # If you add something to the state file, only add it to the end # because it is read line-by-line. sub readGrubState { - my $defaultGrubState = GrubState->new(name => "", version => "", efi => "", devices => "", efiMountPoint => "", extraGrubInstallArgs => () ); + my $defaultGrubState = GrubState->new(name => "", version => "", efi => "", devices => "", efiMountPoint => "", grub => "", grubEfi => "", extraGrubInstallArgs => () ); open my $fh, "<", "$bootPath/grub/state" or return $defaultGrubState; local $/ = "\n"; my $name = <$fh>; @@ -721,8 +723,10 @@ sub readGrubState { } my %jsonState = %{decode_json($jsonStateLine)}; my @extraGrubInstallArgs = exists($jsonState{'extraGrubInstallArgs'}) ? @{$jsonState{'extraGrubInstallArgs'}} : (); + my $grubValue = exists($jsonState{'grub'}) ? $jsonState{'grub'} : ""; + my $grubEfiValue = exists($jsonState{'grubEfi'}) ? $jsonState{'grubEfi'} : ""; close $fh; - my $grubState = GrubState->new(name => $name, version => $version, efi => $efi, devices => $devices, efiMountPoint => $efiMountPoint, extraGrubInstallArgs => \@extraGrubInstallArgs ); + my $grubState = GrubState->new(name => $name, version => $version, efi => $efi, devices => $devices, efiMountPoint => $efiMountPoint, extraGrubInstallArgs => \@extraGrubInstallArgs, grub => $grubValue, grubEfi => $grubEfiValue ); return $grubState } @@ -734,15 +738,16 @@ sub readGrubState { my $devicesDiffer = scalar (List::Compare->new( '-u', '-a', \@deviceTargets, \@prevDeviceTargets)->get_symmetric_difference()); my $extraGrubInstallArgsDiffer = scalar (List::Compare->new( '-u', '-a', \@extraGrubInstallArgs, \@prevExtraGrubInstallArgs)->get_symmetric_difference()); -my $nameDiffer = get("fullName") ne $prevGrubState->name; -my $versionDiffer = get("fullVersion") ne $prevGrubState->version; my $efiDiffer = $efiTarget ne $prevGrubState->efi; my $efiMountPointDiffer = $efiSysMountPoint ne $prevGrubState->efiMountPoint; +# re-installing grub once the package store path changes is necessary, because +# introducing patches or adjusting builds does not always bump the version number +my $grubStorePathsDiffer = ($grub ne $prevGrubState->grub) || ($grubEfi ne $prevGrubState->grubEfi); if (($ENV{'NIXOS_INSTALL_GRUB'} // "") eq "1") { warn "NIXOS_INSTALL_GRUB env var deprecated, use NIXOS_INSTALL_BOOTLOADER"; $ENV{'NIXOS_INSTALL_BOOTLOADER'} = "1"; } -my $requireNewInstall = $devicesDiffer || $extraGrubInstallArgsDiffer || $nameDiffer || $versionDiffer || $efiDiffer || $efiMountPointDiffer || (($ENV{'NIXOS_INSTALL_BOOTLOADER'} // "") eq "1"); +my $requireNewInstall = $devicesDiffer || $extraGrubInstallArgsDiffer || $efiDiffer || $efiMountPointDiffer || $grubStorePathsDiffer || (($ENV{'NIXOS_INSTALL_BOOTLOADER'} // "") eq "1"); # install a symlink so that grub can detect the boot drive my $tmpDir = File::Temp::tempdir(CLEANUP => 1) or die "Failed to create temporary space: $!"; @@ -795,7 +800,9 @@ sub readGrubState { print $fh join( ",", @deviceTargets ), "\n" or die; print $fh $efiSysMountPoint, "\n" or die; my %jsonState = ( - extraGrubInstallArgs => \@extraGrubInstallArgs + extraGrubInstallArgs => \@extraGrubInstallArgs, + grub => $grub, + grubEfi => $grubEfi ); my $jsonStateLine = encode_json(\%jsonState); print $fh $jsonStateLine, "\n" or die; diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 3c827c3d6627c..7ee68146c650c 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -741,6 +741,10 @@ in path = [ pkgs.util-linux ]; overrideStrategy = "asDropin"; }; + systemd.services."modprobe@" = { + restartIfChanged = false; + serviceConfig.ExecSearchPath = lib.makeBinPath [ pkgs.kmod ]; + }; systemd.services.systemd-random-seed.restartIfChanged = false; systemd.services.systemd-remount-fs.restartIfChanged = false; systemd.services.systemd-update-utmp.restartIfChanged = false; diff --git a/nixos/tests/systemd-misc.nix b/nixos/tests/systemd-misc.nix index 2623f78add63b..30f9fe720059f 100644 --- a/nixos/tests/systemd-misc.nix +++ b/nixos/tests/systemd-misc.nix @@ -60,5 +60,10 @@ in machine.succeed("systemctl status example.service | grep 'Active: active'") machine.succeed("systemctl show --property TasksMax --value user-1000.slice | grep 100") + + with subtest("modprobe@ services work"): + modprobe_service_status = machine.succeed("systemctl show --property ExecMainStatus modprobe@configfs.service") + print(modprobe_service_status) + t.assertEqual("ExecMainStatus=0\n", modprobe_service_status) ''; } diff --git a/nixos/tests/timezone.nix b/nixos/tests/timezone.nix index b5d2f6779338f..938c6bed95342 100644 --- a/nixos/tests/timezone.nix +++ b/nixos/tests/timezone.nix @@ -44,6 +44,18 @@ print(date_result) assert date_result == "1970-01-01 09:00:00\n", "Timezone was not adjusted" + # Stop systemd-timedated.service to clear /etc/localtime read cache + node_nulltz.systemctl("stop systemd-timedated.service") + timedatectl_result = node_nulltz.succeed("timedatectl status") + print(timedatectl_result) + assert "Asia/Tokyo" in timedatectl_result, "'timedatectl status' output is missing 'Asia/Tokyo'" + + with subtest("imperative - Ensure /etc/localtime symlink includes '/zoneinfo/' like icu expects"): + # https://github.com/unicode-org/icu/blob/release-78.3/icu4c/source/common/putil.cpp#L686-L695 + readlink_result = node_nulltz.succeed("readlink --no-newline /etc/localtime") + print(readlink_result) + assert "/zoneinfo/" in readlink_result, f"/etc/localtime symlink is missing '/zoneinfo/': {readlink_result}" + with subtest("imperative - Ensure timezone adjustment persists across reboot"): # Adjustment should persist across a reboot node_nulltz.shutdown() diff --git a/pkgs/applications/editors/vim/common.nix b/pkgs/applications/editors/vim/common.nix index f5f18a30568e4..e34d28ccd3028 100644 --- a/pkgs/applications/editors/vim/common.nix +++ b/pkgs/applications/editors/vim/common.nix @@ -1,6 +1,6 @@ { lib, fetchFromGitHub }: rec { - version = "9.1.2148"; + version = "9.2.0340"; outputs = [ "out" @@ -11,7 +11,7 @@ rec { owner = "vim"; repo = "vim"; rev = "v${version}"; - hash = "sha256-4ZEbfpffPp6kqSQRp7NFioWGRdG+JsVf7unU0Hqn/Xk="; + hash = "sha256-jCnOVIafx+0o1nlHv7QJQrmxs1IAxh9BBshDOFdZdCM="; }; enableParallelBuilding = true; diff --git a/pkgs/applications/graphics/ImageMagick/default.nix b/pkgs/applications/graphics/ImageMagick/default.nix index 804d858bf078e..8114fac32fe78 100644 --- a/pkgs/applications/graphics/ImageMagick/default.nix +++ b/pkgs/applications/graphics/ImageMagick/default.nix @@ -85,13 +85,13 @@ in stdenv.mkDerivation (finalAttrs: { pname = "imagemagick"; - version = "7.1.2-18"; + version = "7.1.2-19"; src = fetchFromGitHub { owner = "ImageMagick"; repo = "ImageMagick"; tag = finalAttrs.version; - hash = "sha256-bt8PlCeEWaRsdMe/FP4HSgmzi1OATjH2Kx233OgleyI="; + hash = "sha256-4uASM+GRTe0ES6FdshUMMkVof4IlLV+CMm2l+v5qZN0="; }; outputs = [ diff --git a/pkgs/applications/networking/mailreaders/thunderbird/packages.nix b/pkgs/applications/networking/mailreaders/thunderbird/packages.nix index 0b839ab9d9fbb..6ea375646a63d 100644 --- a/pkgs/applications/networking/mailreaders/thunderbird/packages.nix +++ b/pkgs/applications/networking/mailreaders/thunderbird/packages.nix @@ -73,8 +73,8 @@ rec { thunderbird = thunderbird-latest; thunderbird-latest = common { - version = "150.0"; - sha512 = "6e0770de0aeabdd9372b491ae0a6d20238ff154b70982de21c73b903003398f36d8f56c679ca893a1e5646a25add9e9e126ae1b6ee1f836290104b61eb09dac1"; + version = "150.0.1"; + sha512 = "bf3d33357965cd144decef7c8865b6c18043502aea8d090d93fe29555379b924e3925d58276411f38fdcdc87b54ab3ae7d6aa6619feec9b856f8f227225cb375"; updateScript = callPackage ./update.nix { attrPath = "thunderbirdPackages.thunderbird-latest"; diff --git a/pkgs/by-name/aw/aws-c-event-stream/package.nix b/pkgs/by-name/aw/aws-c-event-stream/package.nix index 7d61c6a35e310..ef411f92124b7 100644 --- a/pkgs/by-name/aw/aws-c-event-stream/package.nix +++ b/pkgs/by-name/aw/aws-c-event-stream/package.nix @@ -15,13 +15,13 @@ stdenv.mkDerivation rec { pname = "aws-c-event-stream"; # nixpkgs-update: no auto update - version = "0.5.7"; + version = "0.7.0"; src = fetchFromGitHub { owner = "awslabs"; repo = "aws-c-event-stream"; - rev = "v${version}"; - hash = "sha256-JvjUrIj1bh5WZEzkauLSLIolxrT8CKIMjO7p1c35XZI="; + tag = "v${version}"; + hash = "sha256-jMtLJjKC7TuNZ0c0Nc3+KRh226RBl0omkiKNXXBltoc="; }; nativeBuildInputs = [ cmake ]; diff --git a/pkgs/by-name/ca/cacert/package.nix b/pkgs/by-name/ca/cacert/package.nix index 61c9fcded8c6b..31e0ebd808882 100644 --- a/pkgs/by-name/ca/cacert/package.nix +++ b/pkgs/by-name/ca/cacert/package.nix @@ -20,7 +20,7 @@ let lib.concatStringsSep "\n\n" extraCertificateStrings ); - version = "3.121"; + version = "3.123"; meta = { homepage = "https://firefox-source-docs.mozilla.org/security/nss/runbooks/rootstore.html#root-store-consumers"; description = "Bundle of X.509 certificates of public Certificate Authorities (CA)"; @@ -48,7 +48,7 @@ stdenv.mkDerivation { "https://hg-edge.mozilla.org/projects/nss/raw-file/${tag}/${file}" "https://raw.githubusercontent.com/nss-dev/nss/refs/tags/${tag}/${file}" ]; - hash = "sha256-O5jU4/9XoybZWHwzYzA5yMOpzwtV98pYHXWY/zKesfM="; + hash = "sha256-dxMO+RITdyhEVh+9OqMdQTslwqx/V2/qO8O7/375NIk="; }; unpackPhase = '' diff --git a/pkgs/by-name/ce/ceph/package.nix b/pkgs/by-name/ce/ceph/package.nix index 0da840296dec6..a39b06cb62a48 100644 --- a/pkgs/by-name/ce/ceph/package.nix +++ b/pkgs/by-name/ce/ceph/package.nix @@ -282,6 +282,7 @@ let inherit version; hash = "sha256-hBSYub7GFiOxtsR+u8AjZ8B9YODhlfGXkIF/EMyNsLc="; }; + patches = [ ]; # those two CVE patches do not apply (!) disabledTests = old.disabledTests or [ ] ++ [ "test_export_md5_digest" ]; diff --git a/pkgs/by-name/cr/cryptsetup/package.nix b/pkgs/by-name/cr/cryptsetup/package.nix index 79a0af738ce08..0e1f0cf718807 100644 --- a/pkgs/by-name/cr/cryptsetup/package.nix +++ b/pkgs/by-name/cr/cryptsetup/package.nix @@ -25,7 +25,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "cryptsetup"; - version = "2.8.4"; + version = "2.8.6"; outputs = [ "bin" @@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: { url = "mirror://kernel/linux/utils/cryptsetup/v${lib.versions.majorMinor finalAttrs.version}/" + "cryptsetup-${finalAttrs.version}.tar.xz"; - hash = "sha256-RD5G+JZMmsx4D0Va+7jiOqDo7X7FBM/FngT0BvoeioM="; + hash = "sha256-gAQmX9mTiF0I97Yz2+BWhR3hohAwdhOk693HQ/zO/lo="; }; patches = [ diff --git a/pkgs/by-name/da/dash/package.nix b/pkgs/by-name/da/dash/package.nix index 030968dbc9040..6235e5193f8a1 100644 --- a/pkgs/by-name/da/dash/package.nix +++ b/pkgs/by-name/da/dash/package.nix @@ -15,11 +15,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "dash"; - version = "0.5.13.1"; + version = "0.5.13.2"; src = fetchurl { url = "http://gondor.apana.org.au/~herbert/dash/files/dash-${finalAttrs.version}.tar.gz"; - hash = "sha256-2ScbzgnBJ9mGbiXAEVgt3HWrmIlYoEvE2FU6O48w43A="; + hash = "sha256-5xNoJrHu1s4xk+iv+i9wsbK5Fo3ZH/p9209G6eYgVP4="; }; strictDeps = true; diff --git a/pkgs/by-name/jq/jq/CVE-2026-32316.patch b/pkgs/by-name/jq/jq/CVE-2026-32316.patch new file mode 100644 index 0000000000000..29d08c9adcd79 --- /dev/null +++ b/pkgs/by-name/jq/jq/CVE-2026-32316.patch @@ -0,0 +1,49 @@ +From e47e56d226519635768e6aab2f38f0ab037c09e5 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Thu, 12 Mar 2026 20:28:43 +0900 +Subject: [PATCH] Fix heap buffer overflow in `jvp_string_append` and + `jvp_string_copy_replace_bad` + +In `jvp_string_append`, the allocation size `(currlen + len) * 2` could +overflow `uint32_t` when `currlen + len` exceeds `INT_MAX`, causing a small +allocation followed by a large `memcpy`. + +In `jvp_string_copy_replace_bad`, the output buffer size calculation +`length * 3 + 1` could overflow `uint32_t`, again resulting in a small +allocation followed by a large write. + +Add overflow checks to both functions to return an error for strings +that would exceed `INT_MAX` in length. Fixes CVE-2026-32316. +--- + src/jv.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/jv.c b/src/jv.c +index 722a539391..2a62b48419 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -1114,7 +1114,12 @@ static jv jvp_string_copy_replace_bad(const char* data, uint32_t length) { + const char* end = data + length; + const char* i = data; + +- uint32_t maxlength = length * 3 + 1; // worst case: all bad bytes, each becomes a 3-byte U+FFFD ++ // worst case: all bad bytes, each becomes a 3-byte U+FFFD ++ uint64_t maxlength = (uint64_t)length * 3 + 1; ++ if (maxlength >= INT_MAX) { ++ return jv_invalid_with_msg(jv_string("String too long")); ++ } ++ + jvp_string* s = jvp_string_alloc(maxlength); + char* out = s->data; + int c = 0; +@@ -1174,6 +1179,10 @@ static uint32_t jvp_string_remaining_space(jvp_string* s) { + static jv jvp_string_append(jv string, const char* data, uint32_t len) { + jvp_string* s = jvp_string_ptr(string); + uint32_t currlen = jvp_string_length(s); ++ if ((uint64_t)currlen + len >= INT_MAX) { ++ jv_free(string); ++ return jv_invalid_with_msg(jv_string("String too long")); ++ } + + if (jvp_refcnt_unshared(string.u.ptr) && + jvp_string_remaining_space(s) >= len) { diff --git a/pkgs/by-name/jq/jq/CVE-2026-33947.patch b/pkgs/by-name/jq/jq/CVE-2026-33947.patch new file mode 100644 index 0000000000000..9f31fd82b0574 --- /dev/null +++ b/pkgs/by-name/jq/jq/CVE-2026-33947.patch @@ -0,0 +1,66 @@ +From fb59f1491058d58bdc3e8dd28f1773d1ac690a1f Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 13 Apr 2026 11:23:40 +0900 +Subject: [PATCH] Limit path depth to prevent stack overflow + +Deeply nested path arrays can cause unbounded recursion in +`jv_setpath`, `jv_getpath`, and `jv_delpaths`, leading to +stack overflow. Add a depth limit of 10000 to match the +existing `tojson` depth limit. This fixes CVE-2026-33947. +--- + src/jv_aux.c | 21 +++++++++++++++++++++ + 2 files changed, 46 insertions(+) + +diff --git a/src/jv_aux.c b/src/jv_aux.c +index 018f380b10..fd5ff96684 100644 +--- a/src/jv_aux.c ++++ b/src/jv_aux.c +@@ -365,6 +365,10 @@ static jv jv_dels(jv t, jv keys) { + return t; + } + ++#ifndef MAX_PATH_DEPTH ++#define MAX_PATH_DEPTH (10000) ++#endif ++ + jv jv_setpath(jv root, jv path, jv value) { + if (jv_get_kind(path) != JV_KIND_ARRAY) { + jv_free(value); +@@ -372,6 +376,12 @@ jv jv_setpath(jv root, jv path, jv value) { + jv_free(path); + return jv_invalid_with_msg(jv_string("Path must be specified as an array")); + } ++ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) { ++ jv_free(value); ++ jv_free(root); ++ jv_free(path); ++ return jv_invalid_with_msg(jv_string("Path too deep")); ++ } + if (!jv_is_valid(root)){ + jv_free(value); + jv_free(path); +@@ -424,6 +434,11 @@ jv jv_getpath(jv root, jv path) { + jv_free(path); + return jv_invalid_with_msg(jv_string("Path must be specified as an array")); + } ++ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) { ++ jv_free(root); ++ jv_free(path); ++ return jv_invalid_with_msg(jv_string("Path too deep")); ++ } + if (!jv_is_valid(root)) { + jv_free(path); + return root; +@@ -502,6 +517,12 @@ jv jv_delpaths(jv object, jv paths) { + jv_free(elem); + return err; + } ++ if (jv_array_length(jv_copy(elem)) > MAX_PATH_DEPTH) { ++ jv_free(object); ++ jv_free(paths); ++ jv_free(elem); ++ return jv_invalid_with_msg(jv_string("Path too deep")); ++ } + jv_free(elem); + } + if (jv_array_length(jv_copy(paths)) == 0) { diff --git a/pkgs/by-name/jq/jq/CVE-2026-33948.patch b/pkgs/by-name/jq/jq/CVE-2026-33948.patch new file mode 100644 index 0000000000000..5b6497e1469df --- /dev/null +++ b/pkgs/by-name/jq/jq/CVE-2026-33948.patch @@ -0,0 +1,45 @@ +From 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 13 Apr 2026 08:46:11 +0900 +Subject: [PATCH] Fix NUL truncation in the JSON parser + +This fixes CVE-2026-33948. +--- + src/util.c | 8 +------- + tests/shtest | 6 ++++++ + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/util.c b/src/util.c +index fdfdb96d88..80d65fc808 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -312,13 +312,7 @@ static int jq_util_input_read_more(jq_util_input_state *state) { + if (p != NULL) + state->current_line++; + +- if (p == NULL && state->parser != NULL) { +- /* +- * There should be no NULs in JSON texts (but JSON text +- * sequences are another story). +- */ +- state->buf_valid_len = strlen(state->buf); +- } else if (p == NULL && feof(state->current_input)) { ++ if (p == NULL && feof(state->current_input)) { + size_t i; + + /* +diff --git a/tests/shtest b/tests/shtest +index cb88745277..370f7b7c69 100755 +--- a/tests/shtest ++++ b/tests/shtest +@@ -880,4 +880,10 @@ $JQ -nf $d/prog.jq 2> $d/out && { + } + diff $d/out $d/expected + ++# CVE-2026-33948: No NUL truncation in the JSON parser ++if printf '{}\x00{}' | $JQ >/dev/null 2> /dev/null; then ++ printf 'Error expected but jq exited successfully\n' 1>&2 ++ exit 1 ++fi ++ + exit 0 diff --git a/pkgs/by-name/jq/jq/CVE-2026-39979.patch b/pkgs/by-name/jq/jq/CVE-2026-39979.patch new file mode 100644 index 0000000000000..cc0c3d17f77f6 --- /dev/null +++ b/pkgs/by-name/jq/jq/CVE-2026-39979.patch @@ -0,0 +1,27 @@ +From 2f09060afab23fe9390cce7cb860b10416e1bf5f Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 13 Apr 2026 11:04:52 +0900 +Subject: [PATCH] Fix out-of-bounds read in jv_parse_sized() + +This fixes CVE-2026-39979. + +Co-authored-by: Mattias Wadman +--- + src/jv_parse.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/jv_parse.c b/src/jv_parse.c +index aa2054cc09..56847b5eaa 100644 +--- a/src/jv_parse.c ++++ b/src/jv_parse.c +@@ -893,8 +893,9 @@ jv jv_parse_sized_custom_flags(const char* string, int length, int flags) { + + if (!jv_is_valid(value) && jv_invalid_has_msg(jv_copy(value))) { + jv msg = jv_invalid_get_msg(value); +- value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%s')", ++ value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%.*s')", + jv_string_value(msg), ++ length, + string)); + jv_free(msg); + } diff --git a/pkgs/by-name/jq/jq/CVE-2026-40164.patch b/pkgs/by-name/jq/jq/CVE-2026-40164.patch new file mode 100644 index 0000000000000..483316f64b4bb --- /dev/null +++ b/pkgs/by-name/jq/jq/CVE-2026-40164.patch @@ -0,0 +1,87 @@ +From 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 13 Apr 2026 08:53:26 +0900 +Subject: [PATCH] Randomize hash seed to mitigate hash collision DoS attacks + +The hash function used a fixed seed, allowing attackers to craft colliding keys +and cause O(n^2) object parsing performance. Initialize the seed from a random +source at process startup to prevent the attack. This fixes CVE-2026-40164. + +Co-authored-by: Asaf Meizner +--- + configure.ac | 2 ++ + src/jv.c | 34 ++++++++++++++++++++++++++++++++-- + 2 files changed, 34 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 5dac42655a..f7067a4341 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -149,6 +149,8 @@ AC_CHECK_MEMBER([struct tm.tm_gmtoff], [AC_DEFINE([HAVE_TM_TM_GMT_OFF],1,[Define + AC_CHECK_MEMBER([struct tm.__tm_gmtoff], [AC_DEFINE([HAVE_TM___TM_GMT_OFF],1,[Define to 1 if the system has the __tm_gmt_off field in struct tm])], + [], [[#include ]]) + AC_FIND_FUNC([setlocale], [c], [#include ], [0,0]) ++AC_FIND_FUNC([arc4random], [c], [#include ], []) ++AC_FIND_FUNC([getentropy], [c], [#include ], [0, 0]) + + dnl Figure out if we have the pthread functions we actually need + AC_FIND_FUNC_NO_LIBS([pthread_key_create], [], [#include ], [NULL, NULL]) +diff --git a/src/jv.c b/src/jv.c +index 2a62b48419..607ac174f7 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -40,6 +40,10 @@ + #include + #include + #include ++#include ++#include ++#include ++#include + + #include "jv_alloc.h" + #include "jv.h" +@@ -1206,7 +1210,33 @@ static jv jvp_string_append(jv string, const char* data, uint32_t len) { + } + } + +-static const uint32_t HASH_SEED = 0x432A9843; ++static uint32_t hash_seed; ++static pthread_once_t hash_seed_once = PTHREAD_ONCE_INIT; ++ ++static void jvp_hash_seed_init(void) { ++ uint32_t seed; ++#if defined(HAVE_ARC4RANDOM) ++ seed = arc4random(); ++#elif defined(HAVE_GETENTROPY) ++ if (getentropy(&seed, sizeof(seed)) != 0) ++ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); ++#else ++ int fd = open("/dev/urandom", O_RDONLY); ++ if (fd >= 0) { ++ if (read(fd, &seed, sizeof(seed)) != 4) ++ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); ++ close(fd); ++ } else { ++ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); ++ } ++#endif ++ hash_seed = seed; ++} ++ ++static uint32_t jvp_hash_seed(void) { ++ pthread_once(&hash_seed_once, jvp_hash_seed_init); ++ return hash_seed; ++} + + static uint32_t rotl32 (uint32_t x, int8_t r){ + return (x << r) | (x >> (32 - r)); +@@ -1225,7 +1255,7 @@ static uint32_t jvp_string_hash(jv jstr) { + int len = (int)jvp_string_length(str); + const int nblocks = len / 4; + +- uint32_t h1 = HASH_SEED; ++ uint32_t h1 = jvp_hash_seed(); + + const uint32_t c1 = 0xcc9e2d51; + const uint32_t c2 = 0x1b873593; diff --git a/pkgs/by-name/jq/jq/package.nix b/pkgs/by-name/jq/jq/package.nix index b2a0941a79fe4..31633d27ba033 100644 --- a/pkgs/by-name/jq/jq/package.nix +++ b/pkgs/by-name/jq/jq/package.nix @@ -32,6 +32,11 @@ stdenv.mkDerivation (finalAttrs: { patches = [ ./musl.patch + ./CVE-2026-32316.patch + ./CVE-2026-33947.patch + ./CVE-2026-33948.patch + ./CVE-2026-39979.patch + ./CVE-2026-40164.patch ] ++ lib.optionals stdenv.hostPlatform.is32bit [ # needed because epoch conversion test here is right at the end of 32 bit integer space diff --git a/pkgs/by-name/kn/knot-resolver_6/package.nix b/pkgs/by-name/kn/knot-resolver_6/package.nix index 14021cc706795..3585e918e57ef 100644 --- a/pkgs/by-name/kn/knot-resolver_6/package.nix +++ b/pkgs/by-name/kn/knot-resolver_6/package.nix @@ -36,11 +36,11 @@ let # TODO: we could cut the `let` short here, but it would de-indent everything. unwrapped = stdenv.mkDerivation (finalAttrs: { pname = "knot-resolver_6"; - version = "6.2.0"; + version = "6.3.0"; src = fetchurl { url = "https://secure.nic.cz/files/knot-resolver/knot-resolver-${finalAttrs.version}.tar.xz"; - hash = "sha256-tEYzvIQxgMC8fHfPexX+VxJDrpkrTdt0r97kz6gDcBs="; + hash = "sha256-uHMGGX90NrSQecYzNkvF33GjkyNvsl6fzn0ESAvHUY4="; }; outputs = [ diff --git a/pkgs/by-name/li/libarchive/package.nix b/pkgs/by-name/li/libarchive/package.nix index 0c9dfead431d1..3b847df96d82b 100644 --- a/pkgs/by-name/li/libarchive/package.nix +++ b/pkgs/by-name/li/libarchive/package.nix @@ -31,13 +31,13 @@ assert xarSupport -> libxml2 != null; stdenv.mkDerivation (finalAttrs: { pname = "libarchive"; - version = "3.8.6"; + version = "3.8.7"; src = fetchFromGitHub { owner = "libarchive"; repo = "libarchive"; rev = "v${finalAttrs.version}"; - hash = "sha256-XNFw0h++7B3ODnEi50zd7q/j1bYQzL1IKB2q3p4IzB4="; + hash = "sha256-LpD+lE+0PZi/3nYDVPXhBQL9A7mvqelOzRLskVtg9Y0="; }; outputs = [ diff --git a/pkgs/by-name/li/libde265/package.nix b/pkgs/by-name/li/libde265/package.nix index a9c4b5d9dacd2..51e24c6ed5ac2 100644 --- a/pkgs/by-name/li/libde265/package.nix +++ b/pkgs/by-name/li/libde265/package.nix @@ -15,14 +15,14 @@ }: stdenv.mkDerivation (finalAttrs: { - version = "1.0.16"; + version = "1.0.18"; pname = "libde265"; src = fetchFromGitHub { owner = "strukturag"; repo = "libde265"; tag = "v${finalAttrs.version}"; - hash = "sha256-4Y7tuVeDLoONU6/R/47QhGtzBiM9mtl4O++CN+KCUn4="; + hash = "sha256-N6K82ElrzrMSNKfPTDsc5onrxucIJ8niwFgbaEPPd2I="; }; nativeBuildInputs = [ diff --git a/pkgs/by-name/li/libgudev/package.nix b/pkgs/by-name/li/libgudev/package.nix index 1db56931abc0c..5a673586c4832 100644 --- a/pkgs/by-name/li/libgudev/package.nix +++ b/pkgs/by-name/li/libgudev/package.nix @@ -74,6 +74,11 @@ stdenv.mkDerivation (finalAttrs: { (lib.mesonEnable "tests" finalAttrs.finalPackage.doCheck) ]; + # https://gitlab.gnome.org/GNOME/libgudev/-/issues/10 + preCheck = '' + mesonCheckFlagsArray=( $(meson test --list | grep -v test-gudevdevice) ) + ''; + passthru = { updateScript = gnome.updateScript { packageName = "libgudev"; diff --git a/pkgs/by-name/li/libjpeg_turbo/package.nix b/pkgs/by-name/li/libjpeg_turbo/package.nix index e30ee22edbd5e..5156d1f87d5c6 100644 --- a/pkgs/by-name/li/libjpeg_turbo/package.nix +++ b/pkgs/by-name/li/libjpeg_turbo/package.nix @@ -32,13 +32,13 @@ assert !(enableJpeg7 && enableJpeg8); # pick only one or none, not both stdenv.mkDerivation (finalAttrs: { pname = "libjpeg-turbo"; - version = "3.1.2"; + version = "3.1.4"; src = fetchFromGitHub { owner = "libjpeg-turbo"; repo = "libjpeg-turbo"; tag = finalAttrs.version; - hash = "sha256-tmeWLJxieV42f9ljSpKJoLER4QOYQLsLFC7jW54YZAk="; + hash = "sha256-mxmJejgUqS6OC0U0gHsHHe74X0MTVBY5OCbqxIyWa3Q="; }; patches = diff --git a/pkgs/by-name/li/libopenmpt/package.nix b/pkgs/by-name/li/libopenmpt/package.nix index 2bef845c342ad..6aa838d55fa3b 100644 --- a/pkgs/by-name/li/libopenmpt/package.nix +++ b/pkgs/by-name/li/libopenmpt/package.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { pname = "libopenmpt"; - version = "0.8.5"; + version = "0.8.6"; outputs = [ "out" @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-${version}+release.autotools.tar.gz"; - hash = "sha256-9oCuq7P4TDcWna2H8V7YPymm67x/aJ+RLU2r7P8OMyQ="; + hash = "sha256-yqL6lZ44n0N02eLfOvXGM0UsEt2ARCy6LonLf/K5PFs="; }; enableParallelBuilding = true; diff --git a/pkgs/by-name/li/libxpm/package.nix b/pkgs/by-name/li/libxpm/package.nix index 8ffd2d3fd203b..09336f30f9300 100644 --- a/pkgs/by-name/li/libxpm/package.nix +++ b/pkgs/by-name/li/libxpm/package.nix @@ -15,7 +15,7 @@ }: stdenv.mkDerivation (finalAttrs: { pname = "libxpm"; - version = "3.5.17"; + version = "3.5.19"; outputs = [ "bin" @@ -25,7 +25,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = "mirror://xorg/individual/lib/libXpm-${finalAttrs.version}.tar.xz"; - hash = "sha256-ZLMfgQGefTiMgisLKK+NUcRiK4Px8Mtvo/yV4nEibkM="; + hash = "sha256-rTV21okiGjncco8ODcAsp7tqDXJMmnf9G/oemvg76QA="; }; strictDeps = true; diff --git a/pkgs/by-name/mi/mimir/package.nix b/pkgs/by-name/mi/mimir/package.nix index 55267f83054f1..ba5e0d5907ffa 100644 --- a/pkgs/by-name/mi/mimir/package.nix +++ b/pkgs/by-name/mi/mimir/package.nix @@ -7,13 +7,13 @@ }: buildGoModule (finalAttrs: { pname = "mimir"; - version = "3.0.4"; + version = "3.0.6"; src = fetchFromGitHub { rev = "mimir-${finalAttrs.version}"; owner = "grafana"; repo = "mimir"; - hash = "sha256-AVH2hY9BhQ6R8WCw6DcdkUSBzm5cTWyBL1pbqnRMVdE="; + hash = "sha256-rz1Wzsnxt8eGf0rkI8pvhpft+EhTUsdFK4s+9QVn7dg="; }; vendorHash = null; @@ -39,7 +39,7 @@ buildGoModule (finalAttrs: { updateScript = nix-update-script { extraArgs = [ "--version-regex" - "mimir-([0-9.]+)" + "mimir-(3\\.[0-9.]+)" ]; }; tests = { diff --git a/pkgs/by-name/mu/mupdf/package.nix b/pkgs/by-name/mu/mupdf/package.nix index cd1bea612afa1..80c24c63290ab 100644 --- a/pkgs/by-name/mu/mupdf/package.nix +++ b/pkgs/by-name/mu/mupdf/package.nix @@ -51,11 +51,11 @@ let src = fetchFromGitHub { owner = "ArtifexSoftware"; repo = "thirdparty-freeglut"; - rev = "13ae6aa2c2f9a7b4266fc2e6116c876237f40477"; - hash = "sha256-0fuE0lm9rlAaok2Qe0V1uUrgP4AjMWgp3eTbw8G6PMM="; + rev = "d5e2256d571b3ef66fb60716c99e35e9d3e570a2"; + hash = "sha256-yVnVFh2KMpkRB0Emr1iiUwg8ZcPn/k4fnBtBsnv6jX0="; }; - patches = [ ]; + patches = [ ]; # the current patches won't apply # cmake 4 compatibility, upstream is dead postPatch = '' @@ -65,12 +65,12 @@ let }); in stdenv.mkDerivation rec { - version = "1.26.10"; + version = "1.27.2"; pname = "mupdf"; src = fetchurl { url = "https://mupdf.com/downloads/archive/${pname}-${version}-source.tar.gz"; - hash = "sha256-FlPzW9j72XDwVSPv3H+G5B6XKOJWSjKVKW4Dz1mlFDc="; + hash = "sha256-VThnsTUwPcTCWrZ8XyNNjpAKDjbmboSE2ZrcBf4ehzc="; }; patches = [ @@ -80,19 +80,6 @@ stdenv.mkDerivation rec { # Upstream C++ wrap script only defines fixed-sized integers on macOS but # this is required on aarch64-linux too. ./fix-cpp-build.patch - ] - # fix compatibility with Clang >= 20 - ++ lib.optionals enableCxx [ - (fetchpatch { - name = "scripts-wrap-parse.py-get_args-improve-caching-of-re.patch"; - url = "https://github.com/ArtifexSoftware/mupdf/commit/559e45ac8c134712cd8eaee01536ea3841e3a449.patch"; - hash = "sha256-gI3hzrNo6jj9eqQ9E/BJ3jxXi/sl1C5WRyYlkG3Gkfg="; - }) - (fetchpatch { - name = "scripts-wrap-parse.py-get_args-fix-for-libclang-20.patch"; - url = "https://github.com/ArtifexSoftware/mupdf/commit/4bbf411898341d3ba30f521a6c137a788793cd45.patch"; - hash = "sha256-cxKNziAGjpDwEw/9ZQHslMeJbiqYo80899BDkUOIX8g="; - }) ]; postPatch = '' diff --git a/pkgs/by-name/ng/nghttp2/package.nix b/pkgs/by-name/ng/nghttp2/package.nix index a3a62ffa0e5c4..d82a8bc6ce4be 100644 --- a/pkgs/by-name/ng/nghttp2/package.nix +++ b/pkgs/by-name/ng/nghttp2/package.nix @@ -22,7 +22,6 @@ jemalloc, enablePython ? false, python3, - ncurses, # Unit tests ; we have to set TZDIR, which is a GNUism. enableTests ? stdenv.hostPlatform.isGnu, @@ -45,11 +44,11 @@ assert enableJemalloc -> enableApp; stdenv.mkDerivation rec { pname = "nghttp2"; - version = "1.67.1"; + version = "1.68.1"; src = fetchurl { url = "https://github.com/nghttp2/nghttp2/releases/download/v${version}/nghttp2-${version}.tar.bz2"; - hash = "sha256-37cg1CQ6eVBYn6JjI3i+te6a1ELpS3lLO44soowdfio="; + hash = "sha256-t2G1PLZJFmV+qEQ3lz1Qj9Z16Wuy/rlZOh5D0ZWavpU="; }; outputs = [ diff --git a/pkgs/by-name/ng/nghttp3/package.nix b/pkgs/by-name/ng/nghttp3/package.nix index cff35f454d3a4..d4dfa3d20d705 100644 --- a/pkgs/by-name/ng/nghttp3/package.nix +++ b/pkgs/by-name/ng/nghttp3/package.nix @@ -8,11 +8,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "nghttp3"; - version = "1.12.0"; + version = "1.15.0"; src = fetchurl { url = "https://github.com/ngtcp2/nghttp3/releases/download/v${finalAttrs.version}/nghttp3-${finalAttrs.version}.tar.bz2"; - hash = "sha256-KFl4NTevIT1npc5Cd923nIlBrUXtv6XM3VLZz0/6Qi0="; + hash = "sha256-xsSRpSgEgUCY5EZjDm78RZr8DT2nlS/+bL3As/mbK2I="; }; outputs = [ diff --git a/pkgs/by-name/ut/util-linux/package.nix b/pkgs/by-name/ut/util-linux/package.nix index 0b1cb579bfd34..2b49ddc54ff20 100644 --- a/pkgs/by-name/ut/util-linux/package.nix +++ b/pkgs/by-name/ut/util-linux/package.nix @@ -35,24 +35,35 @@ nixosTests, }: +# lastlog requires PAM, or else it's broken. +assert withLastlog -> pamSupport; + let isMinimal = cryptsetupSupport == false && !nlsSupport && !ncursesSupport && !systemdSupport; in stdenv.mkDerivation (finalAttrs: { pname = "util-linux" + lib.optionalString isMinimal "-minimal"; - version = "2.41.3"; + version = "2.41.4"; src = fetchurl { url = "mirror://kernel/linux/utils/util-linux/v${lib.versions.majorMinor finalAttrs.version}/util-linux-${finalAttrs.version}.tar.xz"; - hash = "sha256-MzDYc/D861VguJp9wU5PMoi72IDpaQPtm1DsK1eZ5Ys="; + hash = "sha256-qMITzAYEiGJgKkKy0pmzQAAfbQXEQHtUnz4DUh34Nog="; }; patches = [ + # Search $PATH for the shutdown binary instead of hard-coding /sbin/shutdown, + # which isn't valid on NixOS (and a compatibility link on most other modern + # distros anyway). ./rtcwake-search-PATH-for-shutdown.patch + + # pam_lastlog2: link with libpam + # see https://github.com/NixOS/nixpkgs/issues/493934 + ./pam_lastlog2-add-lpam-to-Makemodule.am.patch + (fetchurl { - name = "bits-only-build-when-cpu_set_t-is-available.patch"; - url = "https://lore.kernel.org/util-linux/20250501075806.88759-1-hi@alyssa.is/raw"; - hash = "sha256-G7Cdv8636wJEjgt9am7PaDI8bpSF8sO9bFWEIiAL25A="; + name = "CVE-2026-3184.patch"; + url = "https://github.com/util-linux/util-linux/commit/8b29aeb081e297e48c4c1ac53d88ae07e1331984.patch"; + hash = "sha256-bCITNB/k3CPcAYK4BXYFr1RWOsQ09PpgQw16SDZJES4="; }) ]; @@ -197,7 +208,6 @@ stdenv.mkDerivation (finalAttrs: { moveToOutput "bin/lastlog2" "$lastlog" ln -svf "$lastlog/bin/"* $bin/bin/ - '' + lib.optionalString (withLastlog && systemdSupport) '' moveToOutput "lib/systemd/system/lastlog2-import.service" "$lastlog" diff --git a/pkgs/by-name/ut/util-linux/pam_lastlog2-add-lpam-to-Makemodule.am.patch b/pkgs/by-name/ut/util-linux/pam_lastlog2-add-lpam-to-Makemodule.am.patch new file mode 100644 index 0000000000000..3ffb12387bb69 --- /dev/null +++ b/pkgs/by-name/ut/util-linux/pam_lastlog2-add-lpam-to-Makemodule.am.patch @@ -0,0 +1,52 @@ +From c8e620c6bcd044786c59f822810fc973090dbfa2 Mon Sep 17 00:00:00 2001 +From: Morgan Jones +Date: Mon, 2 Mar 2026 11:03:39 -0800 +Subject: [PATCH] pam_lastlog2: add -lpam to Makemodule.am + +If we don't add this, we don't actually link with PAM; compare the +before and after of `lib/security/pam_lastlog2.so`. + +``` +Dynamic section at offset 0x2ce8 contains 31 entries: + Tag Type Name/Value + 0x0000000000000001 (NEEDED) Shared library: [liblastlog2.so.2] + 0x0000000000000001 (NEEDED) Shared library: [libsqlite3.so] + 0x0000000000000001 (NEEDED) Shared library: [libc.so.6] + 0x000000000000000e (SONAME) Library soname: [pam_lastlog2.so] +``` + +``` +Dynamic section at offset 0x2cd8 contains 32 entries: + Tag Type Name/Value + 0x0000000000000001 (NEEDED) Shared library: [libpam.so.0] + 0x0000000000000001 (NEEDED) Shared library: [liblastlog2.so.2] + 0x0000000000000001 (NEEDED) Shared library: [libsqlite3.so] + 0x0000000000000001 (NEEDED) Shared library: [libc.so.6] + 0x000000000000000e (SONAME) Library soname: [pam_lastlog2.so] +``` + +This causes issues like https://github.com/NixOS/nixpkgs/issues/493934 +where the library has trouble linking with PAM symbols because it is not +linked. + +Signed-off-by: Morgan Jones +--- + pam_lastlog2/src/Makemodule.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pam_lastlog2/src/Makemodule.am b/pam_lastlog2/src/Makemodule.am +index 40d597c58..629930853 100644 +--- a/pam_lastlog2/src/Makemodule.am ++++ b/pam_lastlog2/src/Makemodule.am +@@ -13,7 +13,7 @@ pam_lastlog2_la_CFLAGS = \ + + pam_lastlog2_la_LIBADD = liblastlog2.la + +-pam_lastlog2_la_LDFLAGS = $(SOLIB_LDFLAGS) -module -avoid-version -shared ++pam_lastlog2_la_LDFLAGS = $(SOLIB_LDFLAGS) -lpam -module -avoid-version -shared + if HAVE_VSCRIPT + pam_lastlog2_la_LDFLAGS += $(VSCRIPT_LDFLAGS),$(top_srcdir)/pam_lastlog2/src/pam_lastlog2.sym + endif +-- +2.50.1 + diff --git a/pkgs/by-name/wo/wolfssl/package.nix b/pkgs/by-name/wo/wolfssl/package.nix index 8418be4e39d4a..9712703a5935f 100644 --- a/pkgs/by-name/wo/wolfssl/package.nix +++ b/pkgs/by-name/wo/wolfssl/package.nix @@ -17,13 +17,13 @@ }: stdenv.mkDerivation (finalAttrs: { pname = "wolfssl-${variant}"; - version = "5.9.0"; + version = "5.9.1"; src = fetchFromGitHub { owner = "wolfSSL"; repo = "wolfssl"; tag = "v${finalAttrs.version}-stable"; - hash = "sha256-Ov59Zt0UskADQThdzr9wni2junSpy3jiABWpiGr8xtg="; + hash = "sha256-FyEb94hsO2BaTEi1CJRfCsUiT1xyWCzu7Uys81g2CBE="; }; postPatch = '' diff --git a/pkgs/by-name/xd/xdg-user-dirs/package.nix b/pkgs/by-name/xd/xdg-user-dirs/package.nix index c0423a044442b..772c5873fa044 100644 --- a/pkgs/by-name/xd/xdg-user-dirs/package.nix +++ b/pkgs/by-name/xd/xdg-user-dirs/package.nix @@ -46,6 +46,10 @@ stdenv.mkDerivation (finalAttrs: { substituteInPlace "$out/lib/systemd/user/xdg-user-dirs.service" \ --replace-fail "/usr/bin/xdg-user-dirs-update" "$out/bin/xdg-user-dirs-update" + + # Autostart, because the installed service is never explicitly enabled in NixOS + substituteInPlace "$out/etc/xdg/autostart/xdg-user-dirs.desktop" \ + --replace-fail "X-systemd-skip=true" "X-systemd-skip=false" ''; meta = { diff --git a/pkgs/development/compilers/go/1.25.nix b/pkgs/development/compilers/go/1.25.nix index 3fdeb90035932..ed7f243279a1c 100644 --- a/pkgs/development/compilers/go/1.25.nix +++ b/pkgs/development/compilers/go/1.25.nix @@ -25,11 +25,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "go"; - version = "1.25.8"; + version = "1.25.9"; src = fetchurl { url = "https://go.dev/dl/go${finalAttrs.version}.src.tar.gz"; - hash = "sha256-6YjUokRqx/4/baoImljpk2pSo4E1Wt7ByJgyMKjWxZ4="; + hash = "sha256-DsnvjrzqCXqsN97K6fCachi0Uc2Wvn1u1RPY5Lz5Cc8="; }; strictDeps = true; diff --git a/pkgs/development/interpreters/spidermonkey/140.nix b/pkgs/development/interpreters/spidermonkey/140.nix index 862aa494d2404..f66957465bf98 100644 --- a/pkgs/development/interpreters/spidermonkey/140.nix +++ b/pkgs/development/interpreters/spidermonkey/140.nix @@ -1,4 +1,4 @@ import ./common.nix { - version = "140.5.0"; - hash = "sha512-QSI2oly+oXG9W9U15Fw7pAlXqU4fjdOrdCQeCqHEB1/LjTlLlhlZnWDOPkVj5xLIJfqL7EQXlPIpNWgC9ysoYQ=="; + version = "140.9.0"; + hash = "sha512-vAP9KnPQCoi9Cjye6u/mGP+zQib7e8L6xKAiRv8p/gOEI793U4Jz7m+sJfsePk+pi7UiAmrjQnoK1fQdLsa6mA=="; } diff --git a/pkgs/development/libraries/fmt/default.nix b/pkgs/development/libraries/fmt/default.nix index 281acff35b354..3b9a89e670f42 100644 --- a/pkgs/development/libraries/fmt/default.nix +++ b/pkgs/development/libraries/fmt/default.nix @@ -99,7 +99,7 @@ in }; fmt_12 = generic { - version = "12.0.0"; - hash = "sha256-AZDmIeU1HbadC+K0TIAGogvVnxt0oE9U6ocpawIgl6g="; + version = "12.1.0"; + hash = "sha256-ZmI1Dv0ZabPlxa02OpERI47jp7zFfjpeWCy1WyuPYZ0="; }; } diff --git a/pkgs/development/libraries/gdk-pixbuf/default.nix b/pkgs/development/libraries/gdk-pixbuf/default.nix index 8b782a3843049..0a1e32428806d 100644 --- a/pkgs/development/libraries/gdk-pixbuf/default.nix +++ b/pkgs/development/libraries/gdk-pixbuf/default.nix @@ -1,6 +1,7 @@ { stdenv, fetchurl, + fetchpatch, nixosTests, fixDarwinDylibNames, meson, @@ -28,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "gdk-pixbuf"; - version = "2.44.5"; + version = "2.44.6"; outputs = [ "out" @@ -40,12 +41,19 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = "mirror://gnome/sources/gdk-pixbuf/${lib.versions.majorMinor finalAttrs.version}/gdk-pixbuf-${finalAttrs.version}.tar.xz"; - hash = "sha256-abk+CRObgMDuZhUD1g3rWlh0oxdytRhLnNVGKkEAq2g="; + hash = "sha256-FAwtC4mfz4U+6SsmNzydwijbzeCCCkJGaT9DKKJ0Zvo="; }; patches = [ # Move installed tests to a separate output ./installed-tests-path.patch + + # Fix loading of xpm module if built-in + # https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/267 + (fetchpatch { + url = "https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/62b8f9fd0bb3b862823cd34afce4b389fbd27569.patch"; + hash = "sha256-ECEIt8lq/jBtDdBetErKpap2PWGav10vqCXKCpIQSyA="; + }) ]; # gdk-pixbuf-thumbnailer is not wrapped therefore strictDeps will work @@ -83,6 +91,8 @@ stdenv.mkDerivation (finalAttrs: { ]; mesonFlags = [ + # https://gitlab.archlinux.org/archlinux/packaging/packages/gdk-pixbuf2/-/work_items/13 + "-Dlegacy_xpm=enabled" "-Dgio_sniffing=false" "-Dandroid=disabled" "-Dglycin=disabled" diff --git a/pkgs/development/libraries/glibc/2.40-master.patch b/pkgs/development/libraries/glibc/2.40-master.patch index 664c2935d536f..6a7fe260cf8ca 100644 --- a/pkgs/development/libraries/glibc/2.40-master.patch +++ b/pkgs/development/libraries/glibc/2.40-master.patch @@ -57195,3 +57195,772 @@ index a7362ef31b..4cd2364519 100644 } if ((flags & WRDE_APPEND) == 0) + +commit 3978f880413cb508ecc0c5d372479083fdf664cc +Author: Yury Khrustalev +Date: Thu Nov 6 12:57:58 2025 +0000 + + posix: Fix invalid flags test for p{write,read}v2 + + Two tests fail from time to time when a new flag is added for the + p{write,read}v2 functions in a new Linux kernel: + + - misc/tst-preadvwritev2 + - misc/tst-preadvwritev64v2 + + This disrupts when testing Glibc on a system with a newer kernel + and it seems we can try improve testing for invalid flags setting + all the bits that are not supposed to be supported (rather than + setting only the next unsupported bit). + + Reviewed-by: Adhemerval Zanella + (cherry picked from commit 58a31b4316f1f687184eb147ffa1c676bc6a190e) + +diff --git a/misc/tst-preadvwritev2-common.c b/misc/tst-preadvwritev2-common.c +index 8e04ff7282..23ddf2e8b9 100644 +--- a/misc/tst-preadvwritev2-common.c ++++ b/misc/tst-preadvwritev2-common.c +@@ -106,9 +106,8 @@ do_test_with_invalid_iov (void) + static void + do_test_with_invalid_flags (void) + { +- /* Set the next bit from the mask of all supported flags. */ +- int invalid_flag = RWF_SUPPORTED != 0 ? __builtin_clz (RWF_SUPPORTED) : 2; +- invalid_flag = 0x1 << ((sizeof (int) * CHAR_BIT) - invalid_flag); ++ /* Set all the bits that are not used by the supported flags. */ ++ int invalid_flag = ~RWF_SUPPORTED; + + char buf[32]; + const struct iovec vec = { .iov_base = buf, .iov_len = sizeof (buf) }; + +commit b5f5f1f3d27d792c05f91dba8e815f2abb895a30 +Author: Florian Weimer +Date: Fri Nov 28 11:46:09 2025 +0100 + + iconvdata: Fix invalid pointer arithmetic in ANSI_X3.110 module + + The expression inptr + 1 can technically be invalid: if inptr == inend, + inptr may point one element past the end of an array. + + Reviewed-by: Adhemerval Zanella + (cherry picked from commit e98bd0c54d5e296ad1be91b6fe35260c6b87e733) + +diff --git a/iconvdata/ansi_x3.110.c b/iconvdata/ansi_x3.110.c +index 869cdf6540..44bd12a863 100644 +--- a/iconvdata/ansi_x3.110.c ++++ b/iconvdata/ansi_x3.110.c +@@ -407,7 +407,7 @@ static const char from_ucs4[][2] = + is also available. */ \ + uint32_t ch2; \ + \ +- if (inptr + 1 >= inend) \ ++ if (inend - inptr <= 1) \ + { \ + /* The second character is not available. */ \ + result = __GCONV_INCOMPLETE_INPUT; \ + +commit d951a94c7da83c5e37489d3daf5bbbf0b0c0d19a +Author: Florian Weimer +Date: Mon Jan 26 17:12:37 2026 +0100 + + posix: Run tst-wordexp-reuse-mem test + + The test was not properly scheduled for execution with a Makefile + dependency. + + Fixes commit 80cc58ea2de214f85b0a1d902a3b668ad2ecb302 ("posix: Reset + wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814"). + + (cherry picked from commit bed2db02f3183e93f21d506786c5f884a1dec9e7) + +diff --git a/posix/Makefile b/posix/Makefile +index 0cd5572297..1a0e150d99 100644 +--- a/posix/Makefile ++++ b/posix/Makefile +@@ -492,7 +492,7 @@ tests-special += \ + $(objpfx)tst-pcre-mem.out \ + $(objpfx)tst-rxspencer-no-utf8-mem.out \ + $(objpfx)tst-vfork3-mem.out \ +- $(objpfx)tst-wordexp-reuse.out \ ++ $(objpfx)tst-wordexp-reuse-mem.out \ + # tests-special + endif + endif + +commit acf870165a07fb229e10e53b1fd53520e8c0cf9d +Author: Carlos O'Donell +Date: Fri Mar 20 16:43:33 2026 -0400 + + resolv: Count records correctly (CVE-2026-4437) + + The answer section boundary was previously ignored, and the code in + getanswer_ptr would iterate past the last resource record, but not + beyond the end of the returned data. This could lead to subsequent data + being interpreted as answer records, thus violating the DNS + specification. Such resource records could be maliciously crafted and + hidden from other tooling, but processed by the glibc stub resolver and + acted upon by the application. While we trust the data returned by the + configured recursive resolvers, we should not trust its format and + should validate it as required. It is a security issue to incorrectly + process the DNS protocol. + + A regression test is added for response section crossing. + + No regressions on x86_64-linux-gnu. + + Reviewed-by: Collin Funk + (cherry picked from commit 9f5f18aab40ec6b61fa49a007615e6077e9a979b) + +diff --git a/resolv/Makefile b/resolv/Makefile +index abff7fc007..7d2aa9b542 100644 +--- a/resolv/Makefile ++++ b/resolv/Makefile +@@ -98,6 +98,7 @@ tests += \ + tst-resolv-basic \ + tst-resolv-binary \ + tst-resolv-byaddr \ ++ tst-resolv-dns-section \ + tst-resolv-edns \ + tst-resolv-invalid-cname \ + tst-resolv-network \ +@@ -109,6 +110,7 @@ tests += \ + tst-resolv-semi-failure \ + tst-resolv-short-response \ + tst-resolv-trailing \ ++ # tests + + # This test calls __res_context_send directly, which is not exported + # from libresolv. +@@ -286,6 +288,8 @@ $(objpfx)tst-resolv-aliases: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-basic: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-binary: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-byaddr: $(objpfx)libresolv.so $(shared-thread-library) ++$(objpfx)tst-resolv-dns-section: $(objpfx)libresolv.so \ ++ $(shared-thread-library) + $(objpfx)tst-resolv-edns: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-network: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-res_init: $(objpfx)libresolv.so +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c +index 95a7b3f0e5..74a7c08d0f 100644 +--- a/resolv/nss_dns/dns-host.c ++++ b/resolv/nss_dns/dns-host.c +@@ -820,7 +820,7 @@ getanswer_ptr (unsigned char *packet, size_t packetlen, + /* expected_name may be updated to point into this buffer. */ + unsigned char name_buffer[NS_MAXCDNAME]; + +- while (ancount > 0) ++ for (; ancount > 0; --ancount) + { + struct ns_rr_wire rr; + if (!__ns_rr_cursor_next (&c, &rr)) +diff --git a/resolv/tst-resolv-dns-section.c b/resolv/tst-resolv-dns-section.c +new file mode 100644 +index 0000000000..1171baef51 +--- /dev/null ++++ b/resolv/tst-resolv-dns-section.c +@@ -0,0 +1,162 @@ ++/* Test handling of invalid section transitions (bug 34014). ++ Copyright (C) 2022-2026 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++/* Name of test, and the second section type. */ ++struct item { ++ const char *test; ++ int ns_section; ++}; ++ ++static const struct item test_items[] = ++ { ++ { "Test crossing from ns_s_an to ns_s_ar.", ns_s_ar }, ++ { "Test crossing from ns_s_an to ns_s_an.", ns_s_ns }, ++ ++ { NULL, 0 }, ++ }; ++ ++/* The response is designed to contain the following: ++ - An Answer section with one T_PTR record that is skipped. ++ - A second section with a semantically invalid T_PTR record. ++ The original defect is that the response parsing would cross ++ section boundaries and handle the additional section T_PTR ++ as if it were an answer. A conforming implementation would ++ stop as soon as it reaches the end of the section. */ ++static void ++response (const struct resolv_response_context *ctx, ++ struct resolv_response_builder *b, ++ const char *qname, uint16_t qclass, uint16_t qtype) ++{ ++ TEST_COMPARE (qclass, C_IN); ++ ++ /* We only test PTR. */ ++ TEST_COMPARE (qtype, T_PTR); ++ ++ unsigned int count; ++ char *tail = NULL; ++ ++ if (strstr (qname, "in-addr.arpa") != NULL ++ && sscanf (qname, "%u.%ms", &count, &tail) == 2) ++ TEST_COMPARE_STRING (tail, "0.168.192.in-addr.arpa"); ++ else if (sscanf (qname, "%x.%ms", &count, &tail) == 2) ++ { ++ TEST_COMPARE_STRING (tail, "\ ++0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa"); ++ } ++ else ++ FAIL_EXIT1 ("invalid QNAME: %s\n", qname); ++ free (tail); ++ ++ /* We have a bounded number of possible tests. */ ++ TEST_VERIFY (count >= 0); ++ TEST_VERIFY (count <= 15); ++ ++ struct resolv_response_flags flags = {}; ++ resolv_response_init (b, flags); ++ resolv_response_add_question (b, qname, qclass, qtype); ++ resolv_response_section (b, ns_s_an); ++ ++ /* Actual answer record, but the wrong name (skipped). */ ++ resolv_response_open_record (b, "1.0.0.10.in-addr.arpa", qclass, qtype, 60); ++ ++ /* Record the answer. */ ++ resolv_response_add_name (b, "test.ptr.example.net"); ++ resolv_response_close_record (b); ++ ++ /* Add a second section to test section boundary crossing. */ ++ resolv_response_section (b, test_items[count].ns_section); ++ /* Semantically incorrect, but hide a T_PTR entry. */ ++ resolv_response_open_record (b, qname, qclass, qtype, 60); ++ resolv_response_add_name (b, "wrong.ptr.example.net"); ++ resolv_response_close_record (b); ++} ++ ++ ++/* Perform one check using a reverse lookup. */ ++static void ++check_reverse (int af, int count) ++{ ++ TEST_VERIFY (af == AF_INET || af == AF_INET6); ++ TEST_VERIFY (count < array_length (test_items)); ++ ++ char addr[sizeof (struct in6_addr)] = { 0 }; ++ socklen_t addrlen; ++ if (af == AF_INET) ++ { ++ addr[0] = (char) 192; ++ addr[1] = (char) 168; ++ addr[2] = (char) 0; ++ addr[3] = (char) count; ++ addrlen = 4; ++ } ++ else ++ { ++ addr[0] = 0x20; ++ addr[1] = 0x01; ++ addr[2] = 0x0d; ++ addr[3] = 0xb8; ++ addr[4] = addr[5] = addr[6] = addr[7] = 0x0; ++ addr[8] = addr[9] = addr[10] = addr[11] = 0x0; ++ addr[12] = 0x0; ++ addr[13] = 0x0; ++ addr[14] = 0x0; ++ addr[15] = count; ++ addrlen = 16; ++ } ++ ++ h_errno = 0; ++ struct hostent *answer = gethostbyaddr (addr, addrlen, af); ++ TEST_VERIFY (answer == NULL); ++ TEST_VERIFY (h_errno == NO_RECOVERY); ++ if (answer != NULL) ++ printf ("error: unexpected success: %s\n", ++ support_format_hostent (answer)); ++} ++ ++static int ++do_test (void) ++{ ++ struct resolv_test *obj = resolv_test_start ++ ((struct resolv_redirect_config) ++ { ++ .response_callback = response ++ }); ++ ++ for (int i = 0; test_items[i].test != NULL; i++) ++ { ++ check_reverse (AF_INET, i); ++ check_reverse (AF_INET6, i); ++ } ++ ++ resolv_test_end (obj); ++ ++ return 0; ++} ++ ++#include + +commit df2bb178a5a6119bcf9775d8c16961bfc5042dc1 +Author: Carlos O'Donell +Date: Fri Mar 20 17:14:33 2026 -0400 + + resolv: Check hostname for validity (CVE-2026-4438) + + The processed hostname in getanswer_ptr should be correctly checked to + avoid invalid characters from being allowed, including shell + metacharacters. It is a security issue to fail to check the returned + hostname for validity. + + A regression test is added for invalid metacharacters and other cases + of invalid or valid characters. + + No regressions on x86_64-linux-gnu. + + Reviewed-by: Adhemerval Zanella + (cherry picked from commit e10977481f4db4b2a3ce34fa4c3a1e26651ae312) + +diff --git a/resolv/Makefile b/resolv/Makefile +index 7d2aa9b542..20ffa9b5c8 100644 +--- a/resolv/Makefile ++++ b/resolv/Makefile +@@ -101,6 +101,7 @@ tests += \ + tst-resolv-dns-section \ + tst-resolv-edns \ + tst-resolv-invalid-cname \ ++ tst-resolv-invalid-ptr \ + tst-resolv-network \ + tst-resolv-noaaaa \ + tst-resolv-noaaaa-vc \ +@@ -299,6 +300,8 @@ $(objpfx)tst-resolv-res_init-thread: $(objpfx)libresolv.so \ + $(shared-thread-library) + $(objpfx)tst-resolv-invalid-cname: $(objpfx)libresolv.so \ + $(shared-thread-library) ++$(objpfx)tst-resolv-invalid-ptr: $(objpfx)libresolv.so \ ++ $(shared-thread-library) + $(objpfx)tst-resolv-noaaaa: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-noaaaa-vc: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library) +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c +index 74a7c08d0f..b8f5d61b2a 100644 +--- a/resolv/nss_dns/dns-host.c ++++ b/resolv/nss_dns/dns-host.c +@@ -866,7 +866,7 @@ getanswer_ptr (unsigned char *packet, size_t packetlen, + char hname[MAXHOSTNAMELEN + 1]; + if (__ns_name_unpack (c.begin, c.end, rr.rdata, + name_buffer, sizeof (name_buffer)) < 0 +- || !__res_binary_hnok (expected_name) ++ || !__res_binary_hnok (name_buffer) + || __ns_name_ntop (name_buffer, hname, sizeof (hname)) < 0) + { + *h_errnop = NO_RECOVERY; +diff --git a/resolv/tst-resolv-invalid-ptr.c b/resolv/tst-resolv-invalid-ptr.c +new file mode 100644 +index 0000000000..0c802ab967 +--- /dev/null ++++ b/resolv/tst-resolv-invalid-ptr.c +@@ -0,0 +1,255 @@ ++/* Test handling of invalid T_PTR results (bug 34015). ++ Copyright (C) 2022-2026 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++/* Name of test, the answer, the expected error return, and if we ++ expect the call to fail. */ ++struct item { ++ const char *test; ++ const char *answer; ++ int expected; ++ bool fail; ++}; ++ ++static const struct item test_items[] = ++ { ++ /* Test for invalid characters. */ ++ { "Invalid use of \"|\"", ++ "test.|.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"&\"", ++ "test.&.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \";\"", ++ "test.;.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"<\"", ++ "test.<.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \">\"", ++ "test.>.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"(\"", ++ "test.(.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \")\"", ++ "test.).ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"$\"", ++ "test.$.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"`\"", ++ "test.`.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"\\\"", ++ "test.\\.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"\'\"", ++ "test.'.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"\"\"", ++ "test.\".ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \" \"", ++ "test. .ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"\\t\"", ++ "test.\t.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"\\n\"", ++ "test.\n.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"\\r\"", ++ "test.\r.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"*\"", ++ "test.*.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"?\"", ++ "test.?.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"[\"", ++ "test.[.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"]\"", ++ "test.].ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \",\"", ++ "test.,.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"~\"", ++ "test.~.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \":\"", ++ "test.:.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"!\"", ++ "test.!.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"@\"", ++ "test.@.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"#\"", ++ "test.#.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"%\"", ++ "test.%%.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of \"^\"", ++ "test.^.ptr.example", NO_RECOVERY, true }, ++ ++ /* Test for invalid UTF-8 characters (2-byte, 4-byte, 6-byte). */ ++ { "Invalid use of UTF-8 (2-byte, U+00C0-U+00C2)", ++ "ÁÂÃ.test.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of UTF-8 (4-byte, U+0750-U+0752)", ++ "ݐݑݒ.test.ptr.example", NO_RECOVERY, true }, ++ { "Invalid use of UTF-8 (6-byte, U+0904-U+0906)", ++ "ऄअआ.test.ptr.example", NO_RECOVERY, true }, ++ ++ /* Test for "-" which may be valid depending on position. */ ++ { "Invalid leading \"-\"", ++ "-test.ptr.example", NO_RECOVERY, true }, ++ { "Valid trailing \"-\"", ++ "test-.ptr.example", 0, false }, ++ { "Valid mid-label use of \"-\"", ++ "te-st.ptr.example", 0, false }, ++ ++ /* Test for "_" which is always valid in any position. */ ++ { "Valid leading use of \"_\"", ++ "_test.ptr.example", 0, false }, ++ { "Valid mid-label use of \"_\"", ++ "te_st.ptr.example", 0, false }, ++ { "Valid trailing use of \"_\"", ++ "test_.ptr.example", 0, false }, ++ ++ /* Sanity test the broader set [A-Za-z0-9_-] of valid characters. */ ++ { "Valid \"[A-Z]\"", ++ "test.ABCDEFGHIJKLMNOPQRSTUVWXYZ.ptr.example", 0, false }, ++ { "Valid \"[a-z]\"", ++ "test.abcdefghijklmnopqrstuvwxyz.ptr.example", 0, false }, ++ { "Valid \"[0-9]\"", ++ "test.0123456789.ptr.example", 0, false }, ++ { "Valid mixed use of \"[A-Za-z0-9_-]\"", ++ "test.012abcABZ_-.ptr.example", 0, false }, ++ }; ++ ++static void ++response (const struct resolv_response_context *ctx, ++ struct resolv_response_builder *b, ++ const char *qname, uint16_t qclass, uint16_t qtype) ++{ ++ TEST_COMPARE (qclass, C_IN); ++ ++ /* We only test PTR. */ ++ TEST_COMPARE (qtype, T_PTR); ++ ++ unsigned int count, count1; ++ char *tail = NULL; ++ ++ /* The test implementation can handle up to 255 tests. */ ++ if (strstr (qname, "in-addr.arpa") != NULL ++ && sscanf (qname, "%u.%ms", &count, &tail) == 2) ++ TEST_COMPARE_STRING (tail, "0.168.192.in-addr.arpa"); ++ else if (sscanf (qname, "%x.%x.%ms", &count, &count1, &tail) == 3) ++ { ++ TEST_COMPARE_STRING (tail, "\ ++0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa"); ++ count |= count1 << 4; ++ } ++ else ++ FAIL_EXIT1 ("invalid QNAME: %s\n", qname); ++ free (tail); ++ ++ /* Cross check. Count has a fixed bound (soft limit). */ ++ TEST_VERIFY (count >= 0 && count <= 255); ++ ++ /* We have a fixed number of tests (hard limit). */ ++ TEST_VERIFY_EXIT (count < array_length (test_items)); ++ ++ struct resolv_response_flags flags = {}; ++ resolv_response_init (b, flags); ++ resolv_response_add_question (b, qname, qclass, qtype); ++ resolv_response_section (b, ns_s_an); ++ ++ /* Actual answer record. */ ++ resolv_response_open_record (b, qname, qclass, qtype, 60); ++ ++ /* Record the answer. */ ++ resolv_response_add_name (b, test_items[count].answer); ++ resolv_response_close_record (b); ++} ++ ++/* Perform one check using a reverse lookup. */ ++static void ++check_reverse (int af, int count) ++{ ++ TEST_VERIFY (af == AF_INET || af == AF_INET6); ++ TEST_VERIFY_EXIT (count < array_length (test_items)); ++ ++ /* Generate an address to query for each test. */ ++ char addr[sizeof (struct in6_addr)] = { 0 }; ++ socklen_t addrlen; ++ if (af == AF_INET) ++ { ++ addr[0] = (char) 192; ++ addr[1] = (char) 168; ++ addr[2] = (char) 0; ++ addr[3] = (char) count; ++ addrlen = 4; ++ } ++ else ++ { ++ addr[0] = 0x20; ++ addr[1] = 0x01; ++ addr[2] = 0x0d; ++ addr[3] = 0xb8; ++ addr[4] = addr[5] = addr[6] = addr[7] = 0x0; ++ addr[8] = addr[9] = addr[10] = addr[11] = 0x0; ++ addr[12] = 0x0; ++ addr[13] = 0x0; ++ addr[14] = 0x0; ++ addr[15] = (char) count; ++ addrlen = 16; ++ } ++ ++ h_errno = 0; ++ struct hostent *answer = gethostbyaddr (addr, addrlen, af); ++ ++ /* Verify h_errno is as expected. */ ++ TEST_COMPARE (h_errno, test_items[count].expected); ++ if (h_errno != test_items[count].expected) ++ /* And print more information if it's not. */ ++ printf ("INFO: %s\n", test_items[count].test); ++ ++ if (test_items[count].fail) ++ { ++ /* We expected a failure so verify answer is NULL. */ ++ TEST_VERIFY (answer == NULL); ++ /* If it's not NULL we should print out what we received. */ ++ if (answer != NULL) ++ printf ("error: unexpected success: %s\n", ++ support_format_hostent (answer)); ++ } ++ else ++ /* We don't expect a failure so answer must be valid. */ ++ TEST_COMPARE_STRING (answer->h_name, test_items[count].answer); ++} ++ ++static int ++do_test (void) ++{ ++ struct resolv_test *obj = resolv_test_start ++ ((struct resolv_redirect_config) ++ { ++ .response_callback = response ++ }); ++ ++ for (int i = 0; i < array_length (test_items); i++) ++ { ++ check_reverse (AF_INET, i); ++ check_reverse (AF_INET6, i); ++ } ++ resolv_test_end (obj); ++ ++ return 0; ++} ++ ++#include + +commit 573a7e46ecb32e2669cd83245f72697eabd7a7e8 +Author: Xi Ruoyao +Date: Tue Feb 3 16:20:12 2026 +0800 + + elf: parse /proc/self/maps as the last resort to find the gap for tst-link-map-contiguous-ldso + + The initialization process of libc.so calls mmap() several times and the + kernel may lay the maps into the gap. If all pages in the gap are + occupied, the test would not be able to find the gap with mmap() and the + test would fail. + + The failure reproduces most frequently on LoongArch because with the + commonly used page size (16 KiB) the gap only contains 4 pages and the + probability they are all occupied is not near to zero. + + With the changes in the patch, a test run may output: + + info: ld.so link map is not contiguous + info: object "/dev/zero" found at 0x7ffff1fe0000 - 0x7ffff1fe4000 + info: anonymous mapping found at 0x7ffff1fe4000 - 0x7ffff1fec000 + + Also take the chance to fix a mistake in the "object found at" message + which has puzzled me during the initial debug session. + + Signed-off-by: Xi Ruoyao + Reviewed-by: Adhemerval Zanella + (cherry picked from commit aed8390a6a22e5751fc12704c0c5f2a8271fc286) + +diff --git a/elf/tst-link-map-contiguous-ldso.c b/elf/tst-link-map-contiguous-ldso.c +index 04de808bb2..f0e26682f2 100644 +--- a/elf/tst-link-map-contiguous-ldso.c ++++ b/elf/tst-link-map-contiguous-ldso.c +@@ -18,15 +18,73 @@ + + #include + #include ++#include + #include + #include + #include + #include ++#include + #include + #include ++#include + #include + #include + ++/* Slow path in case we cannot find a gap with mmap (when the runtime has ++ mapped all the pages in the gap for some reason). */ ++static bool ++find_gap_with_proc_self_map (const struct link_map *l) ++{ ++ int pagesize = getpagesize (); ++ ++ support_need_proc ("Reads /proc/self/maps to find gap in ld.so mapping"); ++ ++ /* Parse /proc/self/maps and find all the mappings in the ld.so range ++ but not from ld.so. */ ++ FILE *f = xfopen ("/proc/self/maps", "r"); ++ char *line = NULL, *path_ldso = NULL; ++ size_t len; ++ bool found = false; ++ while (xgetline (&line, &len, f)) ++ { ++ uintptr_t from, to; ++ char *path = NULL; ++ int r = sscanf (line, "%" SCNxPTR "-%" SCNxPTR "%*s%*s%*s%*s%ms", ++ &from, &to, &path); ++ ++ TEST_VERIFY (r == 2 || r == 3); ++ TEST_COMPARE (from % pagesize, 0); ++ TEST_COMPARE (to % pagesize, 0); ++ ++ if (path_ldso == NULL && l->l_map_start == from) ++ { ++ TEST_COMPARE (r, 3); ++ path_ldso = path; ++ continue; ++ } ++ ++ if (from > l->l_map_start && to < l->l_map_end ++ && (r == 2 || (path_ldso != NULL && strcmp (path, path_ldso)))) ++ { ++ if (r == 2) ++ printf ("info: anonymous mapping found at 0x%" PRIxPTR " - 0x%" ++ PRIxPTR "\n", from, to); ++ else ++ printf ("info: object \"%s\" found at 0x%" PRIxPTR " - 0x%" ++ PRIxPTR "\n", path, from, to); ++ ++ found = true; ++ } ++ ++ free (path); ++ } ++ ++ free (path_ldso); ++ free (line); ++ xfclose (f); ++ return found; ++} ++ + static int + do_test (void) + { +@@ -64,16 +122,18 @@ do_test (void) + if ((void *) dlfo.dlfo_link_map != (void *) l) + { + printf ("info: object \"%s\" found at %p\n", +- dlfo.dlfo_link_map->l_name, ptr); ++ dlfo.dlfo_link_map->l_name, expected); + gap_found = true; + } + } + else + TEST_COMPARE (dlfo_ret, -1); ++ + xmunmap (ptr, 1); + addr += pagesize; + } +- if (!gap_found) ++ ++ if (!gap_found && !find_gap_with_proc_self_map (l)) + FAIL ("no ld.so gap found"); + } + else diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 858806671d3c3..e2740967c19f8 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -50,7 +50,7 @@ let version = "2.40"; - patchSuffix = "-218"; + patchSuffix = "-224"; sha256 = "sha256-GaiQF16SY9dI9ieZPeb0sa+c0h4D8IDkv7Oh+sECBaI="; in @@ -68,7 +68,7 @@ stdenv.mkDerivation ( /* No tarballs for stable upstream branch, only https://sourceware.org/git/glibc.git and using git would complicate bootstrapping. $ git fetch --all -p && git checkout origin/release/2.40/master && git describe - glibc-2.40-218-g9fe8576664 + glibc-2.40-224-g573a7e46ec $ git show --minimal --reverse glibc-2.40.. ':!ADVISORIES' > 2.40-master.patch To compare the archive contents zdiff can be used. diff --git a/pkgs/development/libraries/libpng/default.nix b/pkgs/development/libraries/libpng/default.nix index 074a520d8acb0..97c5d9d9ade91 100644 --- a/pkgs/development/libraries/libpng/default.nix +++ b/pkgs/development/libraries/libpng/default.nix @@ -10,21 +10,21 @@ assert zlib != null; let - patchVersion = "1.6.54"; + patchVersion = "1.6.56"; patch_src = fetchurl { url = "mirror://sourceforge/libpng-apng/libpng-${patchVersion}-apng.patch.gz"; - hash = "sha256-Vjj8RQDq9IRXtNfJ5VP9gqsB13MEpwB32DNoQp1E8bQ="; + hash = "sha256-nOMtSidjoqxfJYcmui9J6QETJ8HujDCGKjLQ8wiJ++g="; }; whenPatched = lib.optionalString apngSupport; in stdenv.mkDerivation (finalAttrs: { pname = "libpng" + whenPatched "-apng"; - version = "1.6.55"; + version = "1.6.56"; src = fetchurl { url = "mirror://sourceforge/libpng/libpng-${finalAttrs.version}.tar.xz"; - hash = "sha256-2SVyKGSDetWuKoIHDUsuBgPccq9EvUV8OWIpgli46C0="; + hash = "sha256-99i/FgG3gE9YOiVKs0OmVJymzyfSVcMCxHry2dNqbxg="; }; postPatch = whenPatched "gunzip < ${patch_src} | patch -Np1" diff --git a/pkgs/development/libraries/mbedtls/generic.nix b/pkgs/development/libraries/mbedtls/generic.nix index df19340cf0d83..05e42594795a3 100644 --- a/pkgs/development/libraries/mbedtls/generic.nix +++ b/pkgs/development/libraries/mbedtls/generic.nix @@ -54,6 +54,23 @@ stdenv.mkDerivation rec { # the repository and do not need to be regenerated. See: # https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.3.0 below "Requirement changes". "-DGEN_FILES=off" + ] + ++ lib.optionals (stdenv.cc.isGNU && lib.versionAtLeast stdenv.cc.version "15.0") [ + # mbedtls widely uses a pattern of starting unions with an + # unsigned int dummy member, and then initializing those unions to + # { 0 }. The problem with this is that it only initializes that + # first union member, so in the common case where the non-dummy + # members are larger than the dummy member, they will only be + # partially initialized since GCC 15[1]. Upstream has added + # ad-hoc memset calls to mitigate this issue, but initializers are + # also still widely used. To avoid the risk of using + # uninitialized memory, force the compiler to zero all bits of + # unions, not just the first element, until upstream has a + # systemic fix in place[2]. + # + # [1]: https://gcc.gnu.org/gcc-15/changes.html + # [2]: https://github.com/Mbed-TLS/mbedtls/issues/9885 + "-DCMAKE_C_FLAGS=-fzero-init-padding-bits=unions" ]; doCheck = true; diff --git a/pkgs/development/libraries/ngtcp2/default.nix b/pkgs/development/libraries/ngtcp2/default.nix index cef563d99f7af..0a660f088d68f 100644 --- a/pkgs/development/libraries/ngtcp2/default.nix +++ b/pkgs/development/libraries/ngtcp2/default.nix @@ -14,11 +14,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "ngtcp2"; - version = "1.17.0"; + version = "1.22.1"; src = fetchurl { url = "https://github.com/ngtcp2/ngtcp2/releases/download/v${finalAttrs.version}/ngtcp2-${finalAttrs.version}.tar.bz2"; - hash = "sha256-j8hYGdFp5il4pODbNlVILOdJUafqsMdmc3tXoxQY2mE="; + hash = "sha256-hzVHltWssZvzEMt3vgS9IgDDImWmvnyUuGMeJsjpPKQ="; }; outputs = [ diff --git a/pkgs/development/libraries/nss/esr.nix b/pkgs/development/libraries/nss/esr.nix index 6e835d0dc71fb..b2f2f54591b3d 100644 --- a/pkgs/development/libraries/nss/esr.nix +++ b/pkgs/development/libraries/nss/esr.nix @@ -1,6 +1,6 @@ import ./generic.nix { - version = "3.112.3"; - hash = "sha256-1gOfP3HM1irGuJ+ln6n1toJC46+K5Z7pGm26vSryU7M="; + version = "3.112.5"; + hash = "sha256-+u29CbE5IyapF5w4IeBXDiiNK7usVn30C08G5FWVC88="; filename = "esr.nix"; versionRegex = "NSS_(3)_(112)(?:_(\\d+))?_RTM"; } diff --git a/pkgs/development/libraries/openssl/3.6/mingw-define-netreset.patch b/pkgs/development/libraries/openssl/3.6/mingw-define-netreset.patch deleted file mode 100644 index 6da9be22ff727..0000000000000 --- a/pkgs/development/libraries/openssl/3.6/mingw-define-netreset.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 3d04d5b678c2f95975d1639dc21398b79308af54 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Alexander=20Hansen=20F=C3=A6r=C3=B8y?= -Date: Wed, 28 Jan 2026 17:55:02 +0100 -Subject: [PATCH] Explicitly define `SIO_UDP_NETRESET` for MinGW builds. - -This patch explicitly defines the value `SIO_UDP_NETRESET` according to -both what Windows and ReactOS does. - -Fixes: #29818. ---- - ssl/quic/quic_reactor.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/ssl/quic/quic_reactor.c b/ssl/quic/quic_reactor.c -index a754f285bbe2b..d8ac969d02a69 100644 ---- a/ssl/quic/quic_reactor.c -+++ b/ssl/quic/quic_reactor.c -@@ -76,6 +76,12 @@ void ossl_quic_reactor_cleanup(QUIC_REACTOR *rtor) - } - - #if defined(OPENSSL_SYS_WINDOWS) -+ -+/* Work around for MinGW builds. */ -+#if defined(__MINGW32__) && !defined(SIO_UDP_NETRESET) -+# define SIO_UDP_NETRESET _WSAIOW(IOC_VENDOR, 15) -+#endif -+ - /* - * On Windows recvfrom() may return WSAECONNRESET when destination port - * used in preceding call to sendto() is no longer reachable. The reset diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index 65e60207656e1..4fec5bbc1085a 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -429,8 +429,8 @@ in }; openssl_3 = common { - version = "3.0.19"; - hash = "sha256-+lpBQ7iq4YvlPvLzyvKaLgdHQwuLx00y2IM1uUq2MHI="; + version = "3.0.20"; + hash = "sha256-yAoB38cOzk3CEWiTLDdzkELUBNRszIGlmG3XUxTs2m8="; patches = [ # Support for NIX_SSL_CERT_FILE, motivation: @@ -455,8 +455,8 @@ in }; openssl_3_6 = common { - version = "3.6.1"; - hash = "sha256-sb/tzVson/Iq7ofJ1gD1FXZ+v0X3cWjLbWTyMfUYqC4="; + version = "3.6.2"; + hash = "sha256-qvUaH+BkOE+BHa6utOxNznNA7IvYkwJ+7mdq8x6DoE8="; patches = [ # Support for NIX_SSL_CERT_FILE, motivation: @@ -474,9 +474,6 @@ in else ./3.6/use-etc-ssl-certs.patch ) - ] - ++ lib.optionals stdenv.hostPlatform.isMinGW [ - ./3.6/mingw-define-netreset.patch ]; withDocs = true; diff --git a/pkgs/development/python-modules/aioboto3/default.nix b/pkgs/development/python-modules/aioboto3/default.nix index f11a8f3088626..57358c48dd4dc 100644 --- a/pkgs/development/python-modules/aioboto3/default.nix +++ b/pkgs/development/python-modules/aioboto3/default.nix @@ -60,6 +60,17 @@ buildPythonPackage rec { disabledTests = [ "test_patches" + ] + ++ [ + # DynamoDB tests fail with aiobotocore 3.x due to HTTP header issue with moto: + # "Duplicate 'Server' header found" - same issue as aiobotocore disables + "test_dynamo_resource_query" + "test_dynamo_resource_put" + "test_dynamo_resource_batch_write_flush_on_exit_context" + "test_dynamo_resource_batch_write_flush_amount" + "test_flush_doesnt_reset_item_buffer" + "test_dynamo_resource_property" + "test_dynamo_resource_waiter" ]; pythonImportsCheck = [ "aioboto3" ]; diff --git a/pkgs/development/python-modules/aiohttp/default.nix b/pkgs/development/python-modules/aiohttp/default.nix index a3beffd1a863d..35d70f9198479 100644 --- a/pkgs/development/python-modules/aiohttp/default.nix +++ b/pkgs/development/python-modules/aiohttp/default.nix @@ -51,14 +51,14 @@ buildPythonPackage rec { pname = "aiohttp"; - version = "3.13.3"; + version = "3.13.4"; pyproject = true; src = fetchFromGitHub { owner = "aio-libs"; repo = "aiohttp"; tag = "v${version}"; - hash = "sha256-V+digrfigdA3hwd2xW47BACh3r07j6pGE8WFAGivZnA="; + hash = "sha256-/MpN8Lvdm6ZN18eLip0YXHEFzJqRsWWyx1HHfqTmjqA="; }; postPatch = '' diff --git a/pkgs/development/python-modules/astropy-iers-data/default.nix b/pkgs/development/python-modules/astropy-iers-data/default.nix index c737ec1190f2a..dadecba128520 100644 --- a/pkgs/development/python-modules/astropy-iers-data/default.nix +++ b/pkgs/development/python-modules/astropy-iers-data/default.nix @@ -8,14 +8,14 @@ buildPythonPackage rec { pname = "astropy-iers-data"; - version = "0.2025.8.4.0.42.59"; + version = "0.2026.1.19.0.42.31"; pyproject = true; src = fetchFromGitHub { owner = "astropy"; repo = "astropy-iers-data"; tag = "v${version}"; - hash = "sha256-Izqm626PZzjnMNUzPW2x15ER7fn5f9+m2X434vXV/yo="; + hash = "sha256-psxVL7375xQuo6mqh+5rvv0xEuZNUOtFco1BrPPWLtg="; }; build-system = [ @@ -29,6 +29,7 @@ buildPythonPackage rec { doCheck = false; meta = { + changelog = "https://github.com/astropy/astropy-iers-data/releases/tag/${src.tag}"; description = "IERS data maintained by @astrofrog and astropy.utils.iers maintainers"; homepage = "https://github.com/astropy/astropy-iers-data"; license = lib.licenses.bsd3; diff --git a/pkgs/development/python-modules/astropy/default.nix b/pkgs/development/python-modules/astropy/default.nix index 0489821f7a82c..105a23588120e 100644 --- a/pkgs/development/python-modules/astropy/default.nix +++ b/pkgs/development/python-modules/astropy/default.nix @@ -1,6 +1,6 @@ { lib, - fetchPypi, + fetchFromGitHub, buildPythonPackage, pythonOlder, @@ -55,14 +55,16 @@ buildPythonPackage rec { pname = "astropy"; - version = "7.1.0"; + version = "7.2.0"; pyproject = true; disabled = pythonOlder "3.11"; - src = fetchPypi { - inherit pname version; - hash = "sha256-yPJUMiKVsbjPJDA9bxVb9+/bbBKCiCuWbOMEDv+MU8U="; + src = fetchFromGitHub { + owner = "astropy"; + repo = "astropy"; + tag = "v${version}"; + hash = "sha256-U9kCzyOZcttlUP0DUGkhJVkk96sBM/Gm/s5ZPJZcEoA="; }; env = lib.optionalAttrs stdenv.cc.isClang { @@ -145,6 +147,10 @@ buildPythonPackage rec { preCheck = '' export HOME="$(mktemp -d)" export OMP_NUM_THREADS=$(( $NIX_BUILD_CORES / 4 )) + if [ $OMP_NUM_THREADS -eq 0 ]; then + export OMP_NUM_THREADS=1 + fi + # See https://github.com/astropy/astropy/issues/17649 and see # --hypothesis-profile=ci pytest flag below. cp conftest.py $out/ @@ -159,6 +165,7 @@ buildPythonPackage rec { ''; meta = { + changelog = "https://docs.astropy.org/en/${src.tag}/changelog.html"; description = "Astronomy/Astrophysics library for Python"; homepage = "https://www.astropy.org"; license = lib.licenses.bsd3; diff --git a/pkgs/development/python-modules/cryptography/default.nix b/pkgs/development/python-modules/cryptography/default.nix index eef08b32b5461..388b9bc8c276c 100644 --- a/pkgs/development/python-modules/cryptography/default.nix +++ b/pkgs/development/python-modules/cryptography/default.nix @@ -22,7 +22,7 @@ buildPythonPackage rec { pname = "cryptography"; - version = "46.0.5"; + version = "46.0.7"; pyproject = true; disabled = pythonOlder "3.7"; @@ -31,7 +31,7 @@ buildPythonPackage rec { owner = "pyca"; repo = "cryptography"; tag = version; - hash = "sha256-jzdkAVMnKr0z1MBUgs6xjLnTZrqNOBwq3w56JDwgFgk="; + hash = "sha256-xMe+gQl4/CfoT+H21ltbo+aPILoRYCAlylsqnB7Ms8s="; }; cargoDeps = rustPlatform.fetchCargoVendor { diff --git a/pkgs/development/python-modules/django/4.nix b/pkgs/development/python-modules/django/4.nix index 598dfcfb70568..33a4ff509e2a6 100644 --- a/pkgs/development/python-modules/django/4.nix +++ b/pkgs/development/python-modules/django/4.nix @@ -45,7 +45,7 @@ buildPythonPackage rec { pname = "django"; - version = "4.2.29"; + version = "4.2.30"; pyproject = true; disabled = pythonOlder "3.8"; @@ -54,7 +54,7 @@ buildPythonPackage rec { owner = "django"; repo = "django"; tag = version; - hash = "sha256-30OcLxtACSxLJ1jT+k7fmM8CyMyleXSPc+l7/3JZKzI="; + hash = "sha256-LbB5eiKy8chxLLe7Cz0qkN0Iv7CGYAvESnF8V84eCcU="; }; patches = [ diff --git a/pkgs/development/python-modules/pillow/default.nix b/pkgs/development/python-modules/pillow/default.nix index bc4007bd63c9b..94debf52dc9d3 100644 --- a/pkgs/development/python-modules/pillow/default.nix +++ b/pkgs/development/python-modules/pillow/default.nix @@ -4,6 +4,7 @@ buildPythonPackage, pythonOlder, fetchFromGitHub, + fetchpatch, # build-system setuptools, @@ -54,6 +55,15 @@ buildPythonPackage rec { hash = "sha256-NlmNabyoHiakwvomjivTA7N304ovNCMDSaBLSmcmZ7w="; }; + patches = [ + (fetchpatch { + # https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j + name = "CVE-2026-40192.patch"; + url = "https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628.patch"; + hash = "sha256-7Hh72WoD7Iy/aB1J7w5X6ge3wx4lPWAQrOR6luO0FOg="; + }) + ]; + build-system = [ setuptools pybind11 diff --git a/pkgs/development/python-modules/psycopg/default.nix b/pkgs/development/python-modules/psycopg/default.nix index b6558b5ff6931..406592958ddd5 100644 --- a/pkgs/development/python-modules/psycopg/default.nix +++ b/pkgs/development/python-modules/psycopg/default.nix @@ -220,6 +220,7 @@ buildPythonPackage rec { "refcount" "timing" "flakey" + "slow" ]; postCheck = '' diff --git a/pkgs/development/python-modules/pygments/CVE-2026-4539.patch b/pkgs/development/python-modules/pygments/CVE-2026-4539.patch new file mode 100644 index 0000000000000..5bd27874c8ad1 --- /dev/null +++ b/pkgs/development/python-modules/pygments/CVE-2026-4539.patch @@ -0,0 +1,34 @@ +From 2be805d86471efb8efd51886d4d11a33fa22a928 Mon Sep 17 00:00:00 2001 +From: "zam." +Date: Wed, 25 Mar 2026 11:47:14 +0700 +Subject: [PATCH] fix(lexers): prevent ReDoS in archetype lexer GUID and ID + patterns + +--- + pygments/lexers/archetype.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/pygments/lexers/archetype.py b/pygments/lexers/archetype.py +index 5b3eb21ae7..977b02f751 100644 +--- a/pygments/lexers/archetype.py ++++ b/pygments/lexers/archetype.py +@@ -35,8 +35,8 @@ class AtomsLexer(RegexLexer): + (r'([ \t]*)(--.*)$', bygroups(Whitespace, Comment)), + ], + 'archetype_id': [ +- (r'([ \t]*)(([a-zA-Z]\w+(\.[a-zA-Z]\w+)*::)?[a-zA-Z]\w+(-[a-zA-Z]\w+){2}' +- r'\.\w+[\w-]*\.v\d+(\.\d+){,2}((-[a-z]+)(\.\d+)?)?)', ++ (r'([ \t]*)(([a-zA-Z]\w{1,100}(\.[a-zA-Z]\w{1,100})*::)?[a-zA-Z]\w{1,100}(-[a-zA-Z]\w{1,100}){2}' ++ r'\.\w{1,100}[\w-]*\.v\d+(\.\d+){,2}((-[a-z]+)(\.\d+)?)?)', + bygroups(Whitespace, Name.Decorator)), + ], + 'date_constraints': [ +@@ -293,7 +293,7 @@ class AdlLexer(AtomsLexer): + # numbers and version ids + (r'\d+(\.\d+)*', Literal), + # Guids +- (r'(\d|[a-fA-F])+(-(\d|[a-fA-F])+){3,}', Literal), ++ (r'[0-9a-fA-F]{1,36}(-[0-9a-fA-F]{1,36}){3,}', Literal), + (r'\w+', Name.Class), + (r'"', String, 'string'), + (r'=', Operator), diff --git a/pkgs/development/python-modules/pygments/default.nix b/pkgs/development/python-modules/pygments/default.nix index 7966f6ebd742d..69e42e3aec4f1 100644 --- a/pkgs/development/python-modules/pygments/default.nix +++ b/pkgs/development/python-modules/pygments/default.nix @@ -23,6 +23,12 @@ let hash = "sha256-Y2yyR3zsf4lSU2lwvFM7xDdDVC9wOSrgJjdGAK3VuIc="; }; + patches = [ + # https://github.com/NixOS/nixpkgs/issues/502540 + # https://github.com/pygments/pygments/issues/3058 + ./CVE-2026-4539.patch + ]; + nativeBuildInputs = [ hatchling ]; # circular dependencies if enabled by default diff --git a/pkgs/development/python-modules/pyopenssl/default.nix b/pkgs/development/python-modules/pyopenssl/default.nix index 4d1273ad71fd0..4c61fa9bc75a6 100644 --- a/pkgs/development/python-modules/pyopenssl/default.nix +++ b/pkgs/development/python-modules/pyopenssl/default.nix @@ -3,6 +3,7 @@ stdenv, buildPythonPackage, fetchFromGitHub, + fetchpatch, openssl, setuptools, cryptography, @@ -26,6 +27,21 @@ buildPythonPackage rec { hash = "sha256-QF511MVyjfddmkTd2H7RNJeoWs+e0me4i55YGP4t910="; }; + patches = [ + (fetchpatch { + name = "CVE-2026-27459.patch"; + url = "https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408.patch"; + excludes = [ "CHANGELOG.rst" ]; + hash = "sha256-pj1T6E8+wbLGeu9BinX95XUayn1CAm31QlvrNocKdDc="; + }) + (fetchpatch { + name = "CVE-2026-27448.patch"; + url = "https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0.patch"; + excludes = [ "CHANGELOG.rst" ]; + hash = "sha256-tpFgG92PxeAr2aN1NalqcV5CCPt8SJe68VacEXSFMUw="; + }) + ]; + outputs = [ "out" "dev" diff --git a/pkgs/development/python-modules/python-multipart/CVE-2026-40347-part-2.patch b/pkgs/development/python-modules/python-multipart/CVE-2026-40347-part-2.patch new file mode 100644 index 0000000000000..ea8e5b2e95f85 --- /dev/null +++ b/pkgs/development/python-modules/python-multipart/CVE-2026-40347-part-2.patch @@ -0,0 +1,106 @@ +Based on upstream d4452a78bbde94995dd3c0d1b4aff3610a5c472f, adjusted +to apply to 0.0.22 + +diff --git a/python_multipart/multipart.py b/python_multipart/multipart.py +index 0f238c2..d2a597e 100644 +--- a/python_multipart/multipart.py ++++ b/python_multipart/multipart.py +@@ -1418,12 +1418,8 @@ class MultipartParser(BaseParser): + state = MultipartState.END + + elif state == MultipartState.END: +- # Don't do anything if chunk ends with CRLF. +- if c == CR and i + 1 < length and data[i + 1] == LF: +- i += 2 +- continue +- # Skip data after the last boundary. +- self.logger.warning("Skipping data after last boundary") ++ # Silently discard any epilogue data (RFC 2046 section 5.1.1 allows a CRLF and optional ++ # epilogue after the closing boundary). Django and Werkzeug do the same. + i = length + break + +diff --git a/tests/test_multipart.py b/tests/test_multipart.py +index 75982b6..3e8dd89 100644 +--- a/tests/test_multipart.py ++++ b/tests/test_multipart.py +@@ -1,6 +1,5 @@ + from __future__ import annotations + +-import logging + import os + import random + import sys +@@ -722,6 +721,14 @@ single_byte_tests = [ + "single_field_single_file", + ] + ++EPILOGUE_TEST_HEAD = ( ++ "--boundary\r\n" ++ 'Content-Disposition: form-data; name="file"; filename="filename.txt"\r\n' ++ "Content-Type: text/plain\r\n\r\n" ++ "hello\r\n" ++ "--boundary--" ++).encode("latin-1") ++ + + def split_all(val: bytes) -> Iterator[tuple[bytes, bytes]]: + """ +@@ -1266,7 +1273,7 @@ class TestFormParser(unittest.TestCase): + self.assert_file_data(files[0], b"hello") + + def test_multipart_parser_data_after_last_boundary(self) -> None: +- """This test makes sure that the parser does not handle when there is junk data after the last boundary.""" ++ """Parser must short-circuit on arbitrary epilogue data after the closing boundary (no O(N) scan).""" + num = 50_000_000 + data = ( + "--boundary\r\n" +@@ -1284,29 +1291,32 @@ class TestFormParser(unittest.TestCase): + f = FormParser("multipart/form-data", on_field=Mock(), on_file=on_file, boundary="boundary") + f.write(data.encode("latin-1")) + +- @pytest.fixture(autouse=True) +- def inject_fixtures(self, caplog: pytest.LogCaptureFixture) -> None: +- self._caplog = caplog +- +- def test_multipart_parser_data_end_with_crlf_without_warnings(self) -> None: +- """This test makes sure that the parser does not handle when the data ends with a CRLF.""" +- data = ( +- "--boundary\r\n" +- 'Content-Disposition: form-data; name="file"; filename="filename.txt"\r\n' +- "Content-Type: text/plain\r\n\r\n" +- "hello\r\n" +- "--boundary--\r\n" +- ) ++ @parametrize( ++ "chunks", ++ [ ++ [EPILOGUE_TEST_HEAD + b"\r\n"], ++ [EPILOGUE_TEST_HEAD + b"\r", b"\n"], ++ [EPILOGUE_TEST_HEAD, b"\r\n"], ++ [EPILOGUE_TEST_HEAD + b"\r\n--boundary\r\nthis is not a valid header\r\n\r\nnot a real part"], ++ ], ++ ) ++ def test_multipart_parser_ignores_epilogue(self, chunks: list[bytes]) -> None: ++ """Epilogue data after the closing boundary must be ignored. + ++ Covers both the single-chunk case and the case where trailing CRLF is split across `write()` calls. ++ The final case asserts that epilogue bytes are not parsed or validated. ++ """ + files: list[File] = [] + + def on_file(f: FileProtocol) -> None: + files.append(cast(File, f)) + + f = FormParser("multipart/form-data", on_field=Mock(), on_file=on_file, boundary="boundary") +- with self._caplog.at_level(logging.WARNING): +- f.write(data.encode("latin-1")) +- assert len(self._caplog.records) == 0 ++ for chunk in chunks: ++ f.write(chunk) ++ ++ assert len(files) == 1 ++ self.assert_file_data(files[0], b"hello") + + def test_max_size_multipart(self) -> None: + # Load test data. diff --git a/pkgs/development/python-modules/python-multipart/default.nix b/pkgs/development/python-modules/python-multipart/default.nix index 639b696624a26..a297bbc792ecc 100644 --- a/pkgs/development/python-modules/python-multipart/default.nix +++ b/pkgs/development/python-modules/python-multipart/default.nix @@ -2,6 +2,7 @@ lib, buildPythonPackage, fetchFromGitHub, + fetchpatch, hatchling, pytestCheckHook, mock, @@ -27,6 +28,15 @@ buildPythonPackage rec { hash = "sha256-y8wLGRvc7xSmkSyK77Tl5V6mMneS+dtmqBLZOhvmRSY="; }; + patches = [ + (fetchpatch { + name = "CVE-2026-40347-part-1.patch"; + url = "https://github.com/Kludex/python-multipart/commit/6a7b76dd2653d99d8e5981d7ff09a4a047750b37.patch"; + hash = "sha256-W1nyYMMoaf+lsNze3ppPeAXN+swG1dScDibazePSt+k="; + }) + ./CVE-2026-40347-part-2.patch + ]; + build-system = [ hatchling ]; pythonImportsCheck = [ "python_multipart" ]; diff --git a/pkgs/development/python-modules/qtawesome/default.nix b/pkgs/development/python-modules/qtawesome/default.nix index f80fe3f9868e6..9b860a5bc5ca6 100644 --- a/pkgs/development/python-modules/qtawesome/default.nix +++ b/pkgs/development/python-modules/qtawesome/default.nix @@ -2,7 +2,7 @@ lib, buildPythonPackage, fetchFromGitHub, - pyqt5, + pyqt6, pytestCheckHook, pythonOlder, qtpy, @@ -23,7 +23,7 @@ buildPythonPackage rec { }; propagatedBuildInputs = [ - pyqt5 + pyqt6 qtpy ]; diff --git a/pkgs/development/python-modules/qtconsole/default.nix b/pkgs/development/python-modules/qtconsole/default.nix index a6382daba3789..e3d92b9de64aa 100644 --- a/pkgs/development/python-modules/qtconsole/default.nix +++ b/pkgs/development/python-modules/qtconsole/default.nix @@ -11,7 +11,7 @@ jupyter-core, jupyter-client, pygments, - pyqt5, + pyqt6, qtpy, traitlets, @@ -38,7 +38,7 @@ buildPythonPackage rec { jupyter-core jupyter-client pygments - pyqt5 + pyqt6 qtpy traitlets ]; diff --git a/pkgs/development/python-modules/requests/default.nix b/pkgs/development/python-modules/requests/default.nix index c669a2591d7f8..e3fe547cd6c95 100644 --- a/pkgs/development/python-modules/requests/default.nix +++ b/pkgs/development/python-modules/requests/default.nix @@ -18,7 +18,7 @@ buildPythonPackage rec { pname = "requests"; - version = "2.32.5"; + version = "2.33.1"; pyproject = true; disabled = pythonOlder "3.9"; @@ -29,7 +29,7 @@ buildPythonPackage rec { owner = "psf"; repo = "requests"; tag = "v${version}"; - hash = "sha256-cEBalMFoYFaGG8M48k+OEBvzLegzrTNP1NxH2ljP6qg="; + hash = "sha256-cQnCTMmpdkvWwt7RFAIhAfmhVwGVn0Y8Z5Tr6lzDmS8="; }; build-system = [ setuptools ]; diff --git a/pkgs/development/python-modules/spyder/default.nix b/pkgs/development/python-modules/spyder/default.nix index 34b1a155ab715..901e81578c395 100644 --- a/pkgs/development/python-modules/spyder/default.nix +++ b/pkgs/development/python-modules/spyder/default.nix @@ -4,7 +4,7 @@ fetchPypi, # nativeBuildInputs - pyqtwebengine, + pyqt6-webengine, # build-system setuptools, @@ -36,6 +36,7 @@ pylint-venv, pyls-spyder, pyopengl, + pyqt6, python-lsp-black, python-lsp-ruff, python-lsp-server, @@ -55,6 +56,7 @@ three-merge, watchdog, yarl, + qt6, }: buildPythonPackage rec { @@ -69,7 +71,7 @@ buildPythonPackage rec { patches = [ ./dont-clear-pythonpath.patch ]; - nativeBuildInputs = [ pyqtwebengine.wrapQtAppsHook ]; + nativeBuildInputs = [ qt6.wrapQtAppsHook ]; build-system = [ setuptools ]; @@ -78,6 +80,11 @@ buildPythonPackage rec { "python-lsp-server" ]; + buildInputs = [ + qt6.qtbase + qt6.qtwayland + ]; + dependencies = [ aiohttp asyncssh @@ -105,7 +112,7 @@ buildPythonPackage rec { pylint-venv pyls-spyder pyopengl - pyqtwebengine + pyqt6-webengine python-lsp-black python-lsp-ruff python-lsp-server @@ -125,12 +132,15 @@ buildPythonPackage rec { three-merge watchdog yarl + pyqt6 ] ++ python-lsp-server.optional-dependencies.all; # There is no test for spyder doCheck = false; + env.SPYDER_QT_BINDING = "pyqt6"; + postInstall = '' # Add Python libs to env so Spyder subprocesses # created to run compute kernels don't fail with ImportErrors diff --git a/pkgs/development/python-modules/superqt/default.nix b/pkgs/development/python-modules/superqt/default.nix index aa0109a6b3b2d..35eac4d6118d1 100644 --- a/pkgs/development/python-modules/superqt/default.nix +++ b/pkgs/development/python-modules/superqt/default.nix @@ -37,7 +37,6 @@ buildPythonPackage rec { dependencies = [ pygments - pyqt5 qtpy typing-extensions ]; @@ -47,6 +46,7 @@ buildPythonPackage rec { pyside2 = [ pyside2 ]; pyside6 = [ pyside6 ]; pyqt6 = [ pyqt6 ]; + pyqt5 = [ pyqt5 ]; }; nativeCheckInputs = [ pytestCheckHook ]; diff --git a/pkgs/development/web/nodejs/nodejs.nix b/pkgs/development/web/nodejs/nodejs.nix index d11aafdb1713d..772aa6c816010 100644 --- a/pkgs/development/web/nodejs/nodejs.nix +++ b/pkgs/development/web/nodejs/nodejs.nix @@ -430,6 +430,12 @@ let ++ lib.optional ( majorVersion == "22" && stdenv.buildPlatform.isDarwin ) "test/sequential/test-http-server-request-timeouts-mixed.js" + # https://github.com/NixOS/nixpkgs/pull/507974#issuecomment-4249433124 + # OpenSSL reports different errors + # https://github.com/nodejs/node/pull/62629 + # patch does not apply + ++ lib.optional (!lib.versionAtLeast version "24") "test-tls-junk-server" + ++ lib.optional (majorVersion == "22") "test-tls-alert-handling" ) }" ]; diff --git a/pkgs/os-specific/linux/systemd/0007-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch b/pkgs/os-specific/linux/systemd/0007-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch index 254a63c1a1072..8168a7d755708 100644 --- a/pkgs/os-specific/linux/systemd/0007-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch +++ b/pkgs/os-specific/linux/systemd/0007-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch @@ -5,12 +5,12 @@ Subject: [PATCH] Change /usr/share/zoneinfo to /etc/zoneinfo NixOS uses this path. --- - man/localtime.xml | 4 ++-- - src/basic/time-util.c | 8 ++++---- - src/firstboot/firstboot.c | 9 +++------ - src/nspawn/nspawn.c | 4 ++-- - src/timedate/timedated.c | 8 ++++---- - 5 files changed, 15 insertions(+), 18 deletions(-) + man/localtime.xml | 4 ++-- + src/basic/time-util.c | 8 ++++---- + src/firstboot/firstboot.c | 9 +++------ + src/nspawn/nspawn.c | 4 ++-- + src/timedate/timedated.c | 15 +++++++++------ + 5 files changed, 20 insertions(+), 20 deletions(-) diff --git a/man/localtime.xml b/man/localtime.xml index 3a13e04a27..4fd58068a1 100644 @@ -35,7 +35,7 @@ index 3a13e04a27..4fd58068a1 100644 Etc/UTC. The resulting link should lead to the corresponding binary diff --git a/src/basic/time-util.c b/src/basic/time-util.c -index 55931a2546..2e00bd7539 100644 +index 5dd00af952..b97a41f6ac 100644 --- a/src/basic/time-util.c +++ b/src/basic/time-util.c @@ -1410,7 +1410,7 @@ static int get_timezones_from_zone1970_tab(char ***ret) { @@ -70,7 +70,7 @@ index 55931a2546..2e00bd7539 100644 return r; /* Return EINVAL if not a symlink */ - const char *e = PATH_STARTSWITH_SET(t, "/usr/share/zoneinfo/", "../usr/share/zoneinfo/"); -+ const char *e = PATH_STARTSWITH_SET(t, "/etc/zoneinfo/", "../etc/zoneinfo/", "zoneinfo/"); ++ const char *e = PATH_STARTSWITH_SET(t, "/etc/zoneinfo/", "../etc/zoneinfo/"); if (!e) return -EINVAL; if (!timezone_is_valid(e, LOG_DEBUG)) @@ -103,7 +103,7 @@ index 5ed6d3a9d2..f922d91a9d 100644 return log_error_errno(r, "Failed to create /etc/localtime symlink: %m"); diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c -index 480a9c55c6..02c9ae6608 100644 +index a0052c1c88..cd4a48c9ef 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -1821,8 +1821,8 @@ int userns_mkdir(const char *root, const char *path, mode_t mode, uid_t uid, gid @@ -112,13 +112,13 @@ index 480a9c55c6..02c9ae6608 100644 path, - "../usr/share/zoneinfo/", - "/usr/share/zoneinfo/"); -+ "../etc/zoneinfo/", "zoneinfo/", ++ "../etc/zoneinfo/", + "/etc/zoneinfo/"); } static bool etc_writable(void) { diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c -index 57f3413dc6..6a456fe601 100644 +index 1455830cba..6849ada033 100644 --- a/src/timedate/timedated.c +++ b/src/timedate/timedated.c @@ -266,7 +266,7 @@ static int context_read_data(Context *c) { @@ -139,7 +139,7 @@ index 57f3413dc6..6a456fe601 100644 if (unlink(etc_localtime()) < 0 && errno != ENOENT) return -errno; -@@ -298,9 +298,9 @@ static int context_write_data_timezone(Context *c) { +@@ -300,17 +300,20 @@ static int context_write_data_timezone(Context *c) { return 0; } @@ -151,3 +151,16 @@ index 57f3413dc6..6a456fe601 100644 if (!p) return -ENOMEM; + source = p; + } + +- return symlinkat_atomic_full(source, AT_FDCWD, etc_localtime(), +- !secure_getenv("SYSTEMD_ETC_LOCALTIME")); ++ /* With zoneinfo being at /etc/zoneinfo instead of /usr/share/zoneinfo on NixOS, and etc_localtime() left untouched ++ * at /etc/localtime, a relative symlink would look like zoneinfo/UTC instead of ../usr/share/zoneinfo/UTC. This is ++ * an issue because not just systemd itself (src/basic/time-util.c @@ get_timezone), but also others like icu::TimeZone ++ * reject such symlinks. Forcing the symlink to be absolute (/etc/zoneinfo/UTC) takes care of at least both of them. */ ++ return symlinkat_atomic_full(source, AT_FDCWD, etc_localtime(), /* flags */ 0); + } + + static const char* etc_adjtime(void) { diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index acb4c053438cf..ba7fdacb2fe6f 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -207,13 +207,13 @@ let in stdenv.mkDerivation (finalAttrs: { inherit pname; - version = "258.5"; + version = "258.7"; src = fetchFromGitHub { owner = "systemd"; repo = "systemd"; rev = "v${finalAttrs.version}"; - hash = "sha256-3xz8q0R0gMAwRDV2QmYO0r/0Fw+9LOyR3O3XuMrTpgY="; + hash = "sha256-ehxf7szijCJGZ1lqZsvoDrahGp8P3IgWH6mUJ2Yx9S0="; }; # On major changes, or when otherwise required, you *must* : diff --git a/pkgs/tools/compression/xz/default.nix b/pkgs/tools/compression/xz/default.nix index 89869d29fc996..a0e1e67a577cd 100644 --- a/pkgs/tools/compression/xz/default.nix +++ b/pkgs/tools/compression/xz/default.nix @@ -15,13 +15,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "xz"; - version = "5.8.1"; + version = "5.8.3"; src = fetchurl { url = with finalAttrs; "https://github.com/tukaani-project/xz/releases/download/v${version}/xz-${version}.tar.xz"; - hash = "sha256-C1T3nfhZElBN4LFK7Hlx4/lkSRrxgS2DRHAFgHUTzZ4="; + hash = "sha256-//H/zysNqE0wihTeUToaoj1OmqNGTRfmS5cUv90Lv7Y="; }; strictDeps = true; diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index dd6cfcdb68d07..4018d96b386b6 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -115,6 +115,10 @@ stdenv.mkDerivation rec { # intermittent failures on builders, unknown reason sed '2i echo Skipping du basic test && exit 77' -i ./tests/du/basic.sh + # flaky on some filesystems due to non-deterministic disk usage + sed '2i echo Skipping du deref test && exit 77' -i ./tests/du/deref.sh + sed '2i echo Skipping du inacc-dir test && exit 77' -i ./tests/du/inacc-dir.sh + # fails when syscalls related to acl not being available, e.g. in sandboxed environment sed '2i echo Skipping ls -al with acl test && exit 77' -i ./tests/ls/acl.sh '' diff --git a/pkgs/tools/networking/openssh/common.nix b/pkgs/tools/networking/openssh/common.nix index bafb82fa50909..68cc990af7a9a 100644 --- a/pkgs/tools/networking/openssh/common.nix +++ b/pkgs/tools/networking/openssh/common.nix @@ -71,7 +71,8 @@ stdenv.mkDerivation (finalAttrs: { # See discussion in https://github.com/NixOS/nixpkgs/pull/16966 ./dont_create_privsep_path.patch - + ] + ++ lib.optionals (lib.versionOlder finalAttrs.version "10.3") [ # See discussion in https://github.com/NixOS/nixpkgs/issues/466049 and # https://gitlab.archlinux.org/archlinux/packaging/packages/openssh/-/issues/23 (fetchpatch { diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 6e95321b3de1a..35ece9ce73963 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -14,11 +14,11 @@ in { openssh = common rec { pname = "openssh"; - version = "10.2p1"; + version = "10.3p1"; src = fetchurl { url = urlFor version; - hash = "sha256-zMQsBBmTeVkmP6Hb0W2vwYxWuYTANWLSk3zlamD3mLI="; + hash = "sha256-VmgqNruS3PS08Bb9jsjnQFm3mo3iXBXWcNcx59GORfQ="; }; extraPatches = [ @@ -95,8 +95,8 @@ in (fetchpatch { name = "openssh-gssapi.patch"; - url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%2510.1p1-1/debian/patches/gssapi.patch"; - hash = "sha256-/wJ3AA+RscHjFRSeL0LENviKlCglpOi7HNuCxidpQV8="; + url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%2510.2p1-6/debian/patches/gssapi.patch"; + hash = "sha256-mYrJJrE6l0r/VYLWlOTGkKLzj9Dj4wOLgJyW/NLGaeo="; }) ];