diff --git a/pkgs/build-support/rust/fetch-cargo-vendor-util-v2.py b/pkgs/build-support/rust/fetch-cargo-vendor-util-v2.py deleted file mode 100644 index 5dc789c93ad95..0000000000000 --- a/pkgs/build-support/rust/fetch-cargo-vendor-util-v2.py +++ /dev/null @@ -1,416 +0,0 @@ -import functools -import hashlib -import json -import multiprocessing as mp -import re -import shutil -import subprocess -import sys -import tomllib -from os.path import islink, realpath -from pathlib import Path -from typing import Any, TypedDict, cast -from urllib.parse import unquote - -import requests -import tomli_w -from requests.adapters import HTTPAdapter, Retry - -eprint = functools.partial(print, file=sys.stderr) - - -def load_toml(path: Path) -> dict[str, Any]: - with open(path, "rb") as f: - return tomllib.load(f) - - -def get_lockfile_version(cargo_lock_toml: dict[str, Any]) -> int: - # lockfile v1 and v2 don't have the `version` key, so assume v2 - version = cargo_lock_toml.get("version", 2) - - # TODO: add logic for differentiating between v1 and v2 - - return version - - -def create_http_session() -> requests.Session: - retries = Retry( - total=5, - backoff_factor=0.5, - status_forcelist=[500, 502, 503, 504] - ) - session = requests.Session() - session.headers["User-Agent"] = "nixpkgs-fetchCargoVendor/2 (https://github.com/NixOS/nixpkgs)" - session.mount('http://', HTTPAdapter(max_retries=retries)) - session.mount('https://', HTTPAdapter(max_retries=retries)) - return session - - -def download_file_with_checksum(session: requests.Session, url: str, destination_path: Path) -> str: - sha256_hash = hashlib.sha256() - with session.get(url, stream=True) as response: - if not response.ok: - raise Exception(f"Failed to fetch file from {url}. Status code: {response.status_code}") - with open(destination_path, "wb") as file: - for chunk in response.iter_content(1024): # Download in chunks - if chunk: # Filter out keep-alive chunks - file.write(chunk) - sha256_hash.update(chunk) - - # Compute the final checksum - checksum = sha256_hash.hexdigest() - return checksum - - -def get_download_url_for_tarball(pkg: dict[str, Any]) -> str: - # TODO: support other registries - # maybe fetch config.json from the registry root and get the dl key - # See: https://doc.rust-lang.org/cargo/reference/registry-index.html#index-configuration - if pkg["source"] != "registry+https://github.com/rust-lang/crates.io-index": - raise Exception("Only the default crates.io registry is supported.") - - # Use static.crates.io (CDN) instead of crates.io/api to avoid the 1 req/sec - # rate limit on the API servers. - return f"https://static.crates.io/crates/{pkg["name"]}/{pkg["version"]}/download" - - -def download_tarball(session: requests.Session, pkg: dict[str, Any], out_dir: Path) -> None: - - url = get_download_url_for_tarball(pkg) - filename = f"{pkg["name"]}-{pkg["version"]}.tar.gz" - - # TODO: allow legacy checksum specification, see importCargoLock for example - # also, don't forget about the other usage of the checksum - expected_checksum = pkg["checksum"] - - tarball_out_dir = out_dir / "tarballs" / filename - eprint(f"Fetching {url} -> tarballs/{filename}") - - calculated_checksum = download_file_with_checksum(session, url, tarball_out_dir) - - if calculated_checksum != expected_checksum: - raise Exception(f"Hash mismatch! File fetched from {url} had checksum {calculated_checksum}, expected {expected_checksum}.") - - -def download_git_tree(url: str, git_sha_rev: str, out_dir: Path) -> None: - - tree_out_dir = out_dir / "git" / git_sha_rev - eprint(f"Fetching {url}#{git_sha_rev} -> git/{git_sha_rev}") - - cmd = ["nix-prefetch-git", "--builder", "--quiet", "--fetch-submodules", "--url", url, "--rev", git_sha_rev, "--out", str(tree_out_dir)] - subprocess.check_output(cmd) - - -GIT_SOURCE_REGEX = re.compile("git\\+(?P[^?]+)(\\?(?Prev|tag|branch)=(?P.*))?#(?P.*)") - - -class GitSourceInfo(TypedDict): - url: str - type: str | None - value: str | None - git_sha_rev: str - - -def parse_git_source(source: str, lockfile_version: int) -> GitSourceInfo: - match = GIT_SOURCE_REGEX.match(source) - if match is None: - raise Exception(f"Unable to process git source: {source}.") - - source_info = cast(GitSourceInfo, match.groupdict(default=None)) - - # the source URL is URL-encoded in lockfile_version >=4 - # since we just used regex to parse it we have to manually decode the escaped branch/tag name - if lockfile_version >= 4 and source_info["value"] is not None: - source_info["value"] = unquote(source_info["value"]) - - return source_info - - -def create_vendor_staging(lockfile_path: Path, out_dir: Path) -> None: - cargo_lock_toml = load_toml(lockfile_path) - lockfile_version = get_lockfile_version(cargo_lock_toml) - - git_packages: list[dict[str, Any]] = [] - registry_packages: list[dict[str, Any]] = [] - - for pkg in cargo_lock_toml["package"]: - # ignore local dependenices - if "source" not in pkg.keys(): - eprint(f"Skipping local dependency: {pkg["name"]}") - continue - source = pkg["source"] - - if source.startswith("git+"): - git_packages.append(pkg) - elif source.startswith("registry+"): - registry_packages.append(pkg) - else: - raise Exception(f"Can't process source: {source}.") - - git_sha_rev_to_url: dict[str, str] = {} - for pkg in git_packages: - source_info = parse_git_source(pkg["source"], lockfile_version) - git_sha_rev_to_url[source_info["git_sha_rev"]] = source_info["url"] - - out_dir.mkdir(exist_ok=True) - shutil.copy(lockfile_path, out_dir / "Cargo.lock") - - # fetch git trees sequentially, since fetching concurrently leads to flaky behaviour - if len(git_packages) != 0: - (out_dir / "git").mkdir() - for git_sha_rev, url in git_sha_rev_to_url.items(): - download_git_tree(url, git_sha_rev, out_dir) - - # run tarball download jobs in parallel, with at most 5 concurrent download jobs - with mp.Pool(min(5, mp.cpu_count())) as pool: - if len(registry_packages) != 0: - (out_dir / "tarballs").mkdir() - session = create_http_session() - tarball_args_gen = ((session, pkg, out_dir) for pkg in registry_packages) - pool.starmap(download_tarball, tarball_args_gen) - - -def get_manifest_metadata(manifest_path: Path) -> dict[str, Any]: - cmd = ["cargo", "metadata", "--format-version", "1", "--no-deps", "--manifest-path", str(manifest_path)] - output = subprocess.check_output(cmd) - return json.loads(output) - - -def try_get_crate_manifest_path_from_manifest_path(manifest_path: Path, crate_name: str) -> Path | None: - try: - metadata = get_manifest_metadata(manifest_path) - except subprocess.CalledProcessError: - eprint(f"Warning: cargo metadata failed for {manifest_path}, skipping") - return None - - for pkg in metadata["packages"]: - if pkg["name"] == crate_name: - return Path(pkg["manifest_path"]) - - return None - - -def find_crate_manifest_in_tree(tree: Path, crate_name: str) -> Path: - # Scan all Cargo.toml files; sort by depth/path to make ordering deterministic - # and prefer less-nested manifests first. - manifest_paths = sorted( - tree.glob("**/Cargo.toml"), - key=lambda path: (len(path.parts), str(path)), - ) - - for manifest_path in manifest_paths: - res = try_get_crate_manifest_path_from_manifest_path(manifest_path, crate_name) - if res is not None: - return res - - raise Exception(f"Couldn't find manifest for crate {crate_name} inside {tree}.") - - -def copy_and_patch_git_crate_subtree(git_tree: Path, crate_name: str, crate_out_dir: Path) -> None: - - # This function will get called by copytree to decide which entries of a directory should be copied - # We'll copy everything except symlinks that are invalid - def ignore_func(dir_str: str, path_strs: list[str]) -> list[str]: - ignorelist: list[str] = [] - - dir = Path(realpath(dir_str, strict=True)) - - for path_str in path_strs: - path = dir / path_str - if not islink(path): - continue - - # Filter out cyclic symlinks and symlinks pointing at nonexistant files - try: - target_path = Path(realpath(path, strict=True)) - except OSError: - ignorelist.append(path_str) - eprint(f"Failed to resolve symlink, ignoring: {path}") - continue - - # Filter out symlinks that point outside of the current crate's base git tree - # This can be useful if the nix build sandbox is turned off and there is a symlink to a common absolute path - if not target_path.is_relative_to(git_tree): - ignorelist.append(path_str) - eprint(f"Symlink points outside of the crate's base git tree, ignoring: {path} -> {target_path}") - continue - - return ignorelist - - crate_manifest_path = find_crate_manifest_in_tree(git_tree, crate_name) - crate_tree = crate_manifest_path.parent - - eprint(f"Copying to {crate_out_dir}") - shutil.copytree(crate_tree, crate_out_dir, ignore=ignore_func) - crate_out_dir.chmod(0o755) - - with open(crate_manifest_path, "r") as f: - manifest_data = f.read() - - if "workspace" in manifest_data: - crate_manifest_metadata = get_manifest_metadata(crate_manifest_path) - workspace_root = Path(crate_manifest_metadata["workspace_root"]) - - root_manifest_path = workspace_root / "Cargo.toml" - manifest_path = crate_out_dir / "Cargo.toml" - - manifest_path.chmod(0o644) - eprint(f"Patching {manifest_path}") - - cmd = ["replace-workspace-values", str(manifest_path), str(root_manifest_path)] - subprocess.check_output(cmd) - - -def extract_crate_tarball_contents(tarball_path: Path, crate_out_dir: Path) -> None: - eprint(f"Unpacking to {crate_out_dir}") - crate_out_dir.mkdir() - cmd = ["tar", "xf", str(tarball_path), "-C", str(crate_out_dir), "--strip-components=1"] - subprocess.check_output(cmd) - - -def make_git_source_selector(source_info: GitSourceInfo) -> dict[str, str]: - selector = {} - selector["git"] = source_info["url"] - if source_info["type"] is not None: - selector[source_info["type"]] = source_info["value"] - return selector - - -def make_registry_source_selector(source: str) -> dict[str, str]: - registry = source[9:] if source.startswith("registry+") else source - selector = {} - selector["registry"] = registry - return selector - - -def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None: - lockfile_path = vendor_staging_dir / "Cargo.lock" - out_dir.mkdir(exist_ok=True) - shutil.copy(lockfile_path, out_dir / "Cargo.lock") - - cargo_lock_toml = load_toml(lockfile_path) - lockfile_version = get_lockfile_version(cargo_lock_toml) - - source_to_ind: dict[str, str] = {} - source_config = {} - next_registry_ind = 0 - next_git_ind = 0 - - def add_source_replacement( - orig_key: str, - orig_selector: dict[str, str], - vendored_key: str, - vendored_dir: str - ) -> None: - source_config[vendored_key] = {} - source_config[vendored_key]["directory"] = vendored_dir - source_config[orig_key] = orig_selector - source_config[orig_key]["replace-with"] = vendored_key - - # we reserve registry index 0 for crates-io - source_to_ind["registry+https://github.com/rust-lang/crates.io-index"] = "registry-0" - source_to_ind["sparse+https://index.crates.io/"] = "registry-0" - add_source_replacement( - orig_key="crates-io", - orig_selector={}, # there is an internal selector defined for the `crates-io` source - vendored_key="vendored-source-registry-0", - vendored_dir="@vendor@/source-registry-0" - ) - next_registry_ind += 1 - - for pkg in cargo_lock_toml["package"]: - # ignore local dependencies - if "source" not in pkg.keys(): - continue - source: str = pkg["source"] - if source in source_to_ind: - continue - - if source.startswith("git+"): - ind = f"git-{next_git_ind}" - next_git_ind += 1 - source_info = parse_git_source(source, lockfile_version) - selector = make_git_source_selector(source_info) - elif source.startswith("registry+") or source.startswith("sparse+"): - ind = f"registry-{next_registry_ind}" - next_registry_ind += 1 - selector = make_registry_source_selector(source) - else: - raise Exception(f"Can't process source: {source}.") - - source_to_ind[source] = ind - add_source_replacement( - orig_key=f"original-source-{ind}", - orig_selector=selector, - vendored_key=f"vendored-source-{ind}", - vendored_dir=f"@vendor@/source-{ind}" - ) - - config_path = out_dir / ".cargo" / "config.toml" - config_path.parent.mkdir() - - with open(config_path, "wb") as config_file: - tomli_w.dump({"source": source_config}, config_file) - - for pkg in cargo_lock_toml["package"]: - - # ignore local dependenices - if "source" not in pkg.keys(): - continue - - source: str = pkg["source"] - source_ind = source_to_ind[source] - crate_dir_name = f"{pkg["name"]}-{pkg["version"]}" - source_dir_name = f"source-{source_ind}" - crate_out_dir = out_dir / source_dir_name / crate_dir_name - crate_out_dir.parent.mkdir(exist_ok=True) - - if source.startswith("git+"): - - source_info = parse_git_source(source, lockfile_version) - - git_sha_rev = source_info["git_sha_rev"] - git_tree = vendor_staging_dir / "git" / git_sha_rev - - copy_and_patch_git_crate_subtree(git_tree, pkg["name"], crate_out_dir) - - # git based crates allow having no checksum information - with open(crate_out_dir / ".cargo-checksum.json", "w") as f: - json.dump({"files": {}}, f) - - elif source.startswith("registry+") or source.startswith("sparse+"): - filename = f"{pkg["name"]}-{pkg["version"]}.tar.gz" - - # TODO: change this when non-crates-io registries are supported - dir_name = "tarballs" - - tarball_path = vendor_staging_dir / dir_name / filename - - extract_crate_tarball_contents(tarball_path, crate_out_dir) - - # non-git based crates need the package checksum at minimum - with open(crate_out_dir / ".cargo-checksum.json", "w") as f: - json.dump({"files": {}, "package": pkg["checksum"]}, f) - - else: - raise Exception(f"Can't process source: {source}.") - - -def main() -> None: - subcommand = sys.argv[1] - - subcommand_func_dict = { - "create-vendor-staging": lambda: create_vendor_staging(lockfile_path=Path(sys.argv[2]), out_dir=Path(sys.argv[3])), - "create-vendor": lambda: create_vendor(vendor_staging_dir=Path(sys.argv[2]), out_dir=Path(sys.argv[3])) - } - - subcommand_func = subcommand_func_dict.get(subcommand) - - if subcommand_func is None: - raise Exception(f"Unknown subcommand: '{subcommand}'. Must be one of {list(subcommand_func_dict.keys())}") - - subcommand_func() - - -if __name__ == "__main__": - main() diff --git a/pkgs/build-support/rust/fetch-cargo-vendor-util.py b/pkgs/build-support/rust/fetch-cargo-vendor-util.py index 3bee7e150c8e8..825f07b175ee9 100644 --- a/pkgs/build-support/rust/fetch-cargo-vendor-util.py +++ b/pkgs/build-support/rust/fetch-cargo-vendor-util.py @@ -40,6 +40,7 @@ def create_http_session() -> requests.Session: status_forcelist=[500, 502, 503, 504] ) session = requests.Session() + session.headers["User-Agent"] = "nixpkgs-fetchCargoVendor/2 (https://github.com/NixOS/nixpkgs)" session.mount('http://', HTTPAdapter(max_retries=retries)) session.mount('https://', HTTPAdapter(max_retries=retries)) return session @@ -68,7 +69,9 @@ def get_download_url_for_tarball(pkg: dict[str, Any]) -> str: if pkg["source"] != "registry+https://github.com/rust-lang/crates.io-index": raise Exception("Only the default crates.io registry is supported.") - return f"https://crates.io/api/v1/crates/{pkg["name"]}/{pkg["version"]}/download" + # Use static.crates.io (CDN) instead of crates.io/api to avoid the 1 req/sec + # rate limit on the API servers. + return f"https://static.crates.io/crates/{pkg["name"]}/{pkg["version"]}/download" def download_tarball(session: requests.Session, pkg: dict[str, Any], out_dir: Path) -> None: @@ -289,6 +292,7 @@ def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None: lockfile_version = get_lockfile_version(cargo_lock_toml) source_to_ind: dict[str, str] = {} + selector_to_ind: dict[tuple, str] = {} source_config = {} next_registry_ind = 0 next_git_ind = 0 @@ -324,24 +328,35 @@ def add_source_replacement( continue if source.startswith("git+"): - ind = f"git-{next_git_ind}" - next_git_ind += 1 source_info = parse_git_source(source, lockfile_version) selector = make_git_source_selector(source_info) + selector_key = (source_info["url"], source_info["type"], source_info["value"]) + if selector_key in selector_to_ind: + ind = selector_to_ind[selector_key] + else: + ind = f"git-{next_git_ind}" + next_git_ind += 1 + selector_to_ind[selector_key] = ind + add_source_replacement( + orig_key=f"original-source-{ind}", + orig_selector=selector, + vendored_key=f"vendored-source-{ind}", + vendored_dir=f"@vendor@/source-{ind}" + ) elif source.startswith("registry+") or source.startswith("sparse+"): ind = f"registry-{next_registry_ind}" next_registry_ind += 1 selector = make_registry_source_selector(source) + add_source_replacement( + orig_key=f"original-source-{ind}", + orig_selector=selector, + vendored_key=f"vendored-source-{ind}", + vendored_dir=f"@vendor@/source-{ind}" + ) else: raise Exception(f"Can't process source: {source}.") source_to_ind[source] = ind - add_source_replacement( - orig_key=f"original-source-{ind}", - orig_selector=selector, - vendored_key=f"vendored-source-{ind}", - vendored_dir=f"@vendor@/source-{ind}" - ) config_path = out_dir / ".cargo" / "config.toml" config_path.parent.mkdir() diff --git a/pkgs/build-support/rust/fetch-cargo-vendor.nix b/pkgs/build-support/rust/fetch-cargo-vendor.nix index 2802bf9e73f11..8d554a8dc3e22 100644 --- a/pkgs/build-support/rust/fetch-cargo-vendor.nix +++ b/pkgs/build-support/rust/fetch-cargo-vendor.nix @@ -37,29 +37,18 @@ let "hash" ]; - mkFetchCargoVendorUtil = - name: src: - writers.writePython3Bin name { - libraries = - with python3Packages; - [ - requests - tomli-w - ] - ++ requests.optional-dependencies.socks; # to support socks proxy envs like ALL_PROXY in requests - flakeIgnore = [ - "E501" - ]; - } (builtins.readFile src); - - # Separate util used only by the FOD `vendorStaging` stage below. Kept - # distinct from fetchCargoVendorUtil so that changes to the network-facing - # bits (User-Agent, download URL) don't invalidate the input-addressed - # `-vendor` stage and force a mass rebuild of every Rust package in nixpkgs. - # vendorStaging is an FOD, so swapping its util is free for consumers. - # TODO: unify with fetchCargoVendorUtil on the next `staging` cycle. - fetchCargoVendorUtilV2 = mkFetchCargoVendorUtil "fetch-cargo-vendor-util-v2" ./fetch-cargo-vendor-util-v2.py; - fetchCargoVendorUtil = mkFetchCargoVendorUtil "fetch-cargo-vendor-util" ./fetch-cargo-vendor-util.py; + fetchCargoVendorUtil = writers.writePython3Bin "fetch-cargo-vendor-util" { + libraries = + with python3Packages; + [ + requests + tomli-w + ] + ++ requests.optional-dependencies.socks; # to support socks proxy envs like ALL_PROXY in requests + flakeIgnore = [ + "E501" + ]; + } (builtins.readFile ./fetch-cargo-vendor-util.py); in { @@ -79,7 +68,7 @@ let impureEnvVars = lib.fetchers.proxyImpureEnvVars; nativeBuildInputs = [ - fetchCargoVendorUtilV2 + fetchCargoVendorUtil cacert nix-prefetch-git' ] @@ -92,7 +81,7 @@ let cd "$cargoRoot" fi - fetch-cargo-vendor-util-v2 create-vendor-staging ./Cargo.lock "$out" + fetch-cargo-vendor-util create-vendor-staging ./Cargo.lock "$out" runHook postBuild ''; diff --git a/pkgs/by-name/as/assimp/package.nix b/pkgs/by-name/as/assimp/package.nix index 717fd1a0746f7..24769c4a231cd 100644 --- a/pkgs/by-name/as/assimp/package.nix +++ b/pkgs/by-name/as/assimp/package.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "assimp"; - version = "6.0.4"; + version = "6.0.5"; outputs = [ "out" "lib" @@ -20,7 +20,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "assimp"; repo = "assimp"; tag = "v${finalAttrs.version}"; - hash = "sha256-ryTgsN0z9BZBz7i9aUMKuneN5oqfxpduwJlb+Q0q3Mk="; + hash = "sha256-QWBi1pl5C76UtPhB6SmFipm9oEdnfhELMT3MqfV6oxg="; }; postPatch = '' diff --git a/pkgs/by-name/at/at-spi2-core/package.nix b/pkgs/by-name/at/at-spi2-core/package.nix index dd5e8f9e4ce13..c204431843746 100644 --- a/pkgs/by-name/at/at-spi2-core/package.nix +++ b/pkgs/by-name/at/at-spi2-core/package.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "at-spi2-core"; - version = "2.60.1"; + version = "2.60.4"; outputs = [ "out" @@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = "mirror://gnome/sources/at-spi2-core/${lib.versions.majorMinor finalAttrs.version}/at-spi2-core-${finalAttrs.version}.tar.xz"; - hash = "sha256-+ZuH48FnT1+8QXzJwdniYcDymqsFUK1jaYBQMdEvaFI="; + hash = "sha256-Gh9bqYBZF/QfxqpoI9z4h6KR1gekJ+LVr7a136ZQcMc="; }; nativeBuildInputs = [ diff --git a/pkgs/by-name/au/audit/package.nix b/pkgs/by-name/au/audit/package.nix index 197df3501597b..3b2389e7843c6 100644 --- a/pkgs/by-name/au/audit/package.nix +++ b/pkgs/by-name/au/audit/package.nix @@ -30,13 +30,13 @@ }: stdenv.mkDerivation (finalAttrs: { pname = "audit"; - version = "4.1.2-unstable-2025-09-06"; # fixes to non-static builds right after 4.1.2 release + version = "4.1.4"; src = fetchFromGitHub { owner = "linux-audit"; repo = "audit-userspace"; - rev = "cb13fe75ee2c36d5c525ed9de22aae10dbc8caf4"; - hash = "sha256-NX0TWA+LtcZgbM9aQfokWv2rGNAAb3ksGqAH8URAkYM="; + tag = "v${finalAttrs.version}"; + hash = "sha256-GdJ9nzlDAdOazOHH/YWuEoELrJh+G5ZJUKwIqAKAzpo="; }; postPatch = '' @@ -132,10 +132,6 @@ stdenv.mkDerivation (finalAttrs: { # Instead, we load audit rules in a dedicated module. postFixup = '' moveToOutput bin/augenrules $scripts - substituteInPlace $scripts/bin/augenrules \ - --replace-fail "/sbin/auditctl -R" "$bin/bin/auditctl -R" \ - --replace-fail "auditctl -s" "$bin/bin/auditctl -s" \ - --replace-fail "/bin/ls" "ls" wrapProgram $scripts/bin/augenrules \ --prefix PATH : ${ lib.makeBinPath [ diff --git a/pkgs/by-name/cu/curlMinimal/fix-wakeup-consumption.patch b/pkgs/by-name/cu/curlMinimal/fix-wakeup-consumption.patch new file mode 100644 index 0000000000000..0bc04b60bb87a --- /dev/null +++ b/pkgs/by-name/cu/curlMinimal/fix-wakeup-consumption.patch @@ -0,0 +1,32 @@ +From 2a2104f3cff44bb28bb570a093be52bbeeed8f23 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Mon, 11 May 2026 14:56:04 +0200 +Subject: [PATCH] event: fix wakeup consumption + +The events on a multi wakeup socketpair were only consumed via +curl_multi_poll()/curl_multi_wait() but not in event based processing on +a curl_multi_socket() call. That led to busy loops as reported in + +Fixes #21547 +Reported-by: Earnestly on github +Closes #21549 +--- + lib/multi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/multi.c b/lib/multi.c +index be32740a7097..5e84133f13fd 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -2703,6 +2703,11 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + Curl_uint32_bset_remove(&multi->dirty, data->mid); + + if(data == multi->admin) { ++#ifdef ENABLE_WAKEUP ++ /* Consume any pending wakeup signals before processing. ++ * This is necessary for event based processing. See #21547 */ ++ (void)Curl_wakeup_consume(multi->wakeup_pair, TRUE); ++#endif + #ifdef USE_RESOLV_THREADED + Curl_async_thrdd_multi_process(multi); + #endif diff --git a/pkgs/by-name/cu/curlMinimal/package.nix b/pkgs/by-name/cu/curlMinimal/package.nix index 28220181cba0b..a25ea809c62b0 100644 --- a/pkgs/by-name/cu/curlMinimal/package.nix +++ b/pkgs/by-name/cu/curlMinimal/package.nix @@ -96,6 +96,13 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-Y/4twUi6DOromSLvg49+XJRicsLni3xZ+rS3nTziuJY="; }; + patches = [ + # https://github.com/curl/curl/commit/2a2104f3cff44bb28bb570a093be52bbeeed8f23 + # According to , this fixes + # a performance regression, causing high CPU usage + ./fix-wakeup-consumption.patch + ]; + # this could be accomplished by updateAutotoolsGnuConfigScriptsHook, but that causes infinite recursion # necessary for FreeBSD code path in configure postPatch = '' @@ -115,6 +122,7 @@ stdenv.mkDerivation (finalAttrs: { enableParallelBuilding = true; strictDeps = true; + __structuredAttrs = true; env = { CXX = "${stdenv.cc.targetPrefix}c++"; diff --git a/pkgs/by-name/do/doctest/package.nix b/pkgs/by-name/do/doctest/package.nix index f6ffd1b9e5590..cbea1dcba7494 100644 --- a/pkgs/by-name/do/doctest/package.nix +++ b/pkgs/by-name/do/doctest/package.nix @@ -7,13 +7,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "doctest"; - version = "2.5.0"; + version = "2.5.2"; src = fetchFromGitHub { owner = "doctest"; repo = "doctest"; tag = "v${finalAttrs.version}"; - hash = "sha256-7t/eknv7VtHoBgcuJmI07x//HIyqzE9HUuH5u2y7X8A="; + hash = "sha256-4jW6xPFCFxk1l47EkSUVojhycrtluPhOc5Adf/25R7M="; }; nativeBuildInputs = [ cmake ]; @@ -27,6 +27,7 @@ stdenv.mkDerivation (finalAttrs: { doCheck = true; meta = { + changelog = "https://github.com/doctest/doctest/releases/tag/${finalAttrs.src.tag}"; homepage = "https://github.com/doctest/doctest"; description = "Fastest feature-rich C++11/14/17/20 single-header testing framework"; platforms = lib.platforms.all; diff --git a/pkgs/by-name/du/duplicity/package.nix b/pkgs/by-name/du/duplicity/package.nix index 7cdb8eff47f21..8e7b8698a1a4c 100644 --- a/pkgs/by-name/du/duplicity/package.nix +++ b/pkgs/by-name/du/duplicity/package.nix @@ -75,20 +75,17 @@ let glib ]; - pythonPath = - with python3.pkgs; - [ - b2sdk - boto3 - idna - pygobject3 - fasteners - paramiko - pexpect - # Currently marked as broken. - # pydrive2 - ] - ++ paramiko.optional-dependencies.invoke; + pythonPath = with python3.pkgs; [ + b2sdk + boto3 + idna + pygobject3 + fasteners + paramiko + pexpect + # Currently marked as broken. + # pydrive2 + ]; nativeCheckInputs = [ gnupg # Add 'gpg' to PATH. diff --git a/pkgs/by-name/e2/e2fsprogs/package.nix b/pkgs/by-name/e2/e2fsprogs/package.nix index ceb394b1c433e..970ea64682c51 100644 --- a/pkgs/by-name/e2/e2fsprogs/package.nix +++ b/pkgs/by-name/e2/e2fsprogs/package.nix @@ -3,7 +3,6 @@ stdenv, buildPackages, fetchurl, - fetchpatch, pkg-config, libuuid, gettext, @@ -20,25 +19,15 @@ stdenv.mkDerivation rec { pname = "e2fsprogs"; - version = "1.47.3"; + version = "1.47.4"; __structuredAttrs = true; src = fetchurl { url = "mirror://kernel/linux/kernel/people/tytso/e2fsprogs/v${version}/e2fsprogs-${version}.tar.xz"; - hash = "sha256-hX5u+AD+qiu0V4+8gQIUvl08iLBy6lPFOEczqWVzcyk="; + hash = "sha256-/VvziMvb4Aaj07MY2YOylIOCRArMhah/Hn0QhlPo2ws="; }; - patches = [ - # Upstream patch that fixes musl build (and probably others). - # Should be included in next release after 1.47.3. - (fetchpatch { - name = "stdio-portability.patch"; - url = "https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/patch/?id=f79abd8554e600eacc2a7c864a8332b670c9e262"; - hash = "sha256-zZ7zmSMTwGyS3X3b/D/mVG0bV2ul5xtY5DJx9YUvQO8="; - }) - ]; - # fuse2fs adds 14mb of dependencies outputs = [ "bin" diff --git a/pkgs/by-name/ex/expat/package.nix b/pkgs/by-name/ex/expat/package.nix index cf55e71a2037d..78ff9e9253b06 100644 --- a/pkgs/by-name/ex/expat/package.nix +++ b/pkgs/by-name/ex/expat/package.nix @@ -18,7 +18,7 @@ # files. let - version = "2.8.0"; + version = "2.8.1"; tag = "R_${lib.replaceStrings [ "." ] [ "_" ] version}"; in stdenv.mkDerivation (finalAttrs: { @@ -29,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: { url = with finalAttrs; "https://github.com/libexpat/libexpat/releases/download/${tag}/${pname}-${version}.tar.xz"; - hash = "sha256-o3v64KqXdb2FIevYXcRW1Ibw/zETj2yR/ZAupzJiRUI="; + hash = "sha256-ELGV7ngWCpCDiBgKj+NgPU6aEvR1X79fOBayOp11DaA="; }; strictDeps = true; diff --git a/pkgs/by-name/ff/fftw/package.nix b/pkgs/by-name/ff/fftw/package.nix index 0d9736335f682..a706799bf693e 100644 --- a/pkgs/by-name/ff/fftw/package.nix +++ b/pkgs/by-name/ff/fftw/package.nix @@ -1,6 +1,5 @@ { fetchurl, - fetchpatch, stdenv, lib, gfortran, @@ -22,24 +21,16 @@ assert lib.elem precision [ stdenv.mkDerivation (finalAttrs: { pname = "fftw-${precision}"; - version = "3.3.10"; + version = "3.3.11"; src = fetchurl { urls = [ "https://fftw.org/fftw-${finalAttrs.version}.tar.gz" "ftp://ftp.fftw.org/pub/fftw/fftw-${finalAttrs.version}.tar.gz" ]; - hash = "sha256-VskyVJhSzdz6/as4ILAgDHdCZ1vpIXnlnmIVs0DiZGc="; + hash = "sha256-VjDCTN6zOxMWEvfrSxqZNCNHVPnziP+GF0WNC+byOaE="; }; - patches = [ - (fetchpatch { - name = "remove_missing_FFTW3LibraryDepends.patch"; - url = "https://github.com/FFTW/fftw3/pull/338/commits/f69fef7aa546d4477a2a3fd7f13fa8b2f6c54af7.patch"; - hash = "sha256-lzX9kAHDMY4A3Td8necXwYLcN6j8Wcegi3A7OIECKeU="; - }) - ]; - outputs = [ "out" "dev" @@ -107,6 +98,7 @@ stdenv.mkDerivation (finalAttrs: { __structuredAttrs = true; meta = { + changelog = "https://github.com/FFTW/fftw3/blob/fftw-${finalAttrs.version}/NEWS"; description = "Fastest Fourier Transform in the West library"; homepage = "https://www.fftw.org/"; license = lib.licenses.gpl2Plus; diff --git a/pkgs/by-name/fr/freetype/package.nix b/pkgs/by-name/fr/freetype/package.nix index 76ffe6324cf26..2f5f6ccef0a84 100644 --- a/pkgs/by-name/fr/freetype/package.nix +++ b/pkgs/by-name/fr/freetype/package.nix @@ -2,6 +2,7 @@ lib, stdenv, fetchurl, + fetchpatch, buildPackages, pkgsHostHost, pkg-config, @@ -39,7 +40,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "freetype"; - version = "2.14.2"; + version = "2.14.3"; src = let @@ -47,7 +48,7 @@ stdenv.mkDerivation (finalAttrs: { in fetchurl { url = "mirror://savannah/freetype/freetype-${version}.tar.xz"; - sha256 = "sha256-S2Lcq0ySChqGA2mTMiGBQ2LmmeJvVXklFtZx5v9VteE="; + sha256 = "sha256-NrxPHMQTM1No7mVsQq/KZcWjmH6HaMwozxG6d154Wl8="; }; propagatedBuildInputs = [ @@ -69,6 +70,53 @@ stdenv.mkDerivation (finalAttrs: { patches = [ ./enable-table-validation.patch + + # https://project-zero.issues.chromium.org/issues/505355061 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1419 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1420 + (fetchpatch { + name = "truetype-shz-limit-heap-buffer-overflow-part1.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/1803559c4ee407d0bcbf2a67dbe96690cee869d2.patch"; + hash = "sha256-zxtJ2pJz8pNofgYrJ6c8/eZqRvxTotanF2IdU9ckpM4="; + }) + (fetchpatch { + name = "truetype-shz-limit-heap-buffer-overflow-part2.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/7d600a022e1d813e85a8c94ffd395f6135872267.patch"; + hash = "sha256-aHE11C9Cr23D2lqNmTVUDA5E07xxUm+AcYdWJG9zLFs="; + }) + + # https://project-zero.issues.chromium.org/issues/505357209 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1421 + (fetchpatch { + name = "truetype-iup-integer-overflow.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/7974be74d8b5a2fbf99aa88f0461d1f80af51cee.patch"; + hash = "sha256-b5Px0ALsnC5K1+601YioAjCLkLVXNnvTIZ1aQtCeNoQ="; + }) + + # https://project-zero.issues.chromium.org/issues/506902245 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1423 + # https://gitlab.freedesktop.org/freetype/freetype/-/merge_requests/428 + (fetchpatch { + name = "truetype-variation-handling-signednes-mismatch.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/0d45c7f1911bc6db0bf072eea0c8cdccd77bc6b3.patch"; + hash = "sha256-bw/9O86sZQa+vwdgx2MTqxWi6vjMcRTyC42ba9CaZ3I="; + }) + + # prerequisite for the below to apply, since this changes formatting of + # affected code. + (fetchpatch { + name = "ftobjs-formatting.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/590b77014bd920d0bdf64c039fddbce89a288b83.patch"; + hash = "sha256-govOzLBzQMAjSKABVFryDnSn2by2f/W9BgGG3o+qSuE="; + }) + + # https://project-zero.issues.chromium.org/issues/507321912 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1425 + (fetchpatch { + name = "sub-byte-bitmaps-heap-buffer-over-read.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/cbe12767ea73d1006edc75fcd61c0b0d2a88f34e.patch"; + hash = "sha256-jMeqY9uX7Ryfdd8icGDT4kEKl6aGRWafSN8GzOhGW7g="; + }) ] ++ lib.optional useEncumberedCode ./enable-subpixel-rendering.patch; diff --git a/pkgs/by-name/gh/ghostscript/package.nix b/pkgs/by-name/gh/ghostscript/package.nix index 36b9ced6f56b7..6cd7c4b18ed1a 100644 --- a/pkgs/by-name/gh/ghostscript/package.nix +++ b/pkgs/by-name/gh/ghostscript/package.nix @@ -67,13 +67,13 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "ghostscript${lib.optionalString x11Support "-with-X"}"; - version = "10.07.0"; + version = "10.07.1"; src = fetchurl { url = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${ lib.replaceStrings [ "." ] [ "" ] finalAttrs.version }/ghostscript-${finalAttrs.version}.tar.xz"; - hash = "sha256-3azk4XIflnpVA5uv9WSEAiXguqHU9UMiR8oczRRzt8E="; + hash = "sha256-HNt2bejbjx5YnIF/CcWFXqX2XfyFQORlpprBTBhBYCU="; }; patches = [ @@ -233,6 +233,7 @@ stdenv.mkDerivation (finalAttrs: { meta = { homepage = "https://www.ghostscript.com/"; + changelog = "https://ghostscript.readthedocs.io/en/gs${finalAttrs.version}/News.html"; description = "PostScript interpreter (mainline version)"; longDescription = '' Ghostscript is the name of a set of tools that provides (i) an diff --git a/pkgs/by-name/gr/groff/package.nix b/pkgs/by-name/gr/groff/package.nix index a824d9a82f023..083b1493dcf6b 100644 --- a/pkgs/by-name/gr/groff/package.nix +++ b/pkgs/by-name/gr/groff/package.nix @@ -48,8 +48,7 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-dOKBl5W2r/QxrqyYPWOpyJaO6roqLrp9+LpMe0Hnz9g="; }; - patches = lib.optionals stdenv.isLinux [ - # TODO: apply everywhere on rebuild + patches = [ # This revert a upstream refactor in continuous rendering mode, but this # causes a big performance regression for big manpages like # `man 5 configuration.nix`. diff --git a/pkgs/by-name/gt/gtk4/package.nix b/pkgs/by-name/gt/gtk4/package.nix index 28fd6efc8850d..9b7807508a353 100644 --- a/pkgs/by-name/gt/gtk4/package.nix +++ b/pkgs/by-name/gt/gtk4/package.nix @@ -95,11 +95,13 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-Ub2fYMfSOmZaVWxzZMIfsuTiglZrPn4JJFXo+RAzCJM="; }; - patches = lib.optional stdenv.hostPlatform.is32bit (fetchpatch { - name = "fix-32bit-VkImage-null.patch"; - url = "https://gitlab.gnome.org/GNOME/gtk/-/commit/10d43de8f4f942cb591ada3103474bd7213425f1.patch"; - hash = "sha256-DJIL6M3XcsjBoMO77OxNi84d1DxAphAfot3N7Nq1QqQ="; - }); + patches = [ + (fetchpatch { + name = "fix-32bit-VkImage-null.patch"; + url = "https://gitlab.gnome.org/GNOME/gtk/-/commit/10d43de8f4f942cb591ada3103474bd7213425f1.patch"; + hash = "sha256-DJIL6M3XcsjBoMO77OxNi84d1DxAphAfot3N7Nq1QqQ="; + }) + ]; depsBuildBuild = [ pkg-config diff --git a/pkgs/by-name/im/imagemagick/package.nix b/pkgs/by-name/im/imagemagick/package.nix index 40d518373564b..ffce265c53e04 100644 --- a/pkgs/by-name/im/imagemagick/package.nix +++ b/pkgs/by-name/im/imagemagick/package.nix @@ -89,13 +89,13 @@ in stdenv.mkDerivation (finalAttrs: { pname = "imagemagick"; - version = "7.1.2-23"; + version = "7.1.2-24"; src = fetchFromGitHub { owner = "ImageMagick"; repo = "ImageMagick"; tag = finalAttrs.version; - hash = "sha256-zYk75q+EyWq5g/AHFU6v8a7gye0aDAEe/ZZvjqR9ZTc="; + hash = "sha256-oSH0dsQ3cuFNYJIIr6LHbv82FbFxxcmkjQ5csTNsYCA="; }; outputs = [ diff --git a/pkgs/by-name/kr/krb5/CVE-2026-40355-and-CVE-2026-40356.patch b/pkgs/by-name/kr/krb5/CVE-2026-40355-and-CVE-2026-40356.patch new file mode 100644 index 0000000000000..fe37f894fdc47 --- /dev/null +++ b/pkgs/by-name/kr/krb5/CVE-2026-40355-and-CVE-2026-40356.patch @@ -0,0 +1,61 @@ +From acea6182e46fff3d1d64a3172cdff307b07ca441 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Wed, 8 Apr 2026 17:57:59 -0400 +Subject: [PATCH] Fix two NegoEx parsing vulnerabilities + +In parse_nego_message(), check the result of the second call to +vector_base() before dereferencing it. In parse_message(), check for +a short header_len to prevent an integer underflow when calculating +the remaining message length. + +Reported by Cem Onat Karagun. + +CVE-2026-40355: + +In MIT krb5 release 1.18 and later, if an application calls +gss_accept_sec_context() on a system with a NegoEx mechanism +registered in /etc/gss/mech, an unauthenticated remote attacker can +trigger a null pointer dereference, causing the process to terminate. + +CVE-2026-40356: + +In MIT krb5 release 1.18 and later, if an application calls +gss_accept_sec_context() on a system with a NegoEx mechanism +registered in /etc/gss/mech, an unauthenticated remote attacker can +trigger a read overrun of up to 52 bytes, possibly causing the process +to terminate. Exfiltration of the bytes read does not appear +possible. + +(cherry picked from commit 2e75f0d9362fb979f5fc92829431a590a130929f) + +ticket: 9205 +version_fixed: 1.22.3 +--- + lib/gssapi/spnego/negoex_util.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/gssapi/spnego/negoex_util.c b/src/lib/gssapi/spnego/negoex_util.c +index edc5462e844..a65238e5730 100644 +--- a/lib/gssapi/spnego/negoex_util.c ++++ b/lib/gssapi/spnego/negoex_util.c +@@ -253,6 +253,10 @@ parse_nego_message(OM_uint32 *minor, struct k5input *in, + offset = k5_input_get_uint32_le(in); + count = k5_input_get_uint16_le(in); + p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len); ++ if (p == NULL) { ++ *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE; ++ return GSS_S_DEFECTIVE_TOKEN; ++ } + for (i = 0; i < count; i++) { + extension_type = load_32_le(p + i * EXTENSION_LENGTH); + if (extension_type & EXTENSION_FLAG_CRITICAL) { +@@ -391,7 +395,8 @@ parse_message(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, struct k5input *in, + msg_len = k5_input_get_uint32_le(in); + conv_id = k5_input_get_bytes(in, GUID_LENGTH); + +- if (in->status || msg_len > token_remaining || header_len > msg_len) { ++ if (in->status || msg_len > token_remaining || ++ header_len < (size_t)(in->ptr - msg_base) || header_len > msg_len) { + *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE; + return GSS_S_DEFECTIVE_TOKEN; + } diff --git a/pkgs/by-name/kr/krb5/package.nix b/pkgs/by-name/kr/krb5/package.nix index 0b504c6dc8a66..c4e35061d41af 100644 --- a/pkgs/by-name/kr/krb5/package.nix +++ b/pkgs/by-name/kr/krb5/package.nix @@ -34,16 +34,20 @@ stdenv.mkDerivation (finalAttrs: { pname = "krb5"; - version = "1.22.1"; + version = "1.22.2"; __structuredAttrs = true; src = fetchurl { url = "https://kerberos.org/dist/krb5/${lib.versions.majorMinor finalAttrs.version}/krb5-${finalAttrs.version}.tar.gz"; - hash = "sha256-GogyuMrZI+u/E5T2fi789B46SfRgKFpm41reyPoAU68="; + hash = "sha256-MkP/vI6k1Kwi3cfdKh3FTFeHTEBki2D/lwCXY1VOrxM="; }; - patches = lib.optionals stdenv.hostPlatform.isFreeBSD [ + patches = [ + # https://github.com/krb5/krb5/pull/1506 + ./CVE-2026-40355-and-CVE-2026-40356.patch + ] + ++ lib.optionals stdenv.hostPlatform.isFreeBSD [ (fetchpatch { name = "fix-missing-ENODATA.patch"; url = "https://cgit.freebsd.org/ports/plain/security/krb5-122/files/patch-lib_krad_packet.c?id=0501f716c4aff7880fde56e42d641ef504593b7d"; @@ -170,6 +174,7 @@ stdenv.mkDerivation (finalAttrs: { ]; meta = { + changelog = "https://web.mit.edu/Kerberos/krb5-${lib.versions.majorMinor finalAttrs.version}/"; description = "MIT Kerberos 5"; homepage = "http://web.mit.edu/kerberos/"; license = lib.licenses.mit; diff --git a/pkgs/by-name/li/libadwaita/package.nix b/pkgs/by-name/li/libadwaita/package.nix index 0d1ed0da7e85e..8f289c6e4977e 100644 --- a/pkgs/by-name/li/libadwaita/package.nix +++ b/pkgs/by-name/li/libadwaita/package.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "libadwaita"; - version = "1.9.0"; + version = "1.9.1"; outputs = [ "out" @@ -37,7 +37,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "GNOME"; repo = "libadwaita"; tag = finalAttrs.version; - hash = "sha256-JAKP8CjLCKGZvHoB26ih/J3xAru4wiVf/ObG0L8r4pY="; + hash = "sha256-Oy3WcsymNbbmAacm5hEOrorI1wKXjSp063mh4jCJRAE="; }; depsBuildBuild = [ diff --git a/pkgs/by-name/li/libaec/package.nix b/pkgs/by-name/li/libaec/package.nix index c9824823b6691..3b7b1768c93bf 100644 --- a/pkgs/by-name/li/libaec/package.nix +++ b/pkgs/by-name/li/libaec/package.nix @@ -7,13 +7,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "libaec"; - version = "1.1.6"; + version = "1.1.7"; src = fetchFromGitHub { owner = "Deutsches-Klimarechenzentrum"; repo = "libaec"; tag = "v${finalAttrs.version}"; - hash = "sha256-cxDP+JNwokxgzH9hO2zw+rIcz8XG7E8ujbAbWpgUEW8="; + hash = "sha256-aBm+CXCq7sdJb6Qq9sNuTzNj0nRwTJI20HsqUg1Qi/8="; }; nativeBuildInputs = [ diff --git a/pkgs/by-name/li/libass/package.nix b/pkgs/by-name/li/libass/package.nix index 61b8611327f0d..045b0d926bdb8 100644 --- a/pkgs/by-name/li/libass/package.nix +++ b/pkgs/by-name/li/libass/package.nix @@ -44,9 +44,7 @@ stdenv.mkDerivation (finalAttrs: { fribidi harfbuzz ] - ++ lib.optional fontconfigSupport fontconfig - # TODO: remove dep after branchoff (in darwin stdenv) - ++ lib.optional stdenv.hostPlatform.isDarwin libiconv.out; + ++ lib.optional fontconfigSupport fontconfig; meta = { description = "Portable ASS/SSA subtitle renderer"; diff --git a/pkgs/by-name/li/libcaca/package.nix b/pkgs/by-name/li/libcaca/package.nix index 689257d7ff8ed..d233cdabfe871 100644 --- a/pkgs/by-name/li/libcaca/package.nix +++ b/pkgs/by-name/li/libcaca/package.nix @@ -2,6 +2,7 @@ lib, stdenv, fetchFromGitHub, + fetchpatch, autoreconfHook, imlib2, libxext, @@ -23,6 +24,14 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-N0Lfi0d4kjxirEbIjdeearYWvStkKMyV6lgeyNKXcVw="; }; + patches = [ + (fetchpatch { + name = "CVE-2026-42046.patch"; + url = "https://github.com/cacalabs/libcaca/commit/fb77acff9ba6bb01d53940da34fb10f20b156a23.patch"; + hash = "sha256-AdpiE5Gw/CVET//7TTYZCb0glW5HY+T8xZkYs1XCBvY="; + }) + ]; + nativeBuildInputs = [ autoreconfHook pkg-config diff --git a/pkgs/by-name/li/libde265/package.nix b/pkgs/by-name/li/libde265/package.nix index 51e24c6ed5ac2..771b9e3366340 100644 --- a/pkgs/by-name/li/libde265/package.nix +++ b/pkgs/by-name/li/libde265/package.nix @@ -15,14 +15,14 @@ }: stdenv.mkDerivation (finalAttrs: { - version = "1.0.18"; + version = "1.1.1"; pname = "libde265"; src = fetchFromGitHub { owner = "strukturag"; repo = "libde265"; tag = "v${finalAttrs.version}"; - hash = "sha256-N6K82ElrzrMSNKfPTDsc5onrxucIJ8niwFgbaEPPd2I="; + hash = "sha256-ZHfPC86oylqt2bwWMJRWVjdMEEmX6UOKR7XkR0HPyok="; }; nativeBuildInputs = [ @@ -43,6 +43,7 @@ stdenv.mkDerivation (finalAttrs: { meta = { homepage = "https://github.com/strukturag/libde265"; + changelog = "https://github.com/strukturag/libde265/releases/tag/${finalAttrs.src.tag}"; description = "Open h.265 video codec implementation"; mainProgram = "dec265"; license = lib.licenses.lgpl3; diff --git a/pkgs/by-name/li/libgcrypt/package.nix b/pkgs/by-name/li/libgcrypt/package.nix index 9317da7494fda..08fa5886de73f 100644 --- a/pkgs/by-name/li/libgcrypt/package.nix +++ b/pkgs/by-name/li/libgcrypt/package.nix @@ -17,11 +17,11 @@ assert enableCapabilities -> stdenv.hostPlatform.isLinux; stdenv.mkDerivation rec { pname = "libgcrypt"; - version = "1.11.2"; + version = "1.12.2"; src = fetchurl { url = "mirror://gnupg/libgcrypt/${pname}-${version}.tar.bz2"; - hash = "sha256-a6Wd0ZInDowdIt20GgfZXc28Hw+wLQPEtUsjWBQzCqw="; + hash = "sha256-fOM8JJIiGgQ2+WqFACFenz49y1/SanV81BXnqEO6vV4="; }; outputs = [ @@ -73,17 +73,6 @@ stdenv.mkDerivation rec { postConfigure = '' sed -i configure \ -e 's/NOEXECSTACK_FLAGS=$/NOEXECSTACK_FLAGS="-Wa,--noexecstack"/' - '' - # The cipher/simd-common-riscv.h wasn't added to the release tarball, please remove this hack on next version update - # https://dev.gnupg.org/T7647 - + lib.optionalString stdenv.hostPlatform.isRiscV '' - cp ${ - fetchurl { - url = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob_plain;f=cipher/simd-common-riscv.h;h=8381000f9ac148c60a6963a1d9ec14a3fee1c576;hb=81ce5321b1b79bde6dfdc3c164efb40c13cf656b"; - hash = "sha256-Toe15YLAOYULnLc2fGMMv/xzs/q1t3LsyiqtL7imc+8="; - name = "simd-common-riscv.h"; - } - } cipher/simd-common-riscv.h ''; enableParallelBuilding = true; diff --git a/pkgs/by-name/li/libheif/package.nix b/pkgs/by-name/li/libheif/package.nix index 7d4912e775986..42171d469f5a9 100644 --- a/pkgs/by-name/li/libheif/package.nix +++ b/pkgs/by-name/li/libheif/package.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "libheif"; - version = "1.21.2"; + version = "1.23.0"; outputs = [ "bin" @@ -38,7 +38,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "strukturag"; repo = "libheif"; rev = "v${finalAttrs.version}"; - hash = "sha256-odkJ0wZSGoZ7mX9fkaNREDpMvQuQA9HKaf3so1dYrbc="; + hash = "sha256-+LbYwDSxixy4TaraUCN2LiCnn32dkMppCA8EOFXbvtg="; }; nativeBuildInputs = [ diff --git a/pkgs/by-name/li/libpng/package.nix b/pkgs/by-name/li/libpng/package.nix index d533f3ed56bbd..7d52bcffb378e 100644 --- a/pkgs/by-name/li/libpng/package.nix +++ b/pkgs/by-name/li/libpng/package.nix @@ -11,10 +11,10 @@ assert zlib != null; let - patchVersion = "1.6.56"; + patchVersion = "1.6.58"; patch_src = fetchurl { url = "mirror://sourceforge/libpng-apng/libpng-${patchVersion}-apng.patch.gz"; - hash = "sha256-nOMtSidjoqxfJYcmui9J6QETJ8HujDCGKjLQ8wiJ++g="; + hash = "sha256-7ufeoi7VAoaAF5cchsY8TtHmCF3guuv9zD0zIvAPPrA="; }; whenPatched = lib.optionalString apngSupport; @@ -24,11 +24,11 @@ let in stdenv'.mkDerivation (finalAttrs: { pname = "libpng" + whenPatched "-apng"; - version = "1.6.56"; + version = "1.6.58"; src = fetchurl { url = "mirror://sourceforge/libpng/libpng-${finalAttrs.version}.tar.xz"; - hash = "sha256-99i/FgG3gE9YOiVKs0OmVJymzyfSVcMCxHry2dNqbxg="; + hash = "sha256-KOtAP1Hw90BSSRMs7P6C6lwO+X8bMsWmWCiBSuDTR3U="; }; postPatch = whenPatched "gunzip < ${patch_src} | patch -Np1" diff --git a/pkgs/by-name/li/libressl/default.nix b/pkgs/by-name/li/libressl/default.nix index 7a266936f6c41..4bf139efc381d 100644 --- a/pkgs/by-name/li/libressl/default.nix +++ b/pkgs/by-name/li/libressl/default.nix @@ -23,6 +23,9 @@ let pname = "libressl"; inherit version; + strictDeps = true; + __structuredAttrs = true; + src = fetchurl { url = "mirror://openbsd/LibreSSL/libressl-${version}.tar.gz"; inherit hash; @@ -60,6 +63,23 @@ let preCheck = '' export PREVIOUS_${ldLibPathEnvName}=$${ldLibPathEnvName} export ${ldLibPathEnvName}="$${ldLibPathEnvName}:$(realpath tls/):$(realpath ssl/):$(realpath crypto/)" + '' + + lib.optionalString stdenv.hostPlatform.isElf '' + # Bail if any shared object has executable stack enabled. This can + # happen when an object produced from an assmbly file in libcrypto is + # missing a .note.GNU-stack section. An executable stack is dangerous + # and unintentional, but without this check the derivation will build + # and even run if W^X is not enforced; it would fail dangerously. + objdump -p **/*.so | awk ' + BEGIN { res = 0 } + /file format/ { file = $1 } + /STACK/ { stack = 1; next } + stack { + if ($0 ~ /flags.*x/) { print file " has executable stack"; res = 1 } + stack = 0 + } + END { exit res } + ' ''; postCheck = '' export ${ldLibPathEnvName}=$PREVIOUS_${ldLibPathEnvName} @@ -96,6 +116,7 @@ let maintainers = with lib.maintainers; [ thoughtpolice fpletz + ruuda ]; inherit knownVulnerabilities; @@ -111,37 +132,42 @@ let identifiers.cpeParts = lib.meta.cpeFullVersionWithVendor "openbsd" version; }; }; + # https://github.com/libressl/portable/pull/1206 + # This got merged in February 2026 and is included as of LibreSSL 4.3.0. common-cmake-install-full-dirs-patch = fetchpatch { url = "https://github.com/libressl/portable/commit/a15ea0710398eaeed3be53cf643e80a1e80c981d.patch"; hash = "sha256-Mlf4SrGCCqALQicbGtmVGdkdfcE8DEGYkOuVyG2CozM="; }; in { - libressl_4_1 = generic { - version = "4.1.2"; - hash = "sha256-+6Ti+ip/UjBt96OJlwoQ6YuX6w7bKZqf252/SZmcYeE="; - # Fixes build on loongarch64 - # https://github.com/libressl/portable/pull/1184 - postPatch = '' - mkdir -p include/arch/loongarch64 - cp ${ - fetchurl { - url = "https://github.com/libressl/portable/raw/refs/tags/v4.1.0/include/arch/loongarch64/opensslconf.h"; - hash = "sha256-68dw5syUy1z6GadCMR4TR9+0UQX6Lw/CbPWvjHGAhgo="; - } - } include/arch/loongarch64/opensslconf.h - ''; + # 4.2 was released October 2025 and will become unsupported on October 22, + # 2026, one year after the release of OpenBSD 7.8. + libressl_4_2 = generic { + version = "4.2.1"; + hash = "sha256-bVwvWFg1iOp5H0yGRQBAcdAN+lVKW/eIoAbKHrWr1ws="; patches = [ common-cmake-install-full-dirs-patch ]; }; - libressl_4_2 = generic { - version = "4.2.1"; - hash = "sha256-bVwvWFg1iOp5H0yGRQBAcdAN+lVKW/eIoAbKHrWr1ws="; + # 4.3 was released April 2026 and will become unsupported one year after the + # release of OpenBSD 7.9. + libressl_4_3 = generic { + version = "4.3.1"; + hash = "sha256-wttCrOFOfVQZgm+rNadC7G5NEnJaBRpR0M6jwQug+lA="; patches = [ - common-cmake-install-full-dirs-patch + # Fix for https://github.com/libressl/portable/issues/1278, where LibreSSL + # 4.3 started requiring executable stack because some objects were missing + # a .note.GNU-stack section; will probably be included in the next release. + (fetchpatch { + url = "https://raw.githubusercontent.com/libressl/portable/4dae91d056c6c75ba5cf2bc5e6148b8e02239119/patches/gnu-stack.patch"; + hash = "sha256-Q1oWL4N8w5Zmjfq5QkTJR53NgZ4GqChSDaBicli5G2I="; + # This patch is written to be applied with -p0, with no leading path + # component, but Nix applies with -p1 by default, so we add it to not + # break compatibility with how other patches must be applied. + decode = "sed 's|^--- |--- a/|; s|^+++ |+++ b/|'"; + }) ]; }; } diff --git a/pkgs/by-name/op/openapv/package.nix b/pkgs/by-name/op/openapv/package.nix index b153552d6f172..27d31127a0041 100644 --- a/pkgs/by-name/op/openapv/package.nix +++ b/pkgs/by-name/op/openapv/package.nix @@ -12,13 +12,13 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "openapv"; - version = "0.2.1.2"; + version = "0.2.1.3"; src = fetchFromGitHub { owner = "AcademySoftwareFoundation"; repo = "openapv"; - tag = "v${finalAttrs.version}"; - hash = "sha256-wxncN7j5p0GXpWhOx4Ix0oTgGK2sIrfJgQ45fFwmQBI="; + tag = "v${finalAttrs.version}-fix"; # Remove the `-fix` suffix after the next version + hash = "sha256-lc/x2dWh6T8c63siHB32ka+SPVYTTyaO4YrQ12EbGqw="; }; postPatch = '' diff --git a/pkgs/by-name/op/openldap/package.nix b/pkgs/by-name/op/openldap/package.nix index c87e6c2e75a5f..7499f3a6fd163 100644 --- a/pkgs/by-name/op/openldap/package.nix +++ b/pkgs/by-name/op/openldap/package.nix @@ -122,6 +122,8 @@ stdenv.mkDerivation (finalAttrs: { # https://bugs.openldap.org/show_bug.cgi?id=8623 rm -f tests/scripts/test022-ppolicy + rm -f tests/scripts/test*-sync* + rm -f tests/scripts/test063-delta-multiprovider # https://bugs.openldap.org/show_bug.cgi?id=10009 diff --git a/pkgs/by-name/pu/publicsuffix-list/package.nix b/pkgs/by-name/pu/publicsuffix-list/package.nix index 72c500777df23..ea3f3d9fa1e47 100644 --- a/pkgs/by-name/pu/publicsuffix-list/package.nix +++ b/pkgs/by-name/pu/publicsuffix-list/package.nix @@ -7,13 +7,13 @@ stdenvNoCC.mkDerivation { pname = "publicsuffix-list"; - version = "0-unstable-2026-03-26"; + version = "0-unstable-2026-05-13"; src = fetchFromGitHub { owner = "publicsuffix"; repo = "list"; - rev = "d333b72b39575da1ce6932b01d7c421a4107c620"; - hash = "sha256-LWnvQrIyj+iq96T1u9WEq+HGOZ5sJYN5nCintEr6sBk="; + rev = "e452c7058d6946bd76952b128c12f5ce87a5acb8"; + hash = "sha256-5D4RZAyJOL4hMU32Rmp3SYmjgqEtF36mZJr4YBG0k7E="; }; dontBuild = true; diff --git a/pkgs/by-name/rs/rsync/fix-tests-in-darwin-sandbox.patch b/pkgs/by-name/rs/rsync/fix-tests-in-darwin-sandbox.patch deleted file mode 100644 index d9209a97c1ed3..0000000000000 --- a/pkgs/by-name/rs/rsync/fix-tests-in-darwin-sandbox.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 9b104ed9859f17b6ed4c4ad01806c75a0c197dd7 Mon Sep 17 00:00:00 2001 -From: Emily -Date: Tue, 5 Aug 2025 15:55:24 +0100 -Subject: [PATCH] Allow `ls(1)` to fail in test setup - -This can happen when the tests are unable to `stat(2)` some files in -`/etc`, `/bin`, or `/`, due to Unix permissions or other sandboxing. We -still guard against serious errors, which use exit code 2. ---- - testsuite/longdir.test | 4 ++-- - testsuite/rsync.fns | 8 ++++---- - 2 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/testsuite/longdir.test b/testsuite/longdir.test -index 8d66bb5f..26747292 100644 ---- a/testsuite/longdir.test -+++ b/testsuite/longdir.test -@@ -16,9 +16,9 @@ makepath "$longdir" || test_skipped "unable to create long directory" - touch "$longdir/1" || test_skipped "unable to create files in long directory" - date > "$longdir/1" - if [ -r /etc ]; then -- ls -la /etc >"$longdir/2" -+ ls -la /etc >"$longdir/2" || [ $? -eq 1 ] - else -- ls -la / >"$longdir/2" -+ ls -la / >"$longdir/2" || [ $? -eq 1 ] - fi - checkit "$RSYNC --delete -avH '$fromdir/' '$todir'" "$fromdir/" "$todir" - -diff --git a/testsuite/rsync.fns b/testsuite/rsync.fns -index 2ab97b69..f7da363f 100644 ---- a/testsuite/rsync.fns -+++ b/testsuite/rsync.fns -@@ -195,15 +195,15 @@ hands_setup() { - echo some data > "$fromdir/dir/subdir/foobar.baz" - mkdir "$fromdir/dir/subdir/subsubdir" - if [ -r /etc ]; then -- ls -ltr /etc > "$fromdir/dir/subdir/subsubdir/etc-ltr-list" -+ ls -ltr /etc > "$fromdir/dir/subdir/subsubdir/etc-ltr-list" || [ $? -eq 1 ] - else -- ls -ltr / > "$fromdir/dir/subdir/subsubdir/etc-ltr-list" -+ ls -ltr / > "$fromdir/dir/subdir/subsubdir/etc-ltr-list" || [ $? -eq 1 ] - fi - mkdir "$fromdir/dir/subdir/subsubdir2" - if [ -r /bin ]; then -- ls -lt /bin > "$fromdir/dir/subdir/subsubdir2/bin-lt-list" -+ ls -lt /bin > "$fromdir/dir/subdir/subsubdir2/bin-lt-list" || [ $? -eq 1 ] - else -- ls -lt / > "$fromdir/dir/subdir/subsubdir2/bin-lt-list" -+ ls -lt / > "$fromdir/dir/subdir/subsubdir2/bin-lt-list" || [ $? -eq 1 ] - fi - - # echo testing head: --- -2.50.1 - diff --git a/pkgs/by-name/rs/rsync/package.nix b/pkgs/by-name/rs/rsync/package.nix index 90380b4869166..a102ff36cc15f 100644 --- a/pkgs/by-name/rs/rsync/package.nix +++ b/pkgs/by-name/rs/rsync/package.nix @@ -1,12 +1,12 @@ { lib, stdenv, - fetchpatch, fetchurl, + fetchpatch, updateAutotoolsGnuConfigScriptsHook, perl, - + python3, libiconv, zlib, popt, @@ -29,24 +29,29 @@ stdenv.mkDerivation (finalAttrs: { pname = "rsync"; - version = "3.4.1"; + version = "3.4.4"; src = fetchurl { # signed with key 9FEF 112D CE19 A0DC 7E88 2CB8 1BB2 4997 A853 5F6F url = "mirror://samba/rsync/src/rsync-${finalAttrs.version}.tar.gz"; - hash = "sha256-KSS8s6Hti1UfwQH3QLnw/gogKxFQJ2R89phQ1l/YjFI="; + hash = "sha256-vYjPgvplPaMjFPsikTZAfFyQ+A0XWNj0sJF2eHfY+pY="; }; - patches = [ - # See: - ./fix-tests-in-darwin-sandbox.patch - # fix compilation with gcc15 + patches = lib.optionals (stdenv.hostPlatform.isDarwin) [ + # Fixes test failure on darwin (fetchpatch { - url = "https://github.com/RsyncProject/rsync/commit/a4b926dcdce96b0f2cc0dc7744e95747b233500a.patch"; - hash = "sha256-UiEQJ+p2gtIDYNJqnxx4qKgItKIZzCpkHnvsgoxBmSE="; + url = "https://github.com/RsyncProject/rsync/commit/e1c5f0e93a75dd45f32f3b92ba221ef158ac2e5f.patch"; + hash = "sha256-pg65K9BCTq/WvS5icK6KT28ARccFKedp2445wLYdRsE="; + excludes = [ + ".github/workflows/cygwin-build.yml" + ]; }) ]; + preBuild = '' + patchShebangs ./runtests.py + ''; + nativeBuildInputs = [ updateAutotoolsGnuConfigScriptsHook perl @@ -86,6 +91,15 @@ stdenv.mkDerivation (finalAttrs: { passthru.tests = { inherit (nixosTests) rsyncd; }; + nativeCheckInputs = [ + python3 + ]; + + # Test fails when built in a chroot store + preCheck = '' + rm testsuite/chgrp.test + ''; + doCheck = true; __darwinAllowLocalNetworking = true; diff --git a/pkgs/by-name/ru/rust-cbindgen/package.nix b/pkgs/by-name/ru/rust-cbindgen/package.nix index 14374532ff525..88bb855e800b0 100644 --- a/pkgs/by-name/ru/rust-cbindgen/package.nix +++ b/pkgs/by-name/ru/rust-cbindgen/package.nix @@ -14,16 +14,16 @@ rustPlatform.buildRustPackage (finalAttrs: { pname = "rust-cbindgen"; - version = "0.29.2"; + version = "0.29.3"; src = fetchFromGitHub { owner = "mozilla"; repo = "cbindgen"; rev = "v${finalAttrs.version}"; - hash = "sha256-P2A+XSLrcuYsI48gnZSNNs5qX+EatiuEJSEJbMvMSxg="; + hash = "sha256-d0rY7Sk37s8HEZlQq9Sbjj1P+DgygD0Yjx8cXlFKEIA="; }; - cargoHash = "sha256-DbmlpjiOraLWPh5RgJqCIGIYzE1h82MH2S6gpLH+CIQ="; + cargoHash = "sha256-UeierkQpfCiB5ES9ZW9hO+0AcI9Ip8qSJ/Nd+I1xrmQ="; nativeCheckInputs = [ cmake diff --git a/pkgs/by-name/sd/sdl3/package.nix b/pkgs/by-name/sd/sdl3/package.nix index 19ee7429320d4..f5814d3f91b8e 100644 --- a/pkgs/by-name/sd/sdl3/package.nix +++ b/pkgs/by-name/sd/sdl3/package.nix @@ -70,7 +70,7 @@ assert lib.assertMsg (ibusSupport -> dbusSupport) "SDL3 requires dbus support to stdenv.mkDerivation (finalAttrs: { pname = "sdl3"; - version = "3.4.8"; + version = "3.4.10"; outputs = [ "lib" @@ -83,14 +83,21 @@ stdenv.mkDerivation (finalAttrs: { owner = "libsdl-org"; repo = "SDL"; tag = "release-${finalAttrs.version}"; - hash = "sha256-uBGyGxrUVx642Ku8qhR2sTy2JagcSioIhh/5RsXVAIM="; + hash = "sha256-6Dph2eLiJUmpQzPWe8EuY5LrWhrFwde2f2dwfgCcWNw="; }; postPatch = - # Tests timeout on Darwin lib.optionalString (finalAttrs.finalPackage.doCheck) '' + # Tests timeout on Darwin substituteInPlace test/CMakeLists.txt \ --replace-fail 'set(noninteractive_timeout 10)' 'set(noninteractive_timeout 30)' + + # intermittent test failure + # https://github.com/libsdl-org/SDL/issues/15346 + substituteInPlace test/CMakeLists.txt \ + --replace-fail \ + 'add_sdl_test_executable(testrwlock SOURCES testrwlock.c NONINTERACTIVE NONINTERACTIVE_TIMEOUT 20)' \ + 'add_sdl_test_executable(testrwlock SOURCES testrwlock.c NONINTERACTIVE NONINTERACTIVE_TIMEOUT 300)' '' + lib.optionalString waylandSupport '' substituteInPlace src/dialog/unix/SDL_zenitymessagebox.c \ diff --git a/pkgs/by-name/si/simdjson/package.nix b/pkgs/by-name/si/simdjson/package.nix index 575f604ca34c4..3cb507297c472 100644 --- a/pkgs/by-name/si/simdjson/package.nix +++ b/pkgs/by-name/si/simdjson/package.nix @@ -7,13 +7,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "simdjson"; - version = "4.6.0"; + version = "4.6.4"; src = fetchFromGitHub { owner = "simdjson"; repo = "simdjson"; tag = "v${finalAttrs.version}"; - hash = "sha256-VGErBWAHk63XMv8yC+Na+gXHByhYhtIEMSBySwIDlXk="; + hash = "sha256-8oQzsR7DSaNTN9su1uI9tRQ9HvOwXShPwSrnQj8+lGM="; }; nativeBuildInputs = [ cmake ]; diff --git a/pkgs/by-name/un/unbound/package.nix b/pkgs/by-name/un/unbound/package.nix index 45cdc57ff0a87..9358185211031 100644 --- a/pkgs/by-name/un/unbound/package.nix +++ b/pkgs/by-name/un/unbound/package.nix @@ -57,13 +57,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "unbound"; - version = "1.25.0"; + version = "1.25.1"; src = fetchFromGitHub { owner = "NLnetLabs"; repo = "unbound"; tag = "release-${finalAttrs.version}"; - hash = "sha256-BAqGNi5lfYYTQd7CPH0lssLc5/AkeuKSVEFcrF/cNyc="; + hash = "sha256-1PXnxCPxoB5IrVBQIsrxiWAq+IoH7Ma9T1TTJsoTJc4="; }; outputs = [ diff --git a/pkgs/by-name/va/valkey/package.nix b/pkgs/by-name/va/valkey/package.nix index 81a40f68bf214..82e625efe9330 100644 --- a/pkgs/by-name/va/valkey/package.nix +++ b/pkgs/by-name/va/valkey/package.nix @@ -2,7 +2,6 @@ lib, stdenv, fetchFromGitHub, - fetchpatch, lua, jemalloc, pkg-config, @@ -25,13 +24,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "valkey"; - version = "9.0.4"; + version = "9.1.0"; src = fetchFromGitHub { owner = "valkey-io"; repo = "valkey"; rev = finalAttrs.version; - hash = "sha256-FDm6i6G6h9WapMTj7ke4YtOjZ4rwIJZGONunQi0v7CE="; + hash = "sha256-RMZz83fycpOTPWB1dIXU0/hdh4ZGC+6JhCws8htAQ5E="; }; patches = lib.optional useSystemJemalloc ./use_system_jemalloc.patch; @@ -94,13 +93,14 @@ stdenv.mkDerivation (finalAttrs: { fi # Skip some more flaky tests. - # Skip test requiring custom jemalloc (unit/memefficiency). + # Skip test requiring custom jemalloc (unit/memefficiency, unit/type/string). ./runtest \ --no-latency \ --timeout 2000 \ --clients "$CLIENTS" \ --tags -leaks \ --skipunit unit/memefficiency \ + --skipunit unit/type/string \ --skipunit integration/failover \ --skipunit integration/aof-multi-part diff --git a/pkgs/by-name/xv/xvfb/package.nix b/pkgs/by-name/xv/xvfb/package.nix index d14e353387763..934fade5a7958 100644 --- a/pkgs/by-name/xv/xvfb/package.nix +++ b/pkgs/by-name/xv/xvfb/package.nix @@ -38,13 +38,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "xvfb"; - # TODO: rebuild avoidance. revert on staging. - # inherit (xorg-server) src version; - version = "21.1.22"; - src = fetchurl { - url = "mirror://xorg/individual/xserver/xorg-server-${finalAttrs.version}.tar.xz"; - hash = "sha256-GiQsiRfEm6KczB9gIWE9iiuYBd0NJxpmrp0J9LC7BrM="; - }; + inherit (xorg-server) src version; strictDeps = true; diff --git a/pkgs/development/compilers/go/1.26.nix b/pkgs/development/compilers/go/1.26.nix index 01704593ad777..242fa4c91de87 100644 --- a/pkgs/development/compilers/go/1.26.nix +++ b/pkgs/development/compilers/go/1.26.nix @@ -25,11 +25,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "go"; - version = "1.26.3"; + version = "1.26.4"; src = fetchurl { url = "https://go.dev/dl/go${finalAttrs.version}.src.tar.gz"; - hash = "sha256-HGRoddCqh5kTMYTtV895/yS97+jIggRwYCqdPW2Rkrg="; + hash = "sha256-T2aKMvv8ETLmqIH7lowvHa2mMUkqM5IRc1+7JVpCYC0="; }; strictDeps = true; diff --git a/pkgs/development/compilers/rust/cargo.nix b/pkgs/development/compilers/rust/cargo.nix index a86e4a3d186d7..7c3d4eb2a5e0a 100644 --- a/pkgs/development/compilers/rust/cargo.nix +++ b/pkgs/development/compilers/rust/cargo.nix @@ -3,6 +3,7 @@ stdenv, pkgsHostHost, pkgsBuildBuild, + fetchpatch, file, curl, pkg-config, @@ -26,6 +27,23 @@ rustPlatform.buildRustPackage.override pname = "cargo"; inherit (rustc.unwrapped) version src; + patches = [ + (fetchpatch { + name = "CVE-2026-5222.patch"; + url = "https://github.com/rust-lang/cargo/commit/c4d63a44234de22dc745231c416b80ed848d997f.patch"; + stripLen = 1; + extraPrefix = "src/tools/cargo/"; + hash = "sha256-YG7xtC308z+o1xVzrV81qqWov1121GVouyAXKflyBF8="; + }) + (fetchpatch { + name = "CVE-2026-5223.patch"; + url = "https://github.com/rust-lang/cargo/commit/285cebf58911eca5b7f177f5d0b1c53e1f646577.patch"; + stripLen = 1; + extraPrefix = "src/tools/cargo/"; + hash = "sha256-DbmPQ31N4AIYZEBiwwGAn59hgPsFEVTzA6PrI071LXE="; + }) + ]; + # the rust source tarball already has all the dependencies vendored, no need to fetch them again cargoVendorDir = "vendor"; buildAndTestSubdir = "src/tools/cargo"; diff --git a/pkgs/development/interpreters/perl/CVE-2026-8376.patch b/pkgs/development/interpreters/perl/CVE-2026-8376.patch new file mode 100644 index 0000000000000..c8ad722981788 --- /dev/null +++ b/pkgs/development/interpreters/perl/CVE-2026-8376.patch @@ -0,0 +1,20 @@ +Targeted patch for CVE-2026-8376, based on 5e7f119eb2bb1181be908701f22bf7068e722f1c but avoids changes to t/re/pat_psycho.t as they do not apply cleanly. + +diff --git a/regcomp_study.c b/regcomp_study.c +index b513454a4258..1602663f4b26 100644 +--- a/regcomp_study.c ++++ b/regcomp_study.c +@@ -2784,6 +2784,13 @@ Perl_study_chunk(pTHX_ + (U8 *) SvEND(data->last_found)) + - (U8*)s; + l -= old; ++ ++ if (l > 0 && ++ (mincount >= SSize_t_MAX / (SSize_t)l ++ || old > SSize_t_MAX - mincount * (SSize_t)l)) { ++ FAIL("Regexp out of space"); ++ } ++ + /* Get the added string: */ + last_str = newSVpvn_utf8(s + old, l, UTF); + last_chrs = UTF ? utf8_length((U8*)(s + old), diff --git a/pkgs/development/interpreters/perl/interpreter.nix b/pkgs/development/interpreters/perl/interpreter.nix index fce8e1c9e0f04..cdb03912b5177 100644 --- a/pkgs/development/interpreters/perl/interpreter.nix +++ b/pkgs/development/interpreters/perl/interpreter.nix @@ -36,6 +36,8 @@ let commonPatches = [ # Do not look in /usr etc. for dependencies. ./no-sys-dirs.patch + + ./CVE-2026-8376.patch ] # Fix build on Solaris on x86_64 @@ -79,6 +81,61 @@ let # Some more details: https://arsv.github.io/perl-cross/modules.html ++ lib.optional crossCompiling ./cross.patch; + # Inject fixed CPAN releases for bundled dual-life distributions until the + # next perl maintenance release includes them. + vendoredPerlDistributions = [ + { + # CVE-2026-7010 + path = "cpan/HTTP-Tiny"; + src = fetchurl { + url = "mirror://cpan/authors/id/H/HA/HAARG/HTTP-Tiny-0.094.tar.gz"; + hash = "sha256-poQemfwbVdFd6VlHzL17dnvsxRxxAhl/qPBE333cB0M="; + }; + } + { + # CVE-2026-3381, CVE-2026-4176 + path = "cpan/Compress-Raw-Zlib"; + src = fetchurl { + url = "mirror://cpan/authors/id/P/PM/PMQS/Compress-Raw-Zlib-2.222.tar.gz"; + hash = "sha256-Hf19URplVifIGBXTDTurwo+luIRV/wP4sECZ3LUShrg="; + }; + } + { + # Runtime dependency of IO-Compress 2.220. + path = "cpan/Compress-Raw-Bzip2"; + src = fetchurl { + url = "mirror://cpan/authors/id/P/PM/PMQS/Compress-Raw-Bzip2-2.218.tar.gz"; + hash = "sha256-iRU+ai69pSNJSTsHT6S3VJ/x+QU952E8GKXgXFtBX6g="; + }; + } + { + # CVE-2026-48962, CVE-2026-48961, CVE-2026-48959 + path = "cpan/IO-Compress"; + src = fetchurl { + url = "mirror://cpan/authors/id/P/PM/PMQS/IO-Compress-2.220.tar.gz"; + hash = "sha256-nZbqKR8sVO82fHOWuFfZO6GsHEsvG84T7Yo+Xz7rtic="; + }; + } + { + # CVE-2026-42496, CVE-2026-42497, CVE-2026-9538 + path = "cpan/Archive-Tar"; + src = fetchurl { + url = "mirror://cpan/authors/id/B/BI/BINGOS/Archive-Tar-3.12.tar.gz"; + hash = "sha256-ARTvObZfSfiWgoOrR3Gdfoj5jXNg/jZJvjMcf1PVgyw="; + }; + } + ]; + + replaceVendoredPerlDistributions = lib.concatMapStringsSep "\n" (d: '' + rm -rf ${d.path} + mkdir -p ${d.path} + + tar --strip-components=1 -C ${d.path} -xf ${d.src} + + # Remove executable bits to make t/porting/exec-bit.t happy. + find ${d.path} -type f -exec chmod a-x {} + + '') vendoredPerlDistributions; + libc = if stdenv.cc.libc or null != null then stdenv.cc.libc else "/usr"; libcInc = lib.getDev libc; libcLib = lib.getLib libc; @@ -136,10 +193,10 @@ stdenv.mkDerivation ( --replace "/bin/pwd" "$(type -P pwd)" '' ) - + - # Perl's build system uses the src variable, and its value may end up in - # the output in some cases (when cross-compiling) - '' + + replaceVendoredPerlDistributions + + '' + # Perl's build system uses the src variable, and its value may end up in + # the output in some cases (when cross-compiling). unset src ''; diff --git a/pkgs/development/libraries/ffmpeg/default.nix b/pkgs/development/libraries/ffmpeg/default.nix index a155b694f6c33..acfedac85f4da 100644 --- a/pkgs/development/libraries/ffmpeg/default.nix +++ b/pkgs/development/libraries/ffmpeg/default.nix @@ -30,8 +30,8 @@ let hash = "sha256-GDN0+tJY8Nap9UkNUfzqT9cGV1IVCuy5Du/64G+8QdE="; }; v8 = { - version = "8.1"; - hash = "sha256-FdKhhCveEo5UodEoyUh3aBHABv3OT2VXmwBXE1ce3p0="; + version = "8.1.1"; + hash = "sha256-WPGfjTZjsgpR5QiANRWF4g6LF2ejGzFQUrLjhzw9cfQ="; }; in diff --git a/pkgs/development/libraries/glibc/2.42-master.patch b/pkgs/development/libraries/glibc/2.42-master.patch index 47ed7dd1183bb..a7bdf93961db0 100644 --- a/pkgs/development/libraries/glibc/2.42-master.patch +++ b/pkgs/development/libraries/glibc/2.42-master.patch @@ -7154,3 +7154,762 @@ index 00181cfefb..e83ea2b939 100644 TEST_VERIFY (ret != 0); TEST_COMPARE (errno, EBUSY); } + +commit f13c1bb0f97fbc12a6ba1ab5669ce561ea32b80a +Author: Florian Weimer +Date: Thu Apr 16 19:13:43 2026 +0200 + + Use pending character state in IBM1390, IBM1399 character sets (CVE-2026-4046) + + Follow the example in iso-2022-jp-3.c and use the __count state + variable to store the pending character. This avoids restarting + the conversion if the output buffer ends between two 4-byte UCS-4 + code points, so that the assert reported in the bug can no longer + happen. + + Even though the fix is applied to ibm1364.c, the change is only + effective for the two HAS_COMBINED codecs for IBM1390, IBM1399. + + The test case was mostly auto-generated using + claude-4.6-opus-high-thinking, and composer-2-fast shows up in the + log as well. During review, gpt-5.4-xhigh flagged that the original + version of the test case was not exercising the new character + flush logic. + + This fixes bug 33980. + + Assisted-by: LLM + Reviewed-by: Carlos O'Donell + (cherry picked from commit d6f08d1cf027f4eb2ba289a6cc66853722d4badc) + +diff --git a/iconvdata/Makefile b/iconvdata/Makefile +index 5a2abeea24..cc689f63e9 100644 +--- a/iconvdata/Makefile ++++ b/iconvdata/Makefile +@@ -76,7 +76,7 @@ tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \ + tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \ + bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \ + bug-iconv13 bug-iconv14 bug-iconv15 \ +- tst-iconv-iso-2022-cn-ext ++ tst-iconv-iso-2022-cn-ext tst-bug33980 + ifeq ($(have-thread-library),yes) + tests += bug-iconv3 + endif +@@ -333,6 +333,8 @@ $(objpfx)bug-iconv15.out: $(addprefix $(objpfx), $(gconv-modules)) \ + $(addprefix $(objpfx),$(modules.so)) + $(objpfx)tst-iconv-iso-2022-cn-ext.out: $(addprefix $(objpfx), $(gconv-modules)) \ + $(addprefix $(objpfx),$(modules.so)) ++$(objpfx)tst-bug33980.out: $(addprefix $(objpfx), $(gconv-modules)) \ ++ $(addprefix $(objpfx),$(modules.so)) + + $(objpfx)iconv-test.out: run-iconv-test.sh \ + $(addprefix $(objpfx), $(gconv-modules)) \ +diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c +index 45c62acee5..244c61ad7a 100644 +--- a/iconvdata/ibm1364.c ++++ b/iconvdata/ibm1364.c +@@ -67,12 +67,29 @@ + + /* Since this is a stateful encoding we have to provide code which resets + the output state to the initial state. This has to be done during the +- flushing. */ ++ flushing. For the to-internal direction (FROM_DIRECTION is true), ++ there may be a pending character that needs flushing. */ + #define EMIT_SHIFT_TO_INIT \ + if ((data->__statep->__count & ~7) != sb) \ + { \ + if (FROM_DIRECTION) \ +- data->__statep->__count &= 7; \ ++ { \ ++ uint32_t ch = data->__statep->__count >> 7; \ ++ if (__glibc_unlikely (ch != 0)) \ ++ { \ ++ if (__glibc_unlikely (outend - outbuf < 4)) \ ++ status = __GCONV_FULL_OUTPUT; \ ++ else \ ++ { \ ++ put32 (outbuf, ch); \ ++ outbuf += 4; \ ++ /* Clear character and db bit. */ \ ++ data->__statep->__count &= 7; \ ++ } \ ++ } \ ++ else \ ++ data->__statep->__count &= 7; \ ++ } \ + else \ + { \ + /* We are not in the initial state. To switch back we have \ +@@ -99,11 +116,13 @@ + *curcsp = save_curcs + + +-/* Current codeset type. */ ++/* Current codeset type. The bit is stored in the __count variable of ++ the conversion state. If the db bit is set, bit 7 and above store ++ a pending UCS-4 code point if non-zero. */ + enum + { +- sb = 0, +- db = 64 ++ sb = 0, /* Single byte mode. */ ++ db = 64 /* Double byte mode. */ + }; + + +@@ -119,21 +138,29 @@ enum + } \ + else \ + { \ +- /* This is a combined character. Make sure we have room. */ \ +- if (__glibc_unlikely (outptr + 8 > outend)) \ +- { \ +- result = __GCONV_FULL_OUTPUT; \ +- break; \ +- } \ +- \ + const struct divide *cmbp \ + = &DB_TO_UCS4_COMB[ch - __TO_UCS4_COMBINED_MIN]; \ + assert (cmbp->res1 != 0 && cmbp->res2 != 0); \ + \ + put32 (outptr, cmbp->res1); \ + outptr += 4; \ +- put32 (outptr, cmbp->res2); \ +- outptr += 4; \ ++ \ ++ /* See whether we have room for the second character. */ \ ++ if (outend - outptr >= 4) \ ++ { \ ++ put32 (outptr, cmbp->res2); \ ++ outptr += 4; \ ++ } \ ++ else \ ++ { \ ++ /* Otherwise store only the first character now, and \ ++ put the second one into the queue. */ \ ++ curcs |= cmbp->res2 << 7; \ ++ inptr += 2; \ ++ /* Tell the caller why we terminate the loop. */ \ ++ result = __GCONV_FULL_OUTPUT; \ ++ break; \ ++ } \ + } \ + } + #else +@@ -153,7 +180,20 @@ enum + #define LOOPFCT FROM_LOOP + #define BODY \ + { \ +- uint32_t ch = *inptr; \ ++ uint32_t ch; \ ++ \ ++ ch = curcs >> 7; \ ++ if (__glibc_unlikely (ch != 0)) \ ++ { \ ++ put32 (outptr, ch); \ ++ outptr += 4; \ ++ /* Remove the pending character, but preserve state bits. */ \ ++ curcs &= (1 << 7) - 1; \ ++ continue; \ ++ } \ ++ \ ++ /* Otherwise read the next input byte. */ \ ++ ch = *inptr; \ + \ + if (__builtin_expect (ch, 0) == SO) \ + { \ +diff --git a/iconvdata/tst-bug33980.c b/iconvdata/tst-bug33980.c +new file mode 100644 +index 0000000000..c9693e0efe +--- /dev/null ++++ b/iconvdata/tst-bug33980.c +@@ -0,0 +1,153 @@ ++/* Test for bug 33980: combining characters in IBM1390/IBM1399. ++ Copyright (C) 2026 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++/* Run iconv in a loop with a small output buffer of OUTBUFSIZE bytes ++ starting at OUTBUF. OUTBUF should be right before an unmapped page ++ so that writing past the end will fault. Skip SHIFT bytes at the ++ start of the input and output, to exercise different buffer ++ alignment. TRUNCATE indicates skipped bytes at the end of ++ input (0 and 1 a valid). */ ++static void ++test_one (const char *encoding, unsigned int shift, unsigned int truncate, ++ char *outbuf, size_t outbufsize) ++{ ++ /* In IBM1390 and IBM1399, the DBCS code 0xECB5 expands to two ++ Unicode code points when translated. */ ++ static char input[] = ++ { ++ /* 8 letters X. */ ++ 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, ++ /* SO, 0xECB5, SI: shift to DBCS, special character, shift back. */ ++ 0x0e, 0xec, 0xb5, 0x0f ++ }; ++ ++ /* Expected output after UTF-8 conversion. */ ++ static char expected[] = ++ { ++ 'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X', ++ /* U+304B (HIRAGANA LETTER KA). */ ++ 0xe3, 0x81, 0x8b, ++ /* U+309A (COMBINING KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK). */ ++ 0xe3, 0x82, 0x9a ++ }; ++ ++ iconv_t cd = iconv_open ("UTF-8", encoding); ++ TEST_VERIFY_EXIT (cd != (iconv_t) -1); ++ ++ char result_storage[64]; ++ struct alloc_buffer result_buf ++ = alloc_buffer_create (result_storage, sizeof (result_storage)); ++ ++ char *inptr = &input[shift]; ++ size_t inleft = sizeof (input) - shift - truncate; ++ ++ while (inleft > 0) ++ { ++ char *outptr = outbuf; ++ size_t outleft = outbufsize; ++ size_t inleft_before = inleft; ++ ++ size_t ret = iconv (cd, &inptr, &inleft, &outptr, &outleft); ++ size_t produced = outptr - outbuf; ++ alloc_buffer_copy_bytes (&result_buf, outbuf, produced); ++ ++ if (ret == (size_t) -1 && errno == E2BIG) ++ { ++ if (produced == 0 && inleft == inleft_before) ++ { ++ /* Output buffer too small to make progress. This is ++ expected for very small output buffer sizes. */ ++ TEST_VERIFY_EXIT (outbufsize < 3); ++ break; ++ } ++ continue; ++ } ++ if (ret == (size_t) -1) ++ FAIL_EXIT1 ("%s (outbufsize %zu): iconv: %m", encoding, outbufsize); ++ break; ++ } ++ ++ /* Flush any pending state (e.g. a buffered combined character). ++ With outbufsize < 3, we could not store the first character, so ++ the second character did not become pending, and there is nothing ++ to flush. */ ++ { ++ char *outptr = outbuf; ++ size_t outleft = outbufsize; ++ ++ size_t ret = iconv (cd, NULL, NULL, &outptr, &outleft); ++ TEST_VERIFY_EXIT (ret == 0); ++ size_t produced = outptr - outbuf; ++ alloc_buffer_copy_bytes (&result_buf, outbuf, produced); ++ ++ /* Second flush does not provide more data. */ ++ outptr = outbuf; ++ outleft = outbufsize; ++ ret = iconv (cd, NULL, NULL, &outptr, &outleft); ++ TEST_VERIFY_EXIT (ret == 0); ++ TEST_VERIFY (outptr == outbuf); ++ } ++ ++ TEST_VERIFY_EXIT (!alloc_buffer_has_failed (&result_buf)); ++ size_t result_used ++ = sizeof (result_storage) - alloc_buffer_size (&result_buf); ++ ++ if (outbufsize >= 3) ++ { ++ TEST_COMPARE (inleft, 0); ++ TEST_COMPARE (result_used, sizeof (expected) - shift); ++ TEST_COMPARE_BLOB (result_storage, result_used, ++ &expected[shift], sizeof (expected) - shift); ++ } ++ else ++ /* If the buffer is too small, only the leading X could be converted. */ ++ TEST_COMPARE (result_used, 8 - shift); ++ ++ TEST_VERIFY_EXIT (iconv_close (cd) == 0); ++} ++ ++static int ++do_test (void) ++{ ++ struct support_next_to_fault ntf ++ = support_next_to_fault_allocate (8); ++ ++ for (int shift = 0; shift <= 8; ++shift) ++ for (int truncate = 0; truncate < 2; ++truncate) ++ for (size_t outbufsize = 1; outbufsize <= 8; outbufsize++) ++ { ++ char *outbuf = ntf.buffer + ntf.length - outbufsize; ++ test_one ("IBM1390", shift, truncate, outbuf, outbufsize); ++ test_one ("IBM1399", shift, truncate, outbuf, outbufsize); ++ } ++ ++ support_next_to_fault_free (&ntf); ++ return 0; ++} ++ ++#include + +commit 12feedaf67e11c4618dc50c6aab4dbfd1e6d9531 +Author: DJ Delorie +Date: Mon Jan 26 22:24:42 2026 -0500 + + include: isolate __O_CLOEXEC flag for sys/mount.h and fcntl.h + + Including sys/mount.h should not implicitly include fcntl.h + as that causes namespace pollution and conflicts with kernel + headers. It only needs O_CLOEXEC for OPEN_TREE_CLOEXEC + (although it shouldn't need that, but it's defined that way) + so we provide that define (via a private version) separately. + + Reviewed-by: Adhemerval Zanella + Tested-by: Florian Weimer + (cherry picked from commit 419245719ccbc7dad6a97f24465e7f09c090327a) + +diff --git a/io/fcntl.c b/io/fcntl.c +index e88e28664c..b7dab1bb39 100644 +--- a/io/fcntl.c ++++ b/io/fcntl.c +@@ -18,6 +18,10 @@ + #include + #include + ++#ifndef __O_CLOEXEC ++# error __O_CLOEXEC not defined by fcntl.h/cloexec.h ++#endif ++ + /* Perform file control operations on FD. */ + int + __fcntl (int fd, int cmd, ...) +diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile +index c47cbdf428..053041f256 100644 +--- a/sysdeps/unix/sysv/linux/Makefile ++++ b/sysdeps/unix/sysv/linux/Makefile +@@ -129,6 +129,7 @@ CFLAGS-test-errno-linux.c += $(no-fortify-source) + + sysdep_headers += \ + bits/a.out.h \ ++ bits/cloexec.h \ + bits/epoll.h \ + bits/eventfd.h \ + bits/inotify.h \ +diff --git a/sysdeps/unix/sysv/linux/alpha/bits/cloexec.h b/sysdeps/unix/sysv/linux/alpha/bits/cloexec.h +new file mode 100644 +index 0000000000..f381f28a53 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/alpha/bits/cloexec.h +@@ -0,0 +1 @@ ++#define __O_CLOEXEC 010000000 +diff --git a/sysdeps/unix/sysv/linux/bits/cloexec.h b/sysdeps/unix/sysv/linux/bits/cloexec.h +new file mode 100644 +index 0000000000..3059fb6473 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/bits/cloexec.h +@@ -0,0 +1 @@ ++#define __O_CLOEXEC 02000000 +diff --git a/sysdeps/unix/sysv/linux/bits/fcntl-linux.h b/sysdeps/unix/sysv/linux/bits/fcntl-linux.h +index f425a4bf22..98954feaca 100644 +--- a/sysdeps/unix/sysv/linux/bits/fcntl-linux.h ++++ b/sysdeps/unix/sysv/linux/bits/fcntl-linux.h +@@ -81,9 +81,7 @@ + #ifndef __O_NOFOLLOW + # define __O_NOFOLLOW 0400000 + #endif +-#ifndef __O_CLOEXEC +-# define __O_CLOEXEC 02000000 +-#endif ++#include + #ifndef __O_DIRECT + # define __O_DIRECT 040000 + #endif +diff --git a/sysdeps/unix/sysv/linux/hppa/bits/cloexec.h b/sysdeps/unix/sysv/linux/hppa/bits/cloexec.h +new file mode 100644 +index 0000000000..f381f28a53 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/hppa/bits/cloexec.h +@@ -0,0 +1 @@ ++#define __O_CLOEXEC 010000000 +diff --git a/sysdeps/unix/sysv/linux/sparc/bits/cloexec.h b/sysdeps/unix/sysv/linux/sparc/bits/cloexec.h +new file mode 100644 +index 0000000000..6706eaa7d5 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/sparc/bits/cloexec.h +@@ -0,0 +1 @@ ++#define __O_CLOEXEC 0x400000 +diff --git a/sysdeps/unix/sysv/linux/sys/mount.h b/sysdeps/unix/sysv/linux/sys/mount.h +index b549e75148..365da1c296 100644 +--- a/sysdeps/unix/sysv/linux/sys/mount.h ++++ b/sysdeps/unix/sysv/linux/sys/mount.h +@@ -21,7 +21,6 @@ + #ifndef _SYS_MOUNT_H + #define _SYS_MOUNT_H 1 + +-#include + #include + #include + #include +@@ -266,6 +265,11 @@ enum fsconfig_command + + /* open_tree flags. */ + #define OPEN_TREE_CLONE 1 /* Clone the target tree and attach the clone */ ++#ifndef O_CLOEXEC ++# include ++# define O_CLOEXEC __O_CLOEXEC ++#endif ++#undef OPEN_TREE_CLOEXEC + #define OPEN_TREE_CLOEXEC O_CLOEXEC /* Close the file on execve() */ + + +diff --git a/sysdeps/unix/sysv/linux/tst-mount.c b/sysdeps/unix/sysv/linux/tst-mount.c +index 40913c7082..78a2772b2f 100644 +--- a/sysdeps/unix/sysv/linux/tst-mount.c ++++ b/sysdeps/unix/sysv/linux/tst-mount.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include /* For AT_ constants. */ + #include + + _Static_assert (sizeof (struct mount_attr) == MOUNT_ATTR_SIZE_VER0, + +commit 3ecfa68561d723564a1fb565366182eb4acb3e8f +Author: Florian Weimer +Date: Wed Mar 4 18:32:36 2026 +0100 + + Linux: Only define OPEN_TREE_* macros in if undefined (bug 33921) + + There is a conditional inclusion of earlier in the file. + If that defines the macros, do not redefine them. This addresses build + problems as the token sequence used by the UAPI macro definitions + changes between Linux versions. + + Reviewed-by: Adhemerval Zanella + (cherry picked from commit d12b017cddfeb9fe9920ba054ae3dfcb8e9238b8) + +diff --git a/sysdeps/unix/sysv/linux/sys/mount.h b/sysdeps/unix/sysv/linux/sys/mount.h +index 365da1c296..30ba56c1e8 100644 +--- a/sysdeps/unix/sysv/linux/sys/mount.h ++++ b/sysdeps/unix/sysv/linux/sys/mount.h +@@ -264,14 +264,16 @@ enum fsconfig_command + #define FSOPEN_CLOEXEC 0x00000001 + + /* open_tree flags. */ +-#define OPEN_TREE_CLONE 1 /* Clone the target tree and attach the clone */ ++#ifndef OPEN_TREE_CLONE ++# define OPEN_TREE_CLONE 1 /* Clone the target tree and attach the clone */ ++#endif + #ifndef O_CLOEXEC + # include + # define O_CLOEXEC __O_CLOEXEC + #endif +-#undef OPEN_TREE_CLOEXEC +-#define OPEN_TREE_CLOEXEC O_CLOEXEC /* Close the file on execve() */ +- ++#ifndef OPEN_TREE_CLOEXEC ++# define OPEN_TREE_CLOEXEC O_CLOEXEC /* Close the file on execve() */ ++#endif + + __BEGIN_DECLS + + +commit 3e87cf9be93acf19d685e8003fc649cdb052a891 +Author: H.J. Lu +Date: Mon Apr 13 10:46:42 2026 +0800 + + abilist.awk: Handle weak unversioned defined symbols + + After + + commit f685e3953f9a38a41bbd0a597f9882870cee13d5 + Author: H.J. Lu + Date: Wed Oct 29 09:49:57 2025 +0800 + + elf: Don't set its DT_VERSYM entry for unversioned symbol + + ld no longer assigns version index 1 to unversioned defined symbol. + For libmachuser.so, "objdump --dynamic-syms" reports: + + 0000dd30 w DF .text 000000f8 processor_start + + instead of + + 0000dd30 w DF .text 000000f8 (Base) processor_start + + Also allow NF == 6 for weak unversioned dynamic symbols. This fixes BZ + 33650. + + Signed-off-by: H.J. Lu + Reviewed-by: Sam James + (cherry picked from commit ee5d1db2a81468413fbf7c82779ffa782f429d1a) + +diff --git a/scripts/abilist.awk b/scripts/abilist.awk +index 6cc7af6ac8..7ea1edf8c0 100644 +--- a/scripts/abilist.awk ++++ b/scripts/abilist.awk +@@ -38,7 +38,7 @@ $4 == "*UND*" { next } + $2 == "l" { next } + + # If the target uses ST_OTHER, it will be output before the symbol name. +-$2 == "g" || $2 == "w" && (NF == 7 || NF == 8) { ++$2 == "g" || $2 == "w" && (NF == 6 || NF == 7 || NF == 8) { + type = $3; + size = $5; + sub(/^0*/, "", size); + +commit b4bca35ab9e76890504c4dbdd5eaf15a93514580 +Author: Rocket Ma +Date: Fri May 1 20:39:07 2026 -0700 + + libio: Fix ungetwc operating on byte stream [BZ #33998] + + * libio/wgenops.c: When _IO_wdefault_pbackfail attempts to push back one + character, it accidently compare the wchar to push back with the last + char from byte stream, instead of wide stream. Under specific coding, + attacker may exploit this to leak information. This commit fix bug + 33998, or CVE-2026-5928. + + Signed-off-by: Rocket Ma + Reviewed-by: Carlos O'Donell + (cherry picked from commit ef3bfb5f910011f3780cb06aa47e730035f53285) + +diff --git a/libio/Makefile b/libio/Makefile +index f020f8ec4d..fa2b8ae791 100644 +--- a/libio/Makefile ++++ b/libio/Makefile +@@ -83,6 +83,7 @@ tests = \ + bug-ungetwc1 \ + bug-ungetwc2 \ + bug-wfflush \ ++ bug-wgenops-bz33998 \ + bug-wmemstream1 \ + bug-wsetpos \ + test-fmemopen \ +diff --git a/libio/bug-wgenops-bz33998.c b/libio/bug-wgenops-bz33998.c +new file mode 100644 +index 0000000000..cc4067da99 +--- /dev/null ++++ b/libio/bug-wgenops-bz33998.c +@@ -0,0 +1,54 @@ ++/* Regression test for ungetwc operating on byte stream (BZ #33998) ++ Copyright (C) 2026 The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include "support/temp_file.h" ++#include "support/xstdio.h" ++#include "support/xunistd.h" ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static int ++do_test (void) ++{ ++ char *filename; ++ int fd = create_temp_file ("tst-bz33998-", &filename); ++ TEST_VERIFY (fd != -1); ++ xwrite (fd, "A", sizeof ("A")); // write "A\0" by design ++ xclose (fd); ++ ++ FILE *fp = xfopen (filename, "r+"); ++ TEST_COMPARE (getwc (fp), L'A'); ++ /* If the bug is fixed, then ungetwc should not touch byte stream. ++ If the bug is not fixed, ungetwc firstly match last read char, L'A', ++ failed, then the pbackfail branch, matching last read char in byte ++ stream, that is, '\0' (initialized when setup wide stream). */ ++ char *old_read_ptr = fp->_IO_read_ptr; ++ TEST_COMPARE (ungetwc (L'\0', fp), L'\0'); ++ TEST_VERIFY (fp->_IO_read_ptr == old_read_ptr); ++ ++ xfclose (fp); ++ free (filename); ++ ++ return 0; ++} ++ ++#include +diff --git a/libio/wgenops.c b/libio/wgenops.c +index 0a11d1b1de..9e0b2c00ea 100644 +--- a/libio/wgenops.c ++++ b/libio/wgenops.c +@@ -108,8 +108,8 @@ _IO_wdefault_pbackfail (FILE *fp, wint_t c) + { + if (fp->_wide_data->_IO_read_ptr > fp->_wide_data->_IO_read_base + && !_IO_in_backup (fp) +- && (wint_t) fp->_IO_read_ptr[-1] == c) +- --fp->_IO_read_ptr; ++ && (wint_t) fp->_wide_data->_IO_read_ptr[-1] == c) ++ --fp->_wide_data->_IO_read_ptr; + else + { + /* Need to handle a filebuf in write mode (switch to read mode). FIXME!*/ + +commit 4ebd33dd77eabe8d4c45232bed4b42a31d2f9edc +Author: Rocket Ma +Date: Fri Apr 17 23:48:41 2026 -0700 + + stdio-common: Fix buffer overflow in scanf %mc [BZ #34008] + + * stdio-common/vfscanf-internal.c: When enlarging allocated buffer with + format %mc or %mC, glibc allocates one byte less, leading to + user-controlled one byte overflow. This commit fixes BZ #34008, or + CVE-2026-5450. + + Reviewed-by: Carlos O'Donell + Signed-off-by: Rocket Ma + Reviewed-by: H.J. Lu + (cherry picked from commit 839898777226a3ed88c0859f25ffe712519b4ead) + +diff --git a/stdio-common/Makefile b/stdio-common/Makefile +index 64b3575acb..e52c333808 100644 +--- a/stdio-common/Makefile ++++ b/stdio-common/Makefile +@@ -347,6 +347,7 @@ tests := \ + tst-vfprintf-user-type \ + tst-vfprintf-width-i18n \ + tst-vfprintf-width-prec-alloc \ ++ tst-vfscanf-bz34008 \ + tst-wc-printf \ + tstdiomisc \ + tstgetln \ +@@ -562,6 +563,9 @@ tst-printf-bz18872-ENV = MALLOC_TRACE=$(objpfx)tst-printf-bz18872.mtrace \ + tst-vfprintf-width-prec-ENV = \ + MALLOC_TRACE=$(objpfx)tst-vfprintf-width-prec.mtrace \ + LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so ++tst-vfscanf-bz34008-ENV = \ ++ MALLOC_CHECK_=3 \ ++ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so + tst-printf-bz25691-ENV = \ + MALLOC_TRACE=$(objpfx)tst-printf-bz25691.mtrace \ + LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so +diff --git a/stdio-common/tst-vfscanf-bz34008.c b/stdio-common/tst-vfscanf-bz34008.c +new file mode 100644 +index 0000000000..48371c8a3d +--- /dev/null ++++ b/stdio-common/tst-vfscanf-bz34008.c +@@ -0,0 +1,48 @@ ++/* Regression test for vfscanf %Nmc out-of-bound write (BZ #34008) ++ Copyright (C) 2026 The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include "malloc/mcheck.h" ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#define WIDTH 0x410 ++#define SCANFSTR "%1040mc" ++static int ++do_test (void) ++{ ++ mcheck_pedantic (NULL); ++ char *input = malloc (WIDTH + 1); ++ TEST_VERIFY (input != NULL); ++ memset (input, 'A', WIDTH); ++ input[WIDTH] = '\0'; ++ ++ char *buf = NULL; ++ TEST_VERIFY (sscanf (input, SCANFSTR, &buf) != -1); ++ TEST_VERIFY (buf != NULL); ++ ++ free (buf); ++ free (input); ++ return 0; ++} ++ ++#include +diff --git a/stdio-common/vfscanf-internal.c b/stdio-common/vfscanf-internal.c +index 86ae5019a6..17b5565d0f 100644 +--- a/stdio-common/vfscanf-internal.c ++++ b/stdio-common/vfscanf-internal.c +@@ -853,8 +853,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr, + { + /* Enlarge the buffer. */ + size_t newsize +- = strsize +- + (strsize >= width ? width - 1 : strsize); ++ = strsize + (strsize >= width ? width : strsize); + + str = (char *) realloc (*strptr, newsize); + if (str == NULL) +@@ -925,7 +924,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr, + && wstr == (wchar_t *) *strptr + strsize) + { + size_t newsize +- = strsize + (strsize > width ? width - 1 : strsize); ++ = strsize + (strsize >= width ? width : strsize); + /* Enlarge the buffer. */ + wstr = (wchar_t *) realloc (*strptr, + newsize * sizeof (wchar_t)); +@@ -980,7 +979,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr, + && wstr == (wchar_t *) *strptr + strsize) + { + size_t newsize +- = strsize + (strsize > width ? width - 1 : strsize); ++ = strsize + (strsize >= width ? width : strsize); + /* Enlarge the buffer. */ + wstr = (wchar_t *) realloc (*strptr, + newsize * sizeof (wchar_t)); diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index a013a2db2f0cd..b6c6a6c864453 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -51,7 +51,7 @@ let version = "2.42"; - patchSuffix = "-61"; + patchSuffix = "-67"; sha256 = "sha256-0XdeMuRijmTvkw9DW2e7Y691may2viszW58Z8WUJ8X8="; in @@ -68,8 +68,8 @@ stdenv.mkDerivation ( patches = [ /* No tarballs for stable upstream branch, only https://sourceware.org/git/glibc.git and using git would complicate bootstrapping. - $ git fetch --all -p && git checkout origin/release/2.40/master && git describe - glibc-2.42-61-ga56a2943d2 + $ git fetch --all -p && git checkout origin/release/2.42/master && git describe + glibc-2.42-67-g4ebd33dd77 $ git show --minimal --reverse glibc-2.42.. ':!ADVISORIES' > 2.42-master.patch To compare the archive contents zdiff can be used. diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix index 52a3ab58ad612..015688e4474b4 100644 --- a/pkgs/development/libraries/libxml2/default.nix +++ b/pkgs/development/libraries/libxml2/default.nix @@ -46,13 +46,13 @@ let }; }; libxml2 = callPackage ./common.nix { - version = "2.15.2"; + version = "2.15.3"; src = fetchFromGitLab { domain = "gitlab.gnome.org"; owner = "GNOME"; repo = "libxml2"; tag = "v${packages.libxml2.version}"; - hash = "sha256-k5dZ75D/BOouYAjrof9Jm2lY29XZhOqS1kudDGmGY9Q="; + hash = "sha256-fDntZDyITs223by8n7ueOXiO7yyzshtANoWbY0+yeqo="; }; extraMeta = { maintainers = with lib.maintainers; [ diff --git a/pkgs/development/libraries/openexr/3.nix b/pkgs/development/libraries/openexr/3.nix index efecd33bef353..a989e883a2b34 100644 --- a/pkgs/development/libraries/openexr/3.nix +++ b/pkgs/development/libraries/openexr/3.nix @@ -13,13 +13,13 @@ stdenv.mkDerivation rec { pname = "openexr"; - version = "3.4.10"; + version = "3.4.11"; src = fetchFromGitHub { owner = "AcademySoftwareFoundation"; repo = "openexr"; rev = "v${version}"; - hash = "sha256-jXio+PvagKTR8NjcYIQ/j8LOMNc/0sQBuaixKk/0V3k="; + hash = "sha256-5dx2tag6XyuJfNfJgc68X+VWKXaHOL3M7ZJEQbQwFDA="; }; outputs = [ diff --git a/pkgs/development/libraries/qt-5/5.15/srcs-generated.json b/pkgs/development/libraries/qt-5/5.15/srcs-generated.json index fd5fcefbff345..57473c4f5a293 100644 --- a/pkgs/development/libraries/qt-5/5.15/srcs-generated.json +++ b/pkgs/development/libraries/qt-5/5.15/srcs-generated.json @@ -1,202 +1,202 @@ { "qt3d": { "url": "https://invent.kde.org/qt/qt/qt3d.git", - "rev": "208f5835e6c2415c9dc5cbe92bba83aa28bab7ea", - "sha256": "0zqvdq5y25b1w7agx5wlr16p1wrx54086r0xcdfg9wx8dayhh1md" + "rev": "c3892c3ee3c0a2b8a050d0a1532f34806636eade", + "sha256": "0y3f4pr0vr7cpwmjxqspv79p7rljgc913fl8nqpv8y2aw8i5r4ly" }, "qtactiveqt": { "url": "https://invent.kde.org/qt/qt/qtactiveqt.git", - "rev": "e4c93bc7cac45bac6bccda3310947e8fe026a9ed", - "sha256": "1qq6jvqkl4ff7sw20pi1mawh5pypv7vxmj56d38z6p06r1azkvls" + "rev": "e85773764374878adc197b6a45ae8ec3ff44dafa", + "sha256": "1sbayayxgjj8jfi3apxw6m8qsmkba0gph2rm1wsnzjsa80zr17ia" }, "qtandroidextras": { "url": "https://invent.kde.org/qt/qt/qtandroidextras.git", - "rev": "4928bd58dbc1cdcf44a7e454e3d4654c3c2016f1", - "sha256": "02rsh60lyl6bn2jhx0ajn43safbi904nhwvdpikanrmdbg0z6dpp" + "rev": "14a14b137f0d794278947e980d99c47e6929e5e2", + "sha256": "0nvyxjm5qfq7sk22rp9hxrf8gvs6jq4i3kww1s0i8lsr69fl9biz" }, "qtbase": { "url": "https://invent.kde.org/qt/qt/qtbase.git", - "rev": "bebdfd54917e25d1c100e6bd9f5dd53c2e645fd8", - "sha256": "0bg36lxngkq2k11bhqdyfvbc1qyqaghwsi446zfn67vxvyxya3hx" + "rev": "fbed962c3195ab3952fa54d40e012ad1a4fdc42b", + "sha256": "1gnbgs7kh0vxjh3spv5g5zaaj1z1b0h8752pqi4lqg6jd1js2bpl" }, "qtcharts": { "url": "https://invent.kde.org/qt/qt/qtcharts.git", - "rev": "1093fb53ced126100d14af30a8adffd29b7ef855", - "sha256": "0cnlg59l743milkki8mjbrfd4cx5ycbqw73apcrnrsag9dqdbw41" + "rev": "16e9aff210cd4de7192adfc6cd91cdd44ba45a3d", + "sha256": "02virkb7h8hhkdsqpv2qg3lly4msf648f7421z10acxhin6ypw5i" }, "qtconnectivity": { "url": "https://invent.kde.org/qt/qt/qtconnectivity.git", - "rev": "f1be05c8efeb65b77a8bfd21763ab55bb5c04906", - "sha256": "1vl7wfw9sd8qfl8ixzl5wz4v5km5zdf9bii53q3pw4f2lplsralq" + "rev": "7e29434e06372efbb2127d0ef41538ff9aec1597", + "sha256": "1wv9bh13rq6mnnzsh6g88a2kj2j4nfv83vqpbdxmyavdf349pwdj" }, "qtdatavis3d": { "url": "https://invent.kde.org/qt/qt/qtdatavis3d.git", - "rev": "d9b988d3c5f9f34b97f3a9ac1347bfb55464cd60", - "sha256": "09jk32kw7wgcrd117a9lsm5w7jszsdhdslk10qn631wz203zbs4i" + "rev": "b52063032fda9af894ca0e582774364ce8caf0f8", + "sha256": "1zbfx7hqh1ydi2vx8pj6dxlrrc7wf8sqcwxzx8acphdyj66zcmch" }, "qtdeclarative": { "url": "https://invent.kde.org/qt/qt/qtdeclarative.git", - "rev": "1189557a50f11e7bc5716467a149cd09987a9f88", - "sha256": "0cd89d8i8chy1j1yanp1cq5s7467qr24b9c7cx9qw0nb0rf6f8qr" + "rev": "5bc1ac07b2d2c7839368084a4bb97e4c67eb8294", + "sha256": "0xpq0xjiscx72dcyg0lpr90ag5q7gypzcqnwbsnh401jrxn2pll1" }, "qtdoc": { "url": "https://invent.kde.org/qt/qt/qtdoc.git", - "rev": "ddb2afda6f713259fc8d95fb22a1c96bb448c36a", - "sha256": "0nk2vwl0ppix794xzj8nqrhsc333v8v4vr1rmwddymwlrdqlqd5d" + "rev": "385efd460ec13a465765fc30dd11217ae46d1846", + "sha256": "0djflkibfgjp8gr16hiv6nipj4q4xyclgv84f3d951dj2q7779v6" }, "qtgamepad": { "url": "https://invent.kde.org/qt/qt/qtgamepad.git", - "rev": "269fc0731f6838a1c02877a83c0ada23659c69fc", - "sha256": "06jhby671yzbj753yb0lnk4bv2r0nxxibq7fq1yljxdms0rc72iz" + "rev": "9b69ae558f0f9feffe30b0aa8993e270dfcc81ff", + "sha256": "056b39r4jsag5d7f5m04vmpydvnwpfs5mcynsdx717qdginlmiam" }, "qtgraphicaleffects": { "url": "https://invent.kde.org/qt/qt/qtgraphicaleffects.git", - "rev": "dfb2e7b2c98a9b7185c300d0b92b4048f5d89ba5", - "sha256": "1sn46lmq0y56mw0q11sgaijr2vg1wpp6lj237finp6vr3bji2816" + "rev": "551732fb1d963e53af437e3982a010f69eb76253", + "sha256": "1pyjb66nhlhin6ysm4005ng4m2ak857ai761rqx8l2h4fscgwvhf" }, "qtimageformats": { "url": "https://invent.kde.org/qt/qt/qtimageformats.git", - "rev": "c91e4c63c1eaf1e23806d9df10e3d5a9ae353c1d", - "sha256": "0q0vcymiqfyz8sfs9wdkhhwff55acj2rsmrb8w6yikmwcmcxp2a3" + "rev": "4076e38d68f05f5e1bcdedb79442d9008f18702c", + "sha256": "1kgvs3jgs2qysrx2kr4vn68h9gjv6ir1nd4hg0m2fbsjk644aa8w" }, "qtlocation": { "url": "https://invent.kde.org/qt/qt/qtlocation.git", - "rev": "ba48a8b5cedd157d972c08d371ac2581db166bf7", - "sha256": "00kwv405qq9q8fcwar33s2wvs1dm10fb8plxbz1q0jqcjs2ips6x" + "rev": "81f560be2274958011c255efa1d2d573874bed11", + "sha256": "1lpxngppxkhych9pkkcvw7ypw02cd324pw0z9hd9kqcd803p2017" }, "qtlottie": { "url": "https://invent.kde.org/qt/qt/qtlottie.git", - "rev": "27ed5a3c95a0810a96fac2a8661ea94d8ea3c44e", - "sha256": "04ivyxnn8d3pkjsbx0gwyj3f5if4m4cih6wyavm8bd2m2kkszx35" + "rev": "5f1be885cf4ee0f1eb5400bf0c5d138818fc01d0", + "sha256": "01880y8r2acnzfg09qm031kx99vp3zjv3zi38sh17shgcipx1fxp" }, "qtmacextras": { "url": "https://invent.kde.org/qt/qt/qtmacextras.git", - "rev": "fc7e9f41d9cec2df05c1d38d6e55d3a0d501dd25", - "sha256": "07q1arvdjwmbrayp2b213b8gqm4psczhx9z1m83invwmbs8iqj07" + "rev": "722060e4edff268feb2dda1298a7837c90f6262f", + "sha256": "1fqw1p6vx3gqw1sf1yk4cz1cb3d1xrbjq0p22gi0pspll314c8x0" }, "qtmultimedia": { "url": "https://invent.kde.org/qt/qt/qtmultimedia.git", - "rev": "ff83d119c75cd8406f73ccc08958fe36747e7390", - "sha256": "09jadnvphilcxxy85dlsr8a6x5w32r1c2hrbh93qbvvf9zlg60ld" + "rev": "8ddc44103baf166525d6650c842d7f08f651e7bb", + "sha256": "0akj2d8b6kdy125ggs9cd7pra3vm47frqpn6p756jafsxylkqwbh" }, "qtnetworkauth": { "url": "https://invent.kde.org/qt/qt/qtnetworkauth.git", - "rev": "510687fa4fdee84dd3d6d166e8f080c484016199", - "sha256": "0a8abmql94wxpfvdj5a1rnh3xsd49c5z8x93hm311sgjkd0aajx7" + "rev": "d1ce24a72122c315e3d190c9ebc26ed603b90057", + "sha256": "1wcw26x38k619xavrwav21w0vrzb24bn6ncxllcwd9bdn7vvn1wr" }, "qtpurchasing": { "url": "https://invent.kde.org/qt/qt/qtpurchasing.git", - "rev": "8e9a5ec9f68639162c85c198b28e072e7150883c", - "sha256": "04pmwqnw907dg0hpas0pdrh2fxcqn2mvqz82b1vkviksg8ny3saw" + "rev": "b471c6ca3edfa5ba459b8694622825b9e776bed6", + "sha256": "1plwpxasiw2sx76a294i4i92vk5g5gaigjfy284jpmaargxsyd7k" }, "qtquick3d": { "url": "https://invent.kde.org/qt/qt/qtquick3d.git", - "rev": "47a325358078b72016081a86be628411df2728a9", - "sha256": "18h309g6ni6y4bcss930g04z8ymhl2nfm3sv5s4h2fz3dl0xsqwr" + "rev": "4e85bd063c726f015dc8afb05834de7a71bf6a1b", + "sha256": "0k6wjkr2jyc1v6xrm34dnlbbdnippiph5jxzjxawlxijzzvmgcp5" }, "qtquickcontrols": { "url": "https://invent.kde.org/qt/qt/qtquickcontrols.git", - "rev": "0c3c18bf8bdac1ef1afdb8aade903edb5c2bc041", - "sha256": "0h8bhrbgfcf7nbfppah8lxnhvygc09983qrvp935r5sw7251km4d" + "rev": "af7fc486c8910b51733e1c7e758d50ca1a158b36", + "sha256": "1nbgpnz2qi8g24cmli25a9319vgqmk9vgngb12q2j8c8k3nlhhfs" }, "qtquickcontrols2": { "url": "https://invent.kde.org/qt/qt/qtquickcontrols2.git", - "rev": "e464888c53a641ee44a34ff2350cfb156c8ed59f", - "sha256": "08lnqz6v48j1hi6dpll7a052p6r5qfb32md16fppqzn6g5jg9ir2" + "rev": "5b808e0995d018c6de9f075d4a61f58d3641c11b", + "sha256": "1a65j06nzlxl1hmdh5li1gglcrqms0g560c2cj9vqzqm551krdj8" }, "qtquicktimeline": { "url": "https://invent.kde.org/qt/qt/qtquicktimeline.git", - "rev": "43130f2681b76a8d743a04704465b716b6b2faee", - "sha256": "1z1avxxq9d9nzqyxy5pq5maj73cf6dvsn5k83p3sf5kq3x0y75cj" + "rev": "ea9d6c4d5a0a172b4778e8f37d694d02aab83f37", + "sha256": "0170n0mcrf8phh3nsg2f904p8vxwmw8lks48zkpnbvyrj4gzqcr2" }, "qtremoteobjects": { "url": "https://invent.kde.org/qt/qt/qtremoteobjects.git", - "rev": "b2740a7c7f5b6ac810240404a947ca5cff9de5f7", - "sha256": "1jxlwc2y165fxdalcr4iqq55gsg5x4nxqd8wdq3dc1824yfnzm6i" + "rev": "48d10f341279e08c1bc4abb764c2d3ab9a259a51", + "sha256": "0523n172f96w474y804sanppfx2zkgsm342vwa6ailrcfkjw8v58" }, "qtscxml": { "url": "https://invent.kde.org/qt/qt/qtscxml.git", - "rev": "57491f554bc53bd020978b5744437b7ac7e56a27", - "sha256": "00mvwgb3xr116nl7649zq7ai2074clzw760c140sy91zqgqkjsx4" + "rev": "edc6f0dd5e806cced1937b2b853717f588e14fd2", + "sha256": "1072slgrvy910mxxqsvf7fgi237mjnbd2b8amw1srqzqj2bmnsj3" }, "qtsensors": { "url": "https://invent.kde.org/qt/qt/qtsensors.git", - "rev": "50a61b360877e7c1300df76b5aabf8d75554a398", - "sha256": "0giqwn4grg9999y31avh7ajsv9gkcfzf0xndx8bvv79si0wp59g6" + "rev": "8c6d11df60d4d783869c2d81568e3178f5ae75ce", + "sha256": "18jc5nncmpmbf758mcj9wj6dfn87hl51zp0ihqcvk6k6a8ra6l7p" }, "qtserialbus": { "url": "https://invent.kde.org/qt/qt/qtserialbus.git", - "rev": "c23069351ec31563c9ea9fcdce42ccdba95ea518", - "sha256": "1qgxlgnl53gabrfqihxwygdbdiqjvn2hfajmwb3h44srpq0srk33" + "rev": "6734222bccc5541f9527281c810c6b5f8fdd092f", + "sha256": "0ragq01wdwqwqp9720i3xan3a4xnkkvgc8gjy1wgwmdrs0mlb49z" }, "qtserialport": { "url": "https://invent.kde.org/qt/qt/qtserialport.git", - "rev": "b64a7eeda9b6a65b5ed01b1b40b07177f0aa4c0f", - "sha256": "134mn0njfvmzgrf325bikazkiq4xdn5wjhj56kxh1hhaz3q25hyp" + "rev": "ca1f2486527e7acf87d466062c035845f9774573", + "sha256": "0xdywglxh9sxs2s60shwf6c4m5w20h77l9d58rganqwpbrh49vkj" }, "qtspeech": { "url": "https://invent.kde.org/qt/qt/qtspeech.git", - "rev": "aa2376f9b1302222edcd16b4641bbd7004318c00", - "sha256": "0vcxgkymzhaw01f26zlny4bka9k829rwzkwk95rr3dfq7wlyxshz" + "rev": "a384f0d4fb8a2d0743d5dfdf12e40f6d76f8714c", + "sha256": "0imn7jskjvz30xnbg1z8wxkcw82hb6v92xls327385wxxj0a5i6r" }, "qtsvg": { "url": "https://invent.kde.org/qt/qt/qtsvg.git", - "rev": "b74f7291f343dcbcb487b020868f042d8fe83098", - "sha256": "1n0sjn8h5k2sh8p2a85cxdpqbnd63gz4rf9wwbshhd13w623f9s8" + "rev": "d2abfb9cb1f036446e5913fadb0f065dab9f0159", + "sha256": "048lbk25rbfbd2c8pbsifdxjcxb2003hi04lfsmgh7xr27x55gch" }, "qttools": { "url": "https://invent.kde.org/qt/qt/qttools.git", - "rev": "fa40a2d3373b89be0cd0a43fe0c1d047e3d34058", - "sha256": "06kr88gmwc7xh1whdbcg84y1naak5rv99jkscjbhzyz3z91xy7hl" + "rev": "3e3ab58b40734a1b9bbb7e72b2969d1f752351b1", + "sha256": "18dmmw1r13in7h90y3637jw3sc2pvv33bfr1bs11dyp951spw8d3" }, "qttranslations": { "url": "https://invent.kde.org/qt/qt/qttranslations.git", - "rev": "3cbcceb8e3e2e63a4022f1be946c7118c527a83e", - "sha256": "15lw5snqfkwwcsazh02lhiia39gy08nfijdpkzvll2qvg4b58zkn" + "rev": "388e4f32ed4b28d92bd61b917ba0e6b910e2784d", + "sha256": "1k76zl5c1x9q8kid3sjv4d66wy9ryl24fyiabrg32c7nbn53pbd4" }, "qtvirtualkeyboard": { "url": "https://invent.kde.org/qt/qt/qtvirtualkeyboard.git", - "rev": "859d2a6ee329cc08414410b2ef8c0af77a6853d3", - "sha256": "06sdpcanzp1a71d99rjivrbjp780mvwssc4w1sap2gskcmmgkwbs" + "rev": "4fc9919ee3fad1d520d0921ba3069dca3c34ff78", + "sha256": "12kn69l34s1r6s9w7cw9l5524kwrx8xrxwbx4hw059jns1pqac0d" }, "qtwayland": { "url": "https://invent.kde.org/qt/qt/qtwayland.git", - "rev": "df49b9f3badce793a0a9ea850cf1a02cc5bafef6", - "sha256": "01xm2r1pv7kxb4aj72ldfzmax6d799h6bj4h2xhpcii812wf5lda" + "rev": "605b8bc942ab263b9d1892af33a81b408f522ccc", + "sha256": "09vrd62ikxzjpv6awi7n34pswg4w5yvmac5ckc6ma6rqvps7mbip" }, "qtwebchannel": { "url": "https://invent.kde.org/qt/qt/qtwebchannel.git", - "rev": "2a157921861e651f43456cb7941b250c89feb736", - "sha256": "1w58b602f20mppd0zfr9yvfdn1xwfkfclnjs0p5mgymq6d946dyk" + "rev": "6a20afaeba182ce6e3faee592e1e85a0d3ec0fc6", + "sha256": "18jfxpasn47qd4glkgvps7nzm07dag6w9jbkq9l7fzbkpcbnqykb" }, "qtwebglplugin": { "url": "https://invent.kde.org/qt/qt/qtwebglplugin.git", - "rev": "b9aaac72d0853ba48f6bfd710a43df94d83d4701", - "sha256": "07zx55f52jgk31bm6c68iydknrih245ndnvz714l6kxw66fv4rjq" + "rev": "2a8ce0a61b4b9e892d948948182d935fa6792a1b", + "sha256": "10n50frndssj3vmmhghlw48dn0c9b26zgkgjvkza8x234j9dijv2" }, "qtwebsockets": { "url": "https://invent.kde.org/qt/qt/qtwebsockets.git", - "rev": "0f910acb737cefc889ce1088fc60d15bc18efe9c", - "sha256": "1ba9ll28hznd6qpjjiqvc2z6gaz2qgq7105dd0w810xpbaiixy0a" + "rev": "10eb706b24aa05f4ee69c2f2fec99b21994dfe2b", + "sha256": "1k01s4qkpzsjy7lygb0nhniym6g7yinih3sc16l3kljkabw44rx0" }, "qtwebview": { "url": "https://invent.kde.org/qt/qt/qtwebview.git", - "rev": "34342073a59f3a27ef3de02f6b21337c4f8db6cf", - "sha256": "1h6n7dkd6mjclxllyw2brz8wv4d68dx2ykckbwb3bkxyd6rmg1f6" + "rev": "043cb7c0eaf8d1bcee56a62d6a102f727a22fcbc", + "sha256": "0ha0ksbxm21hj37z7yk3f09ncgchw78cpcrxv56a205i2f04370d" }, "qtwinextras": { "url": "https://invent.kde.org/qt/qt/qtwinextras.git", - "rev": "5e5ae2b77078dbe51fb798743de606e6f9a5e19d", - "sha256": "04x8ax197z0dr01nxrb6bh4q8c077ny5n812fx5mq56l54v2m1ks" + "rev": "0704d01ff1218c2f32a194e38005e625c579222c", + "sha256": "0fsfrs770cia9i9ijvx1jyh0mjiza1cn1l7fm1a877h2qbd20l9f" }, "qtx11extras": { "url": "https://invent.kde.org/qt/qt/qtx11extras.git", - "rev": "c44c4fa86fa0794c25baef4ee1f6272aca8c511a", - "sha256": "0287cvs9wqlzz6gnj81gi8rp50s2rdnigcmld3fgddsg8f3v7hdj" + "rev": "6695a3df4460577b3fcb5546b45a0c5cb3addac4", + "sha256": "1xjdicq8kf6816hgnz4hc7ykcfngispm8xzv3bxacf98zicmy9rm" }, "qtxmlpatterns": { "url": "https://invent.kde.org/qt/qt/qtxmlpatterns.git", - "rev": "0b644263abca66503db1ce8a4e126cf358a34685", - "sha256": "1b1zzglvcdp7wvlpgk1gj8gmyy2r21yi6p8xiyvbccq5bbjpn0hw" + "rev": "ed3b333aa56ac193e969725e3c34be9070441271", + "sha256": "0s0z9dbivrq5pva6psfcfclw4816zb1rlr9ns03lf286iy196368" } } diff --git a/pkgs/development/libraries/qt-5/5.15/srcs.nix b/pkgs/development/libraries/qt-5/5.15/srcs.nix index 87a7bb97707df..ec5fdc9d5646e 100644 --- a/pkgs/development/libraries/qt-5/5.15/srcs.nix +++ b/pkgs/development/libraries/qt-5/5.15/srcs.nix @@ -5,7 +5,7 @@ }: let - version = "5.15.18"; + version = "5.15.19"; mk = name: args: { inherit version; diff --git a/pkgs/development/libraries/qt-6/fetch.sh b/pkgs/development/libraries/qt-6/fetch.sh index 73d170689480a..bd94b3ae2c487 100644 --- a/pkgs/development/libraries/qt-6/fetch.sh +++ b/pkgs/development/libraries/qt-6/fetch.sh @@ -1 +1 @@ -WGET_ARGS=( https://download.qt.io/official_releases/qt/6.11/6.11.0/submodules/ -A '*.tar.xz' ) +WGET_ARGS=( https://download.qt.io/official_releases/qt/6.11/6.11.1/submodules/ -A '*.tar.xz' ) diff --git a/pkgs/development/libraries/qt-6/modules/qtbase/default.nix b/pkgs/development/libraries/qt-6/modules/qtbase/default.nix index fa3ae210d2811..df428b92f64ee 100644 --- a/pkgs/development/libraries/qt-6/modules/qtbase/default.nix +++ b/pkgs/development/libraries/qt-6/modules/qtbase/default.nix @@ -246,11 +246,6 @@ stdenv.mkDerivation { # don't pass qtbase's QML directory to qmlimportscanner if it's empty ./skip-missing-qml-directory.patch - # backport crash fix - (fetchpatch { - url = "https://github.com/qt/qtbase/commit/1466f88633b2c29a6159a0c2eacd0c0d6601aa5e.diff"; - hash = "sha256-ubDAXF47SYagRAJ5SYyBxXl2PiHjAZo3xlYPDz1jRYM="; - }) # another crash fix (fetchpatch { url = "https://github.com/qt/qtbase/commit/515cbbacfba9f4259c9c3b0714a31222c2b4c879.diff"; diff --git a/pkgs/development/libraries/qt-6/modules/qtdeclarative/default.nix b/pkgs/development/libraries/qt-6/modules/qtdeclarative/default.nix index 786229c5651b3..2f19e06a67fa2 100644 --- a/pkgs/development/libraries/qt-6/modules/qtdeclarative/default.nix +++ b/pkgs/development/libraries/qt-6/modules/qtdeclarative/default.nix @@ -43,6 +43,12 @@ qtModule { hash = "sha256-ESy35OlmsvI4yFQ/rFT8oelOUBCwCmlcbQJvwcTrCig="; revert = true; }) + + # backport fix recommended by KDE + (fetchpatch { + url = "https://github.com/qt/qtdeclarative/commit/8a2c82be6ad90e3f2a0760d8bab1e3a8cdb2473a.diff"; + hash = "sha256-3KbyoQPAiRyCwGnwwYV3y0yz2i6UAJcX70EPsXV0ZZM="; + }) ]; cmakeFlags = [ diff --git a/pkgs/development/libraries/qt-6/modules/qtmqtt.nix b/pkgs/development/libraries/qt-6/modules/qtmqtt.nix index effea1d03ab42..c70d2cbd1f881 100644 --- a/pkgs/development/libraries/qt-6/modules/qtmqtt.nix +++ b/pkgs/development/libraries/qt-6/modules/qtmqtt.nix @@ -6,13 +6,13 @@ qtModule rec { pname = "qtmqtt"; - version = "6.11.0"; + version = "6.11.1"; src = fetchFromGitHub { owner = "qt"; repo = "qtmqtt"; tag = "v${version}"; - hash = "sha256-7X+HWAftWHn40RPFQD3/f+bp00LQk8Vsb871WfxdZSE="; + hash = "sha256-GWaF4iCPtATL1mJkPHVY0rom8R2FMNWGahE3KWBlfV8="; }; propagatedBuildInputs = [ qtbase ]; diff --git a/pkgs/development/libraries/qt-6/srcs.nix b/pkgs/development/libraries/qt-6/srcs.nix index 73067dc5fd5c4..93c206858d18d 100644 --- a/pkgs/development/libraries/qt-6/srcs.nix +++ b/pkgs/development/libraries/qt-6/srcs.nix @@ -4,339 +4,339 @@ { qt3d = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qt3d-everywhere-src-6.11.0.tar.xz"; - sha256 = "086xpissihbil51ryl83dlcpkpv3pp3ryj0712x9k9z6756j7ks0"; - name = "qt3d-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qt3d-everywhere-src-6.11.1.tar.xz"; + sha256 = "01q11bs7vjz1s5wdrdjq904dgl2m6l7r8d3vd2kyf7lx0j78qvd6"; + name = "qt3d-everywhere-src-6.11.1.tar.xz"; }; }; qt5compat = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qt5compat-everywhere-src-6.11.0.tar.xz"; - sha256 = "0gn6sj136y8yl1c00nbm81rmhws0mgx35ny7llx74j97ddj58ag6"; - name = "qt5compat-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qt5compat-everywhere-src-6.11.1.tar.xz"; + sha256 = "06qndy534rzabxk9yq07dsl8fj1vd72lmck11r5xbajil3d9zjyg"; + name = "qt5compat-everywhere-src-6.11.1.tar.xz"; }; }; qtactiveqt = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtactiveqt-everywhere-src-6.11.0.tar.xz"; - sha256 = "1kbqa0gx41s097281g4zym9jmjs2ffc75p3rgkbs6bvnlrvl0h89"; - name = "qtactiveqt-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtactiveqt-everywhere-src-6.11.1.tar.xz"; + sha256 = "05hcnhxkajry4ha7ykmqr83p16qjipspwxid8l2rxgz80wy6aadv"; + name = "qtactiveqt-everywhere-src-6.11.1.tar.xz"; }; }; qtbase = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtbase-everywhere-src-6.11.0.tar.xz"; - sha256 = "0pkmrd8ypw1v21cx0890gc6z4v0xr5qip2jnr56r2kc6g5cxh6i3"; - name = "qtbase-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtbase-everywhere-src-6.11.1.tar.xz"; + sha256 = "1b616gr7k8byfr2ns4vczs4kj3sznhlrlw9inpb3m8la48qllnfr"; + name = "qtbase-everywhere-src-6.11.1.tar.xz"; }; }; qtcanvaspainter = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtcanvaspainter-everywhere-src-6.11.0.tar.xz"; - sha256 = "1gmgzmh81wrnj81xsmilqwhc1wv7j2avg91mww8jlrv5rplzynjl"; - name = "qtcanvaspainter-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtcanvaspainter-everywhere-src-6.11.1.tar.xz"; + sha256 = "1l08zp68q3wcr9v5hh82kw6jqvc1wmnrjn7h9959psx520dwcdly"; + name = "qtcanvaspainter-everywhere-src-6.11.1.tar.xz"; }; }; qtcharts = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtcharts-everywhere-src-6.11.0.tar.xz"; - sha256 = "1dcldlw24qd9swynxcdsxnk8haiv442wx323j7qgfwjp13a9nh5c"; - name = "qtcharts-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtcharts-everywhere-src-6.11.1.tar.xz"; + sha256 = "0p2icmrwb6am7x2kgk9pnpa8ypi7jiscyaawgi0x31iaihqyvqrz"; + name = "qtcharts-everywhere-src-6.11.1.tar.xz"; }; }; qtconnectivity = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtconnectivity-everywhere-src-6.11.0.tar.xz"; - sha256 = "0fhrqqz58h3smkksfgnax73bmsiz7q9a1w9vhwd83vs9r0jc3w60"; - name = "qtconnectivity-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtconnectivity-everywhere-src-6.11.1.tar.xz"; + sha256 = "14g5h0wixqy981cnn5f8gkjbji804f18gfjkzbanxd0lljg2h191"; + name = "qtconnectivity-everywhere-src-6.11.1.tar.xz"; }; }; qtdatavis3d = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtdatavis3d-everywhere-src-6.11.0.tar.xz"; - sha256 = "1jr3bkvp4wj1jdafc64ziq4raxbya6jk6s0d4mq0w2kr7zpqrggf"; - name = "qtdatavis3d-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtdatavis3d-everywhere-src-6.11.1.tar.xz"; + sha256 = "1b4kcqfq5q79lm70f08qiksxl36laa9dgx9ladjk2xwl1af7n6hy"; + name = "qtdatavis3d-everywhere-src-6.11.1.tar.xz"; }; }; qtdeclarative = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtdeclarative-everywhere-src-6.11.0.tar.xz"; - sha256 = "1sgxxmg49flana7mylyz4c5mf5hr00kzl8nkwwj87pqx8dlybv2f"; - name = "qtdeclarative-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtdeclarative-everywhere-src-6.11.1.tar.xz"; + sha256 = "193ar0fcfzjjr7mi8i2622vip95qrr3qry949d9lyc5hf3v71rjj"; + name = "qtdeclarative-everywhere-src-6.11.1.tar.xz"; }; }; qtdoc = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtdoc-everywhere-src-6.11.0.tar.xz"; - sha256 = "1wwl2vr1qs2lqmz45iqpkzkxqp97g0yzfmz0kb5wpi8sys7c07bx"; - name = "qtdoc-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtdoc-everywhere-src-6.11.1.tar.xz"; + sha256 = "1hd5z6prx2sbr3wxzkynrn2iyjllvkids505l2xg3p272j4b5306"; + name = "qtdoc-everywhere-src-6.11.1.tar.xz"; }; }; qtgraphs = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtgraphs-everywhere-src-6.11.0.tar.xz"; - sha256 = "0nxifvs5042pzyd5syhgpmxzsq07fhpbbm57ckwzsn55q14cnvyz"; - name = "qtgraphs-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtgraphs-everywhere-src-6.11.1.tar.xz"; + sha256 = "0qh43qxqg4biyrrsd78nmi4dm3dnbswa95cq8db2k3lans517cc4"; + name = "qtgraphs-everywhere-src-6.11.1.tar.xz"; }; }; qtgrpc = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtgrpc-everywhere-src-6.11.0.tar.xz"; - sha256 = "0yd8jjxigaynv386f3cs1i743nm7yngciw346xqfil3chd8wpvcx"; - name = "qtgrpc-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtgrpc-everywhere-src-6.11.1.tar.xz"; + sha256 = "0l52w91hd2crq6zyh5a8arv07yixnwcr2pya74bxpk2hqpq08ys3"; + name = "qtgrpc-everywhere-src-6.11.1.tar.xz"; }; }; qthttpserver = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qthttpserver-everywhere-src-6.11.0.tar.xz"; - sha256 = "16wqglm8ws63qs7i769xy94bygwbhkz7hjfw27hnps7d4yirb41b"; - name = "qthttpserver-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qthttpserver-everywhere-src-6.11.1.tar.xz"; + sha256 = "01p7li9fvwnz2shx3d9wj9nnnnipya2q0whchyvgjqb8yzy71gq4"; + name = "qthttpserver-everywhere-src-6.11.1.tar.xz"; }; }; qtimageformats = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtimageformats-everywhere-src-6.11.0.tar.xz"; - sha256 = "1j0cjj7gxjbprszw349janl3zk38rkby1bmxil329zp2qlmb1bfk"; - name = "qtimageformats-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtimageformats-everywhere-src-6.11.1.tar.xz"; + sha256 = "04y4pa5krrpyiqn039d6m8bzcxj6pa1m850rz3bmw5xc8ml6rgxj"; + name = "qtimageformats-everywhere-src-6.11.1.tar.xz"; }; }; qtlanguageserver = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtlanguageserver-everywhere-src-6.11.0.tar.xz"; - sha256 = "1gq5yjvk6iyg606pgpxkb136qlz9hpb7ngll81nhiyb1ym1y9j0v"; - name = "qtlanguageserver-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtlanguageserver-everywhere-src-6.11.1.tar.xz"; + sha256 = "1vwavpi8swgs88pfjfddnb9cmsb4k1sjcgywp2rsnm6ay8vqa02h"; + name = "qtlanguageserver-everywhere-src-6.11.1.tar.xz"; }; }; qtlocation = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtlocation-everywhere-src-6.11.0.tar.xz"; - sha256 = "1vxb6n8xf98zcg2bw29gsaqa74sg6jn9ilzs8c5b9q79i9m3if49"; - name = "qtlocation-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtlocation-everywhere-src-6.11.1.tar.xz"; + sha256 = "06z4hbiqki5chhmph131s71czyrjpnjvy3rxb4560vwy55vwx49p"; + name = "qtlocation-everywhere-src-6.11.1.tar.xz"; }; }; qtlottie = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtlottie-everywhere-src-6.11.0.tar.xz"; - sha256 = "02ndplkk4bq01b0fh9l2ykw09v0k5nbsayrs9wcjwrdwg5law8rg"; - name = "qtlottie-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtlottie-everywhere-src-6.11.1.tar.xz"; + sha256 = "0y969gp64imwh49d5zbnw0wi2yva9fsp6qn58617rs9kvkdzml70"; + name = "qtlottie-everywhere-src-6.11.1.tar.xz"; }; }; qtmultimedia = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtmultimedia-everywhere-src-6.11.0.tar.xz"; - sha256 = "0h30l8zflkla7rcshgs0jfjbjwvq9rqx0wq83f6vd0x9lz0cmi4h"; - name = "qtmultimedia-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtmultimedia-everywhere-src-6.11.1.tar.xz"; + sha256 = "02lvq1jk6m67m6z0w7vdzxhzmi441j8avvp79mfclfpfvm98w3rr"; + name = "qtmultimedia-everywhere-src-6.11.1.tar.xz"; }; }; qtnetworkauth = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtnetworkauth-everywhere-src-6.11.0.tar.xz"; - sha256 = "1mqly8had79f54dlygh42jr0c0jfiv4j4w2rbr0s7qx9nk9ig342"; - name = "qtnetworkauth-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtnetworkauth-everywhere-src-6.11.1.tar.xz"; + sha256 = "0gan2qjv97d1387jqaiis2gigm6lz5jbk1k10x13w0yc5kr5n7cz"; + name = "qtnetworkauth-everywhere-src-6.11.1.tar.xz"; }; }; qtopenapi = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtopenapi-everywhere-src-6.11.0.tar.xz"; - sha256 = "1h2pcq6i72yic0r7ns36vj678d1xqy291jamqd6b6jkjddmj1hlg"; - name = "qtopenapi-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtopenapi-everywhere-src-6.11.1.tar.xz"; + sha256 = "0nzl95w5pbfd6mfb6rzv6arz09pcm6siz1n07pgm9rrdr6z083a4"; + name = "qtopenapi-everywhere-src-6.11.1.tar.xz"; }; }; qtpositioning = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtpositioning-everywhere-src-6.11.0.tar.xz"; - sha256 = "1scnnz65qyfg0nl9vjkqcss8xsw3yf91w71d9p1kwlfybscd07yn"; - name = "qtpositioning-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtpositioning-everywhere-src-6.11.1.tar.xz"; + sha256 = "1xbq1xjjbhb41lfp9mli8a5rgqf5pniswv0161v6wa5f04cbkrnm"; + name = "qtpositioning-everywhere-src-6.11.1.tar.xz"; }; }; qtquick3d = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquick3d-everywhere-src-6.11.0.tar.xz"; - sha256 = "1549gdb3yxj1bpl54kgnkkhzjx0zxqi71ssp4rj6qnz56fxh085l"; - name = "qtquick3d-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquick3d-everywhere-src-6.11.1.tar.xz"; + sha256 = "0vs5bcz62r32gin0g4lb6wdmqrv0ypzar1s9wsza98la7zg8asy7"; + name = "qtquick3d-everywhere-src-6.11.1.tar.xz"; }; }; qtquick3dphysics = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquick3dphysics-everywhere-src-6.11.0.tar.xz"; - sha256 = "0dcx9913xss435cijx5bzckvsn66qfi6c39rx0gyv9iiys76qym5"; - name = "qtquick3dphysics-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquick3dphysics-everywhere-src-6.11.1.tar.xz"; + sha256 = "1bvrmjb6m0ynq00ybdghvkbmwm237vff23ng8n4njysf05pns26i"; + name = "qtquick3dphysics-everywhere-src-6.11.1.tar.xz"; }; }; qtquickeffectmaker = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquickeffectmaker-everywhere-src-6.11.0.tar.xz"; - sha256 = "05fpv497rmx2lw7gx05sxyxjwx8gq8fbbnkzhnw73pk2xqzq20mc"; - name = "qtquickeffectmaker-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquickeffectmaker-everywhere-src-6.11.1.tar.xz"; + sha256 = "0sqk8hkkdibv0ayxrvpcbgj3dcwfngpd6qjp2xm15pcbx1q3xrng"; + name = "qtquickeffectmaker-everywhere-src-6.11.1.tar.xz"; }; }; qtquicktimeline = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquicktimeline-everywhere-src-6.11.0.tar.xz"; - sha256 = "1micycw7m25gw0bgbfq7bnr7cg7qrjj2r69320rglc8lak6f3nq6"; - name = "qtquicktimeline-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquicktimeline-everywhere-src-6.11.1.tar.xz"; + sha256 = "09wcx83yxif8r4v81h2jfj3wlj60wnc9k4dsp7hlah4yzm1zclxg"; + name = "qtquicktimeline-everywhere-src-6.11.1.tar.xz"; }; }; qtremoteobjects = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtremoteobjects-everywhere-src-6.11.0.tar.xz"; - sha256 = "15yykbaxqc6v2flgjvn92w7gwfvi820dg4cxkjxcfhpix2m21571"; - name = "qtremoteobjects-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtremoteobjects-everywhere-src-6.11.1.tar.xz"; + sha256 = "06hiiyjpcgn8dp9jmgxj30nlrw73rqb869f0m63scccmqsarhqj0"; + name = "qtremoteobjects-everywhere-src-6.11.1.tar.xz"; }; }; qtscxml = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtscxml-everywhere-src-6.11.0.tar.xz"; - sha256 = "1rylchpvzldy7hhr3icr85w8m4hf7wch17yqh368yrn3q19klf3c"; - name = "qtscxml-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtscxml-everywhere-src-6.11.1.tar.xz"; + sha256 = "0gr0j09isxgii3aivfvr35x40d9n0kj0g2icc7g7bzniwm2m4jcf"; + name = "qtscxml-everywhere-src-6.11.1.tar.xz"; }; }; qtsensors = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtsensors-everywhere-src-6.11.0.tar.xz"; - sha256 = "1iy33w7gjp06xi4342si979q9w84cvbbk90kxmk2gx69icjjja21"; - name = "qtsensors-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtsensors-everywhere-src-6.11.1.tar.xz"; + sha256 = "13ygry3lybkgci6gkrd7k081l01icavzkiyy4g82drbvv9i70q93"; + name = "qtsensors-everywhere-src-6.11.1.tar.xz"; }; }; qtserialbus = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtserialbus-everywhere-src-6.11.0.tar.xz"; - sha256 = "1qfs9zqvz3hf16w8gg6nlwxcv6sz72546pds02dabhkcw47nqvmh"; - name = "qtserialbus-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtserialbus-everywhere-src-6.11.1.tar.xz"; + sha256 = "02pj4jnxc4afl5ymv7w8asggpg0hdj3dbnwwcqd305b8il69qv64"; + name = "qtserialbus-everywhere-src-6.11.1.tar.xz"; }; }; qtserialport = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtserialport-everywhere-src-6.11.0.tar.xz"; - sha256 = "111pmva70mcffhq09q2h1gcr03fivs9j2ywx4ib00pbyxfvr4ii6"; - name = "qtserialport-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtserialport-everywhere-src-6.11.1.tar.xz"; + sha256 = "0x1r5l3kx7riprf0b2api0bcg0z755fq9vbgmx7px6pxiy4imwws"; + name = "qtserialport-everywhere-src-6.11.1.tar.xz"; }; }; qtshadertools = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtshadertools-everywhere-src-6.11.0.tar.xz"; - sha256 = "0jp1sb9pl7y821awln7rpk0hz7d5ipwnkqhy51caich9i2pb2g74"; - name = "qtshadertools-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtshadertools-everywhere-src-6.11.1.tar.xz"; + sha256 = "1z42r414jid12jmhm1yf5kw44j886w01igav0kggkg13kcphax90"; + name = "qtshadertools-everywhere-src-6.11.1.tar.xz"; }; }; qtspeech = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtspeech-everywhere-src-6.11.0.tar.xz"; - sha256 = "08fv8v6rvcv0pa6r52kr2na2rcpjr3yk556ksinnh6aslv8qbid9"; - name = "qtspeech-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtspeech-everywhere-src-6.11.1.tar.xz"; + sha256 = "051z4yf22hkqhy3pkgxq8s77x06k4cd70i9jcmd8f99004cc6df0"; + name = "qtspeech-everywhere-src-6.11.1.tar.xz"; }; }; qtsvg = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtsvg-everywhere-src-6.11.0.tar.xz"; - sha256 = "1rih59jsn0wq12gq5gbs1cz9by27x2x4wjpd0ya7s207pr9xda6z"; - name = "qtsvg-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtsvg-everywhere-src-6.11.1.tar.xz"; + sha256 = "154adaicyy5wyz6yc95g3lm4iw9v2zdsd7l5qp107gr490pz0g3z"; + name = "qtsvg-everywhere-src-6.11.1.tar.xz"; }; }; qttasktree = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qttasktree-everywhere-src-6.11.0.tar.xz"; - sha256 = "0kxkm3qvzw5i5x2ads6skpz8z6shbn2msznmr614yvsdgiga4yjr"; - name = "qttasktree-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qttasktree-everywhere-src-6.11.1.tar.xz"; + sha256 = "1mjdwy3i24ggn2g82z5pg3grzhnaxmq7nmvdc7ba8dsdixzvjam2"; + name = "qttasktree-everywhere-src-6.11.1.tar.xz"; }; }; qttools = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qttools-everywhere-src-6.11.0.tar.xz"; - sha256 = "0xpwv483zrw3jkajhv9sbr7bm95qahxg770vn1jqk10hg8yrkcfg"; - name = "qttools-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qttools-everywhere-src-6.11.1.tar.xz"; + sha256 = "03gmr9zpf0raqcvqk2cpw9lblw907hsl5cb5c2fgm4wwcxd86qcf"; + name = "qttools-everywhere-src-6.11.1.tar.xz"; }; }; qttranslations = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qttranslations-everywhere-src-6.11.0.tar.xz"; - sha256 = "0mpy3y76n1jw2prhad9rqyn48miqlmqg3581jgzr4s1iwhpqpx2l"; - name = "qttranslations-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qttranslations-everywhere-src-6.11.1.tar.xz"; + sha256 = "0xsnxhiqc3ybwvyn1jbhdf1sjmcf7v4mma6w9sxwg535420jrh1p"; + name = "qttranslations-everywhere-src-6.11.1.tar.xz"; }; }; qtvirtualkeyboard = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtvirtualkeyboard-everywhere-src-6.11.0.tar.xz"; - sha256 = "11p6m1s7r7q2y6a2ak5lyzfd2907s2skfa630snf64x32cblp2nq"; - name = "qtvirtualkeyboard-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtvirtualkeyboard-everywhere-src-6.11.1.tar.xz"; + sha256 = "073y02qmpwxxdqc4pkm6k9frghsjg1zppg2hip5b4hv269xrdim1"; + name = "qtvirtualkeyboard-everywhere-src-6.11.1.tar.xz"; }; }; qtwayland = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwayland-everywhere-src-6.11.0.tar.xz"; - sha256 = "0dsdv1d4p1wf0sqd26cmj486bvwlprmqzmjddsw24agrc3kyc477"; - name = "qtwayland-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwayland-everywhere-src-6.11.1.tar.xz"; + sha256 = "1cyr5frhglp2krxvpnqk9q426rgp6nr34ngnxpa42m7p0ajqly4m"; + name = "qtwayland-everywhere-src-6.11.1.tar.xz"; }; }; qtwebchannel = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebchannel-everywhere-src-6.11.0.tar.xz"; - sha256 = "097vm6pxh18bil9ld9cxg50v861nyhaha4f6bjfjqph1icx18ip9"; - name = "qtwebchannel-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebchannel-everywhere-src-6.11.1.tar.xz"; + sha256 = "10ld2nh6gd1v2ssbgqlf6w0lsjlqkjdfwqv85mn5krnnf45vbyv9"; + name = "qtwebchannel-everywhere-src-6.11.1.tar.xz"; }; }; qtwebengine = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebengine-everywhere-src-6.11.0.tar.xz"; - sha256 = "0dk72k92zp19jkph1vl88l2dyrh105v6cycsxln1anfxnb423fb3"; - name = "qtwebengine-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebengine-everywhere-src-6.11.1.tar.xz"; + sha256 = "10vhcvw8j60n0mf38bi3fjcx5v1i0cbfyn4wbqhzqn61qv66d737"; + name = "qtwebengine-everywhere-src-6.11.1.tar.xz"; }; }; qtwebsockets = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebsockets-everywhere-src-6.11.0.tar.xz"; - sha256 = "0cnh67ncfh0gvpqfiqhr0cpmswq9zysza130axlmh69mzg8i17sn"; - name = "qtwebsockets-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebsockets-everywhere-src-6.11.1.tar.xz"; + sha256 = "1gvgci383dfm4sljqlapdiva7jhks1i2z2ayck0wbj1436hklgi4"; + name = "qtwebsockets-everywhere-src-6.11.1.tar.xz"; }; }; qtwebview = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebview-everywhere-src-6.11.0.tar.xz"; - sha256 = "1cy4x331h0f4d5l8c18xrvdq6hwz7r16qd1xhr8gdm8j9bcsw3nb"; - name = "qtwebview-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebview-everywhere-src-6.11.1.tar.xz"; + sha256 = "0g8k4xs7b0s474x00ds4i8q9b164icdgrdg8ngln10nmf3pwhqld"; + name = "qtwebview-everywhere-src-6.11.1.tar.xz"; }; }; } diff --git a/pkgs/development/libraries/science/math/openblas/default.nix b/pkgs/development/libraries/science/math/openblas/default.nix index 9d5d2b4449fdd..4acddd306b5f8 100644 --- a/pkgs/development/libraries/science/math/openblas/default.nix +++ b/pkgs/development/libraries/science/math/openblas/default.nix @@ -170,7 +170,7 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "openblas"; - version = "0.3.32"; + version = "0.3.33"; outputs = [ "out" @@ -181,7 +181,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "OpenMathLib"; repo = "OpenBLAS"; rev = "v${finalAttrs.version}"; - hash = "sha256-D0Wu5Ew72aTqSjj970yOfAwPg1T4Qm6zmpaGlQ/5Q1k="; + hash = "sha256-EArf0K2Gs+w8IRD5wkMOQv79e8yMoTgQfa9kzjXKn3Y="; }; patches = [ @@ -190,13 +190,13 @@ stdenv.mkDerivation (finalAttrs: { # INCLUDEDIR already fixed in upstream HEAD & significant refactor # to config gen so not PRing changes ./cmake-include-fixes.patch - # Fix build on LoongArch (error: '_Float16' is not supported on this target) + # This was an attempted fix for the below commit but still leaves some scipy tests failing. (fetchpatch { - url = "https://github.com/OpenMathLib/OpenBLAS/commit/7086a1b075ca317e12cfe79d40a32ad342a30496.patch"; - hash = "sha256-pA3HK2f2MJr/+h/uale7edIYk/KH194EscYFcsujPXY="; + url = "https://github.com/OpenMathLib/OpenBLAS/commit/e3ce4623c299068bbd47c35ee87aab334bac73b1.patch"; + revert = true; + hash = "sha256-WrP3RCDk/EbpqVOw9XGLnFI+6/bBGJTIrt2TRYGLVQ4="; }) # This commit led to miscompilation of certain ASIMD extensions code paths. - # There was an attempted fix in upstream but this still leaves some scipy tests failing. (fetchpatch { url = "https://github.com/OpenMathLib/OpenBLAS/commit/3f6e928d34aca977bd5d4191e6d2c2338a342.patch"; revert = true; diff --git a/pkgs/development/python-modules/aiodns/default.nix b/pkgs/development/python-modules/aiodns/default.nix index 54b67a88be19a..21251500362e9 100644 --- a/pkgs/development/python-modules/aiodns/default.nix +++ b/pkgs/development/python-modules/aiodns/default.nix @@ -8,14 +8,14 @@ buildPythonPackage (finalAttrs: { pname = "aiodns"; - version = "4.0.0"; + version = "4.0.4"; pyproject = true; src = fetchFromGitHub { owner = "saghul"; repo = "aiodns"; tag = "v${finalAttrs.version}"; - hash = "sha256-/iYkhzN01+NaUfMXaM39IvlEKfoKc29+f0S4y0y3GG8="; + hash = "sha256-TLiiSRhZaEbHeyrQPk8uvj10VEttRanYEgkBy7DxH4Y="; }; build-system = [ setuptools ]; diff --git a/pkgs/development/python-modules/asgi-csrf/default.nix b/pkgs/development/python-modules/asgi-csrf/default.nix index f3ec2670d6f81..9c36730fd74c4 100644 --- a/pkgs/development/python-modules/asgi-csrf/default.nix +++ b/pkgs/development/python-modules/asgi-csrf/default.nix @@ -49,6 +49,8 @@ buildPythonPackage rec { pythonImportsCheck = [ "asgi_csrf" ]; meta = { + # https://github.com/simonw/asgi-csrf/issues/38 + broken = lib.versionAtLeast python-multipart.version "0.0.26"; description = "ASGI middleware for protecting against CSRF attacks"; license = lib.licenses.asl20; homepage = "https://github.com/simonw/asgi-csrf"; diff --git a/pkgs/development/python-modules/cfn-lint/default.nix b/pkgs/development/python-modules/cfn-lint/default.nix index db06eac381553..70a2968acfe8e 100644 --- a/pkgs/development/python-modules/cfn-lint/default.nix +++ b/pkgs/development/python-modules/cfn-lint/default.nix @@ -69,6 +69,13 @@ buildPythonPackage rec { "test_update_docs" ]; + disabledTestPaths = [ + # unexpected exit code afer nodejs_24 24.16.0 update + "test/integration/test_quickstart_templates.py::TestQuickStartTemplates::test_templates" + "test/integration/test_quickstart_templates_non_strict.py::TestQuickStartTemplates::test_module_integration" + "test/integration/test_quickstart_templates_non_strict.py::TestQuickStartTemplates::test_templates" + ]; + pythonImportsCheck = [ "cfnlint" ]; meta = { diff --git a/pkgs/development/python-modules/django/5.nix b/pkgs/development/python-modules/django/5.nix index 3a7274793a2bd..273b61da19c95 100644 --- a/pkgs/development/python-modules/django/5.nix +++ b/pkgs/development/python-modules/django/5.nix @@ -41,14 +41,14 @@ buildPythonPackage rec { pname = "django"; - version = "5.2.14"; + version = "5.2.15"; pyproject = true; src = fetchFromGitHub { owner = "django"; repo = "django"; tag = version; - hash = "sha256-gb/4WL2VLoqRucpXuKyPsMSwKZ6gaxy5JA7QTeeazjk="; + hash = "sha256-K9yFHr3IkVNMqoeumESszVlju2fW2r8hS8z6M2OdVpE="; }; patches = [ diff --git a/pkgs/development/python-modules/fastapi/default.nix b/pkgs/development/python-modules/fastapi/default.nix index 9d5aea8559e58..3e29f81a9da26 100644 --- a/pkgs/development/python-modules/fastapi/default.nix +++ b/pkgs/development/python-modules/fastapi/default.nix @@ -45,14 +45,14 @@ buildPythonPackage rec { pname = "fastapi"; - version = "0.135.3"; + version = "0.136.3"; pyproject = true; src = fetchFromGitHub { owner = "tiangolo"; repo = "fastapi"; tag = version; - hash = "sha256-sE5d+MgmP9L+MUosRBsR+KSJkcC9i2EOOtKHq0sXjRM="; + hash = "sha256-lfmk8ZveKPukEEfwWq2mKtWmOHAtVzGuE5BsOskDzh0="; }; build-system = [ pdm-backend ]; diff --git a/pkgs/development/python-modules/fasthtml/default.nix b/pkgs/development/python-modules/fasthtml/default.nix index 3f47dd2ce5a75..12b9b77c04355 100644 --- a/pkgs/development/python-modules/fasthtml/default.nix +++ b/pkgs/development/python-modules/fasthtml/default.nix @@ -31,14 +31,14 @@ buildPythonPackage (finalAttrs: { pname = "fasthtml"; - version = "0.12.48"; + version = "0.13.3"; pyproject = true; src = fetchFromGitHub { owner = "AnswerDotAI"; repo = "fasthtml"; tag = finalAttrs.version; - hash = "sha256-lMAuIw4sMkS3XSG/0Bs0iQPSjMusbmjUKv0w4cINwas="; + hash = "sha256-PS5HGegC6pG/bJAGrKDsRYguBnNS9EDrZIjWvjErO4M="; }; build-system = [ diff --git a/pkgs/development/python-modules/frictionless/default.nix b/pkgs/development/python-modules/frictionless/default.nix index 80013e731fd4e..68edce923de38 100644 --- a/pkgs/development/python-modules/frictionless/default.nix +++ b/pkgs/development/python-modules/frictionless/default.nix @@ -195,7 +195,8 @@ buildPythonPackage rec { openpyxl xlrd ] - ++ lib.concatAttrValues optional-dependencies; + # datasette is transitively broken by asgi-csrf + ++ lib.concatAttrValues (lib.removeAttrs optional-dependencies [ "datasette" ]); disabledTestPaths = [ # Requires optional dependencies that have not been packaged (commented out above) diff --git a/pkgs/development/python-modules/mistune/default.nix b/pkgs/development/python-modules/mistune/default.nix index a130857e1a71e..8cdfa4023ded4 100644 --- a/pkgs/development/python-modules/mistune/default.nix +++ b/pkgs/development/python-modules/mistune/default.nix @@ -8,14 +8,14 @@ buildPythonPackage rec { pname = "mistune"; - version = "3.2.0"; + version = "3.2.1"; pyproject = true; src = fetchFromGitHub { owner = "lepture"; repo = "mistune"; tag = "v${version}"; - hash = "sha256-rUEZNVuMT5+GsMakrkK6rshKSKtTTN72kK92AmQ8bl8="; + hash = "sha256-8AEEh/SWAk/Esq0jAoZGLw1FIQUw6C5Xq8CgnI2fjv0="; }; build-system = [ setuptools ]; diff --git a/pkgs/development/python-modules/paramiko/default.nix b/pkgs/development/python-modules/paramiko/default.nix index 156fae9d96d04..6350ba2e5a8a5 100644 --- a/pkgs/development/python-modules/paramiko/default.nix +++ b/pkgs/development/python-modules/paramiko/default.nix @@ -30,6 +30,7 @@ buildPythonPackage rec { dependencies = [ bcrypt cryptography + invoke pynacl ]; @@ -39,7 +40,6 @@ buildPythonPackage rec { gssapi ]; ed25519 = [ ]; - invoke = [ invoke ]; }; nativeCheckInputs = [ diff --git a/pkgs/development/python-modules/pillow-heif/default.nix b/pkgs/development/python-modules/pillow-heif/default.nix index eea442596817a..cc00832bb662c 100644 --- a/pkgs/development/python-modules/pillow-heif/default.nix +++ b/pkgs/development/python-modules/pillow-heif/default.nix @@ -77,6 +77,17 @@ buildPythonPackage rec { disabledTests = [ # Time sensitive speed test, not reproducible "test_decode_threads" + # Tests failing with libheif 1.22.0. To be removed in the next release + # https://github.com/bigcat88/pillow_heif/issues/424 + # these check what happens when the ispe is not valid + "test_numpy_array_invalid_ispe" + "test_allow_incorrect_headers" + "test_invalid_ispe_ok" + "test_invalid_ispe_allow" + "test_invalid_ispe_stride" + "test_invalid_ispe_stride_pillow" + # disable version check for libheif + "test_libheif_info" ] ++ lib.optionals stdenv.hostPlatform.isDarwin [ # https://github.com/bigcat88/pillow_heif/issues/89 diff --git a/pkgs/development/python-modules/pyjwt/default.nix b/pkgs/development/python-modules/pyjwt/default.nix index 1d18045a863c9..74754630a145f 100644 --- a/pkgs/development/python-modules/pyjwt/default.nix +++ b/pkgs/development/python-modules/pyjwt/default.nix @@ -13,14 +13,14 @@ buildPythonPackage rec { pname = "pyjwt"; - version = "2.12.1"; + version = "2.13.0"; pyproject = true; src = fetchFromGitHub { owner = "jpadilla"; repo = "pyjwt"; tag = version; - hash = "sha256-wgOa5JhQT82ppoad6s8gPH7tGRNbbVWmJaaDF84d+r0="; + hash = "sha256-q4ynXCJVDsyZh70439dloyWgRTLVm+elDOahUVOT5vA="; }; outputs = [ diff --git a/pkgs/development/python-modules/python-multipart/default.nix b/pkgs/development/python-modules/python-multipart/default.nix index 4781d391f0a21..ed476d568dd85 100644 --- a/pkgs/development/python-modules/python-multipart/default.nix +++ b/pkgs/development/python-modules/python-multipart/default.nix @@ -2,10 +2,8 @@ lib, buildPythonPackage, fetchFromGitHub, - fetchpatch, hatchling, pytestCheckHook, - mock, pyyaml, # for passthru.tests @@ -18,32 +16,22 @@ buildPythonPackage (finalAttrs: { pname = "python-multipart"; - version = "0.0.22"; + version = "0.0.29"; pyproject = true; src = fetchFromGitHub { owner = "Kludex"; repo = "python-multipart"; tag = finalAttrs.version; - hash = "sha256-UegnwGxiXQalbp18t1dl2JOQH6BY975cpBa9uo3SOuk="; + hash = "sha256-1aV7gWLuulINesm3L8Wm3+prmeD9+OY/ihm36rtQPRs="; }; - patches = [ - (fetchpatch { - name = "CVE-2026-40347-part-1.patch"; - url = "https://github.com/Kludex/python-multipart/commit/6a7b76dd2653d99d8e5981d7ff09a4a047750b37.patch"; - hash = "sha256-W1nyYMMoaf+lsNze3ppPeAXN+swG1dScDibazePSt+k="; - }) - ./CVE-2026-40347-part-2.patch - ]; - build-system = [ hatchling ]; pythonImportsCheck = [ "python_multipart" ]; nativeCheckInputs = [ pytestCheckHook - mock pyyaml ]; diff --git a/pkgs/development/python-modules/starlette/default.nix b/pkgs/development/python-modules/starlette/default.nix index 219ce1e8b7a79..e66a5cf7a80d8 100644 --- a/pkgs/development/python-modules/starlette/default.nix +++ b/pkgs/development/python-modules/starlette/default.nix @@ -27,14 +27,14 @@ buildPythonPackage rec { pname = "starlette"; - version = "0.52.1"; + version = "1.1.0"; pyproject = true; src = fetchFromGitHub { owner = "encode"; repo = "starlette"; tag = version; - hash = "sha256-XPAeRnh9a0A1/5VGZzzGQBhlBsih1VR8QmFdkxG5cQE="; + hash = "sha256-9iQXlpA1VDGw1c7X1zJPmJ3Dub46PwqrVIX1+fWOZ7M="; }; build-system = [ hatchling ]; diff --git a/pkgs/development/python-modules/valkey/default.nix b/pkgs/development/python-modules/valkey/default.nix index 5674542e90165..dcccacb7d569c 100644 --- a/pkgs/development/python-modules/valkey/default.nix +++ b/pkgs/development/python-modules/valkey/default.nix @@ -40,11 +40,20 @@ buildPythonPackage rec { }; patches = [ + # valkey 9.0 compat (fetchpatch { - # valkey 9.0 compat url = "https://github.com/valkey-io/valkey-py/commit/c01505e547f614f278b882a016557b6ed652bb9f.patch"; hash = "sha256-rvA65inIioqdc+QV4KaaUv1I/TMZUq0TWaFJcJiy8NU="; }) + # valkey 9.1 compat + (fetchpatch { + url = "https://github.com/valkey-io/valkey-py/commit/df5c44903dc8e2dda733e5576324ba0ff8c4c6a0.patch"; + hash = "sha256-0wsWuaOYWBgf6BjlJuciZYRbugYfchTU2khQX7rtRJg="; + }) + (fetchpatch { + url = "https://github.com/valkey-io/valkey-py/commit/046c7fb9e8260c2d69d05141b1519903c4e40efe.patch"; + hash = "sha256-/yN1y0hbmBR6o6ab4h0qkn/qhU6jASOIeqWhxUi5w/I="; + }) ]; build-system = [ setuptools ]; diff --git a/pkgs/development/python-modules/xmltodict/default.nix b/pkgs/development/python-modules/xmltodict/default.nix index 9d1c01842a420..bd22bc108bbe4 100644 --- a/pkgs/development/python-modules/xmltodict/default.nix +++ b/pkgs/development/python-modules/xmltodict/default.nix @@ -8,14 +8,14 @@ buildPythonPackage rec { pname = "xmltodict"; - version = "1.0.2"; + version = "1.0.4"; pyproject = true; src = fetchFromGitHub { owner = "martinblech"; repo = "xmltodict"; tag = "v${version}"; - hash = "sha256-gnTNkh0GLfRmjMsLhfvpNrewfinNOhem0i3wzIZvKpA="; + hash = "sha256-G7hVtS6toUJC0YY1AXBOJSc3wnAZyWilLnT/5vvFRRw="; }; build-system = [ setuptools ]; diff --git a/pkgs/development/web/nodejs/nodejs.nix b/pkgs/development/web/nodejs/nodejs.nix index 343be8e147919..5fd5eeac69191 100644 --- a/pkgs/development/web/nodejs/nodejs.nix +++ b/pkgs/development/web/nodejs/nodejs.nix @@ -47,7 +47,7 @@ uvwasi, zlib, zstd, - icu, + icu78, bash, ninja, pkgconf, @@ -274,7 +274,7 @@ let # that use bash wrappers, e.g. polaris-web. buildInputs = [ bash - icu + icu78 ] ++ builtins.attrValues sharedLibDeps; diff --git a/pkgs/development/web/nodejs/v24.nix b/pkgs/development/web/nodejs/v24.nix index 69004825bea27..914ab1479370a 100644 --- a/pkgs/development/web/nodejs/v24.nix +++ b/pkgs/development/web/nodejs/v24.nix @@ -23,8 +23,8 @@ let [ ]; in buildNodejs { - version = "24.15.0"; - sha256 = "a4f653d79ed140aaad921e8c22a3b585ca85cfdab80d4030f6309e4663a8a1c8"; + version = "24.16.0"; + sha256 = "2ff84a6de70b6165290111b0fc656ded1ad207a799816fe720cc7c31232df30f"; patches = ( if (stdenv.hostPlatform.emulatorAvailable buildPackages) then @@ -56,13 +56,6 @@ buildNodejs { ./use-correct-env-in-tests.patch ./bin-sh-node-run-v22.patch ./use-nix-codesign.patch - # https://github.com/NixOS/nixpkgs/pull/507974#issuecomment-4249433124 - # OpenSSL reports different errors - # https://github.com/nodejs/node/pull/62629 - (fetchpatch2 { - url = "https://github.com/nodejs/node/commit/dd25d8f29d3ddadcf5a5ebfdf98ece55f9df96c6.patch?full_index=1"; - hash = "sha256-6cxRN7TyWmJgUZt3jp2YXbVIjrDb2BNep5LxBOtT3Q0="; - }) # Patch for nghttp2 1.69 support (fetchpatch2 { diff --git a/pkgs/kde/plasma/plasma-workspace/default.nix b/pkgs/kde/plasma/plasma-workspace/default.nix index d7a60c7853185..26211754685f2 100644 --- a/pkgs/kde/plasma/plasma-workspace/default.nix +++ b/pkgs/kde/plasma/plasma-workspace/default.nix @@ -25,6 +25,7 @@ libqalculate, pipewire, gpsd, + fetchpatch, }: mkKdeDerivation { pname = "plasma-workspace"; @@ -42,6 +43,12 @@ mkKdeDerivation { # stop accidentally duplicating fontconfig configs ./fontconfig.patch + + # backport qt 6.11.1 regression workaround + (fetchpatch { + url = "https://invent.kde.org/plasma/plasma-workspace/-/commit/31a64dfa1a71ab1b6a495f2f44132c86858acb8f.diff"; + hash = "sha256-j+AEdDlutDuXmYdK8BJH8bgDF9gieCkbFJK8di+9nxk="; + }) ]; outputs = [ diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index f0fb666cd8de3..4d91ed2e72a54 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -201,13 +201,13 @@ let in stdenv.mkDerivation (finalAttrs: { inherit pname; - version = "260.1"; + version = "260.2"; src = fetchFromGitHub { owner = "systemd"; repo = "systemd"; rev = "v${finalAttrs.version}"; - hash = "sha256-FUKj3lvjz8TIsyu8NyJYtiNele+1BhdJPdw7r7nW6as="; + hash = "sha256-NXmmSV7/9WIW6C8wjdOwaerCy4v7Zcrd8+XDzcS8rEk="; }; # PATCH POLICY diff --git a/pkgs/tools/compression/bzip2/default.nix b/pkgs/tools/compression/bzip2/default.nix index de15b36aef1ce..11d964fd2f067 100644 --- a/pkgs/tools/compression/bzip2/default.nix +++ b/pkgs/tools/compression/bzip2/default.nix @@ -30,6 +30,9 @@ stdenv.mkDerivation ( patchFlags = [ "-p0" ]; patches = [ + # https://sourceware.org/cgit/bzip2/patch/?id=35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 + ./patches/CVE-2026-42250.patch + ./patches/bzip2-1.0.6.2-autoconfiscated.patch ]; # Fix up hardcoded version from the above patch, e.g. seen in bzip2.pc or libbz2.so.1.0.N diff --git a/pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch b/pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch new file mode 100644 index 0000000000000..db16326cdeb70 --- /dev/null +++ b/pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch @@ -0,0 +1,34 @@ +From 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Thu, 28 May 2026 16:15:45 +0200 +Subject: bzip2recover: Make sure to not process more than + BZ_MAX_HANDLED_BLOCKS + +There is an off-by-one in the check before calling tooManyBlocks. This +causes the scanning loop to run one more time and cause a possible +read or write one past the global bStart, bEnd, rbStart and rbEnd +buffers. There are no known exploits of this issue and you will need +to compile with something like gcc -fsanitize=address (ASAN +AddressSanitizer) to observe the faulty read/write. + +This has been assigned CVE-2026-42250. +--- + bzip2recover.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git bzip2recover.c bzip2recover.c +index a8131e0..4b1c219 100644 +--- bzip2recover.c ++++ bzip2recover.c +@@ -402,7 +402,7 @@ Int32 main ( Int32 argc, Char** argv ) + rbEnd[rbCtr] = bEnd[currBlock]; + rbCtr++; + } +- if (currBlock >= BZ_MAX_HANDLED_BLOCKS) ++ if (currBlock >= BZ_MAX_HANDLED_BLOCKS - 1) + tooManyBlocks(BZ_MAX_HANDLED_BLOCKS); + currBlock++; + +-- +cgit + diff --git a/pkgs/tools/text/gnupatch/default.nix b/pkgs/tools/text/gnupatch/default.nix index 99a801c4cc8ef..188ac323543f3 100644 --- a/pkgs/tools/text/gnupatch/default.nix +++ b/pkgs/tools/text/gnupatch/default.nix @@ -15,8 +15,10 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-+Hzuae7CtPy/YKOWsDCtaqNBXxkqpffuhMrV4R9/WuM="; }; - # This test is filesystem-dependent - observed failing on ZFS - postPatch = lib.optionalString stdenv.hostPlatform.isFreeBSD '' + # This test is filesystem-dependent - observed failing on ZFS. + # It is also just plain flaky: it has been observed failing about 10% + # of the time on btrfs and ext4 too. + postPatch = '' sed -E -i -e '/bad-filenames/d' tests/Makefile.am ''; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index e1f46c269394a..7056a9abe702a 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -6527,8 +6527,8 @@ with pkgs; zunclient = with python313Packages; toPythonApplication python-zunclient; inherit (callPackages ../by-name/li/libressl { }) - libressl_4_1 libressl_4_2 + libressl_4_3 ; openssl = openssl_3_6; diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix index 5b7a40a4a6dc8..33583a11471c5 100644 --- a/pkgs/top-level/perl-packages.nix +++ b/pkgs/top-level/perl-packages.nix @@ -16662,12 +16662,12 @@ with self; }; }; - HTTPDaemon = buildPerlPackage { + HTTPDaemon = buildPerlModule { pname = "HTTP-Daemon"; - version = "6.16"; + version = "6.17"; src = fetchurl { - url = "mirror://cpan/authors/id/O/OA/OALDERS/HTTP-Daemon-6.16.tar.gz"; - hash = "sha256-s40JJyXm+k4MTcKkfhVwcEkbr6Db4Wx4o1joBqp+Fz0="; + url = "mirror://cpan/authors/id/O/OA/OALDERS/HTTP-Daemon-6.17.tar.gz"; + hash = "sha256-FigVgMQOIxCNAoQ0aYtdfVNje/kEyd+CJIHiU8vskgw="; }; buildInputs = [ ModuleBuildTiny