diff --git a/pkgs/applications/graphics/ImageMagick/7.0.nix b/pkgs/applications/graphics/ImageMagick/7.0.nix
index 5e0605bce9a..ce1dbc8e3e8 100644
--- a/pkgs/applications/graphics/ImageMagick/7.0.nix
+++ b/pkgs/applications/graphics/ImageMagick/7.0.nix
@@ -18,13 +18,13 @@ in
 stdenv.mkDerivation rec {
 pname = "imagemagick";
- version = "7.1.0-4";
+ version = "7.1.0-5";
 src = fetchFromGitHub {
 owner = "ImageMagick";
 repo = "ImageMagick";
 rev = version;
- sha256 = "sha256-CvrSeoKaTigR+4egelwLRr2++CQ5OWUePwX9e1/G1GM=";
+ sha256 = "sha256-iXE3kVpJHMuZ+H6aaZ1GuOUHnP0lO/Q1F5yK8sPPS3M=";
 };
 outputs = [ "out" "dev" "doc" ]; # bin/ isn't really big
diff --git a/pkgs/applications/networking/sync/rsync/base.nix b/pkgs/applications/networking/sync/rsync/base.nix
index 3479458088e..39ce5d3a7ea 100644
--- a/pkgs/applications/networking/sync/rsync/base.nix
+++ b/pkgs/applications/networking/sync/rsync/base.nix
@@ -1,4 +1,4 @@
-{ lib, fetchurl }:
+{ lib, fetchurl, fetchpatch }:
 rec {
 version = "3.2.3";
@@ -12,6 +12,13 @@ rec {
 url = "mirror://samba/rsync/rsync-patches-${version}.tar.gz";
 sha256 = "1wj21v57v135n6fnmlm2dxmb9lhrrg62jgkggldp1gb7d6s4arny";
 };
+ extraPatches = [
+ (fetchpatch {
+ name = "CVE-2020-14387.patch";
+ url = "https://git.samba.org/?p=rsync.git;a=patch;h=c3f7414;hp=4c4fce51072c9189cfb11b52aa54fed79f5741bd";
+ sha256 = "000lyx48lns84p53nsdlr45mb9558lrvnsz3yic0y3z6h2izv82x";
+ })
+ ];
 meta = with lib; {
 description = "Fast incremental file transfer utility";
diff --git a/pkgs/applications/networking/sync/rsync/default.nix b/pkgs/applications/networking/sync/rsync/default.nix
index a38352a328a..f6d61dac390 100644
--- a/pkgs/applications/networking/sync/rsync/default.nix
+++ b/pkgs/applications/networking/sync/rsync/default.nix
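Review bot: In the second base.nix hunk the `fetchpatch` URL names the fix by an abbreviated commit id (`h=c3f7414`) while its parent is given in full (`hp=4c4fce51…`); an abbreviated id can become ambiguous as the upstream repository grows, and it makes the entry harder to audit against the advisory. The `sha256` still pins the fetched content, so this is about traceability rather than integrity: write the full id, `h=<FULL_COMMIT_ID>` (placeholder, the page does not show it). A comment above the entry such as `# CVE-2020-14387; drop once version includes the upstream fix` would tell the next maintainer when `extraPatches` can be emptied.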
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, perl, libiconv, zlib, popt
+{ lib, stdenv, fetchurl, fetchpatch, perl, libiconv, zlib, popt
 , enableACLs ? !(stdenv.isDarwin || stdenv.isSunOS || stdenv.isFreeBSD), acl ? null
 , enableLZ4 ? true, lz4 ? null
 , enableOpenSSL ? true, openssl ? null
@@ -15,7 +15,7 @@ assert enableXXHash -> xxHash != null;
 assert enableZstd -> zstd != null;
 let
- base = import ./base.nix { inherit lib fetchurl; };
+ base = import ./base.nix { inherit lib fetchurl fetchpatch; };
 in
 stdenv.mkDerivation rec {
 name = "rsync-${base.version}";
@@ -25,7 +25,8 @@ stdenv.mkDerivation rec {
 patchesSrc = base.upstreamPatchTarball;
 srcs = [mainSrc] ++ lib.optional enableCopyDevicesPatch patchesSrc;
- patches = lib.optional enableCopyDevicesPatch "./patches/copy-devices.diff";
+ patches = lib.optional enableCopyDevicesPatch "./patches/copy-devices.diff"
+ ++ base.extraPatches;
 buildInputs = [libiconv zlib popt] ++ lib.optional enableACLs acl
diff --git a/pkgs/applications/networking/sync/rsync/rrsync.nix b/pkgs/applications/networking/sync/rsync/rrsync.nix
index 83eb4658d2f..8ed09c190af 100644
--- a/pkgs/applications/networking/sync/rsync/rrsync.nix
+++ b/pkgs/applications/networking/sync/rsync/rrsync.nix
@@ -1,7 +1,7 @@
-{ lib, stdenv, fetchurl, perl, rsync }:
+{ lib, stdenv, fetchurl, perl, rsync, fetchpatch }:
 let
- base = import ./base.nix { inherit lib fetchurl; };
+ base = import ./base.nix { inherit lib fetchurl fetchpatch; };
 in
 stdenv.mkDerivation {
 name = "rrsync-${base.version}";
@@ -15,6 +15,8 @@ stdenv.mkDerivation {
 dontConfigure = true;
 dontBuild = true;
+ patches = base.extraPatches;
+
 postPatch = ''
 substituteInPlace support/rrsync --replace /usr/bin/rsync ${rsync}/bin/rsync
 '';
diff --git a/pkgs/development/interpreters/python/cpython/default.nix b/pkgs/development/interpreters/python/cpython/default.nix
index 39f2ae0c3e4..1fe0bf4fa37 100644
--- a/pkgs/development/interpreters/python/cpython/default.nix
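Review bot: `patches = base.extraPatches;` in the second rrsync.nix hunk carries no comment on why a derivation with `dontBuild = true`, whose visible `postPatch` only rewrites `support/rrsync`, needs the rsync patch set. If the CVE-2020-14387 fix does not touch `support/rrsync` (not visible here), the line changes nothing in the installed script and mainly keeps the two derivations on identical sources; a comment such as `# same patch set as rsync, see base.nix` would record that intent. In default.nix the last hunk appends `base.extraPatches` after the optional copy-devices patch, so one build with `enableCopyDevicesPatch = true` is worth doing to confirm the security patch still applies in that configuration.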
+++ b/pkgs/development/interpreters/python/cpython/default.nix
@@ -193,6 +193,10 @@ in with passthru; stdenv.mkDerivation {
 # (since it will do a futile invocation of gcc (!) to find
 # libuuid, slowing down program startup a lot).
 (./. + "/${sourceVersion.major}.${sourceVersion.minor}/no-ldconfig.patch")
+ # Make sure that the virtualenv activation scripts are
+ # owner-writable, so venvs can be recreated without permission
+ # errors.
+ ./virtualenv-permissions.patch
 ] ++ optionals mimetypesSupport [
 # Make the mimetypes module refer to the right file
 ./mimetypes.patch
diff --git a/pkgs/development/interpreters/python/cpython/virtualenv-permissions.patch b/pkgs/development/interpreters/python/cpython/virtualenv-permissions.patch
new file mode 100644
index 00000000000..c686f21bfbb
--- /dev/null
+++ b/pkgs/development/interpreters/python/cpython/virtualenv-permissions.patch
@@ -0,0 +1,13 @@
+diff --git a/Lib/venv/__init__.py b/Lib/venv/__init__.py
+index caa7285..ad666ac 100644
+--- a/Lib/venv/__init__.py
++++ b/Lib/venv/__init__.py
+@@ -379,7 +379,7 @@ class EnvBuilder:
+ if data is not None:
+ with open(dstfile, 'wb') as f:
+ f.write(data)
+- shutil.copymode(srcfile, dstfile)
++ os.chmod(dstfile, 0o644)
+
+
+ def create(env_dir, system_site_packages=False, clear=False,
diff --git a/pkgs/development/interpreters/python/default.nix b/pkgs/development/interpreters/python/default.nix
index 328ed715bae..a952e6f06d6 100644
--- a/pkgs/development/interpreters/python/default.nix
+++ b/pkgs/development/interpreters/python/default.nix
@@ -120,10 +120,10 @@ with pkgs;
 sourceVersion = {
 major = "3";
 minor = "8";
- patch = "9";
+ patch = "11";
 suffix = "";
 };
- sha256 = "XjkfPsRdopVEGcqwvq79i+OIlepc4zV3w+wUlAxLlXI=";
+ sha256 = "1chg8b0m1yrz50lizid20zha0dmj40z0iih3jqcrg7pyxca126pv";
 };
 };
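Review bot: `os.chmod(dstfile, 0o644)` in virtualenv-permissions.patch replaces the source file's mode with a fixed one, so it discards every permission bit the template had: an execute bit is lost, and a template that was more restrictive than 0644 becomes group- and world-readable. The comment in cpython/default.nix states the goal as owner-writability only, which can be met without dropping the rest, `os.chmod(dstfile, (os.stat(srcfile).st_mode & 0o777) | 0o200)`. The enclosing `EnvBuilder` method starts outside the hunk, so whether any copied file relies on its execute bit could not be checked from here.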
@@ -147,10 +147,10 @@ in {
 sourceVersion = {
 major = "3";
 minor = "6";
- patch = "13";
+ patch = "14";
 suffix = "";
 };
- sha256 = "pHpDpTq7QihqLBGWU0P/VnEbnmTo0RvyxnAaT7jOGg8=";
+ sha256 = "1bnm0bx7xf1jpfm0bmzlq19vwm0bvcbl7klx4rvgq05xryhafqr6";
 inherit (darwin) configd;
 inherit passthruFun;
 };
@@ -160,10 +160,10 @@ in {
 sourceVersion = {
 major = "3";
 minor = "7";
- patch = "10";
+ patch = "11";
 suffix = "";
 };
- sha256 = "+NgudXLIbsnVXIYnquUEAST9IgOvQAw4PIIbmAMG7ms=";
+ sha256 = "0d57b5a47wapzpkkq5rbvvi4caylc35j5910b64rxxn4nmm1kd6x";
 inherit (darwin) configd;
 inherit passthruFun;
 };
@@ -179,10 +179,10 @@ in {
 sourceVersion = {
 major = "3";
 minor = "9";
- patch = "4";
+ patch = "6";
 suffix = "";
 };
- sha256 = "Sw5mRKdvjfhkriSsUApRu/aL0Jj2oXPifTthzcqaoTQ=";
+ sha256 = "12hhw2685i68pwfx5hdkqngzhbji4ccyjmqb5rzvkigg6fpj0y9r";
 inherit (darwin) configd;
 inherit passthruFun;
 };
@@ -193,9 +193,9 @@ in {
 major = "3";
 minor = "10";
 patch = "0";
- suffix = "a5";
+ suffix = "rc1";
 };
- sha256 = "BBjlfnA24hnx5rYwOyHnEfZM/Q/dsIlNjxnzev/8XU0=";
+ sha256 = "0f76q6rsvbvrzcnsp0k7sp555krrgvjpcd09l1rybl4249ln2w3r";
 inherit (darwin) configd;
 inherit passthruFun;
 };
diff --git a/pkgs/development/libraries/c-ares/default.nix b/pkgs/development/libraries/c-ares/default.nix
index 20bcf80d9e5..4f571b7f1dd 100644
--- a/pkgs/development/libraries/c-ares/default.nix
+++ b/pkgs/development/libraries/c-ares/default.nix
@@ -8,13 +8,15 @@ let self =
 stdenv.mkDerivation rec {
 pname = "c-ares";
- version = "1.17.1";
+ version = "1.17.2";
 src = fetchurl {
 url = "https://c-ares.haxx.se/download/${pname}-${version}.tar.gz";
- sha256 = "0h7wjfnk2092glqcp9mqaax7xx0s13m501z1gi0gsjl2vvvd0gfp";
+ sha256 = "sha256-SAPIRM4gzlEO8OuD+OpB+iTsqunSgMRoxYLSuyWzkT0=";
 };
+ enableParallelBuilding = true;
+
 meta = with lib; {
 description = "A C library for asynchronous DNS requests";
 homepage = "https://c-ares.haxx.se";
diff --git a/pkgs/development/libraries/ffmpeg-full/default.nix b/pkgs/development/libraries/ffmpeg-full/default.nix
index ddcc81f8930..2186c154f80 100644
--- a/pkgs/development/libraries/ffmpeg-full/default.nix
+++ b/pkgs/development/libraries/ffmpeg-full/default.nix
@@ -443,14 +443,6 @@ stdenv.mkDerivation rec {
 buildFlags = [ "all" ] ++ optional qtFaststartProgram "tools/qt-faststart"; # Build qt-faststart executable
- doCheck = true;
- checkPhase = let
- ldLibraryPathEnv = if stdenv.isDarwin then "DYLD_LIBRARY_PATH" else "LD_LIBRARY_PATH";
- in ''
- ${ldLibraryPathEnv}="libavcodec:libavdevice:libavfilter:libavformat:libavresample:libavutil:libpostproc:libswresample:libswscale:''${${ldLibraryPathEnv}}" \
- make check -j$NIX_BUILD_CORES
- '';
-
 # Hacky framework patching technique borrowed from the phantomjs2 package
 postInstall = optionalString qtFaststartProgram ''
 cp -a tools/qt-faststart $out/bin/
diff --git a/pkgs/development/libraries/ffmpeg/2.8.nix b/pkgs/development/libraries/ffmpeg/2.8.nix
index 0df810ff10b..6d94c2e9974 100644
--- a/pkgs/development/libraries/ffmpeg/2.8.nix
+++ b/pkgs/development/libraries/ffmpeg/2.8.nix
@@ -7,5 +7,4 @@ callPackage ./generic.nix (rec {
 knownVulnerabilities = [ "CVE-2021-30123" ];
- doCheck = false;
 } // args)
diff --git a/pkgs/development/libraries/ffmpeg/generic.nix b/pkgs/development/libraries/ffmpeg/generic.nix
index 083210b1fef..7e4a6a08098 100644
--- a/pkgs/development/libraries/ffmpeg/generic.nix
+++ b/pkgs/development/libraries/ffmpeg/generic.nix
@@ -17,8 +17,7 @@
 # Darwin frameworks
 , Cocoa, darwinFrameworks ? [ Cocoa ]
 # Inherit generics
-, branch, sha256, version, patches ? [], knownVulnerabilities ? []
-, doCheck ? true, ...
+, branch, sha256, version, patches ? [], knownVulnerabilities ? [], ...
 }:
 /* Maintainer notes:
@@ -188,13 +187,7 @@ stdenv.mkDerivation rec {
 enableParallelBuilding = true;
- inherit doCheck;
- checkPhase = let
- ldLibraryPathEnv = if stdenv.isDarwin then "DYLD_LIBRARY_PATH" else "LD_LIBRARY_PATH";
- in ''
- ${ldLibraryPathEnv}="libavcodec:libavdevice:libavfilter:libavformat:libavresample:libavutil:libpostproc:libswresample:libswscale:''${${ldLibraryPathEnv}}" \
- make check -j$NIX_BUILD_CORES
- '';
+ doCheck = false; # fails
 # ffmpeg 3+ generates pkg-config (.pc) files that don't have the
 # form automatically handled by the multiple-outputs hooks.
diff --git a/pkgs/development/libraries/glibc/2.32-master.patch.gz b/pkgs/development/libraries/glibc/2.32-master.patch.gz
index 8ea998b5bea..b935f821e95 100644
Binary files a/pkgs/development/libraries/glibc/2.32-master.patch.gz and b/pkgs/development/libraries/glibc/2.32-master.patch.gz differ
diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix
index ca82f7dc709..8535215f2f8 100644
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@@ -42,7 +42,7 @@ let
 version = "2.32";
- patchSuffix = "-48";
+ patchSuffix = "-54";
 sha256 = "0di848ibffrnwq7g2dvgqrnn4xqhj3h96csn69q4da51ymafl9qn";
 in
@@ -61,7 +61,7 @@ stdenv.mkDerivation ({
 [ /* No tarballs for stable upstream branch, only https://sourceware.org/git/glibc.git and using git would complicate bootstrapping.
 $ git fetch --all -p && git checkout origin/release/2.32/master && git describe
- glibc-2.32-48-g16949aeaa0
+ glibc-2.32-54-g182ffd8e75
 $ git show --minimal --reverse glibc-2.32.. | gzip -9n --rsyncable - > 2.32-master.patch.gz
 To compare the archive contents zdiff can be used.
diff --git a/pkgs/development/libraries/openssl/1.1/macos-yosemite-compat.patch b/pkgs/development/libraries/openssl/1.1/macos-yosemite-compat.patch
new file mode 100644
index 00000000000..b0e37e32561
--- /dev/null
+++ b/pkgs/development/libraries/openssl/1.1/macos-yosemite-compat.patch
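Review bot: `doCheck = false; # fails` in the second generic.nix hunk switches `make check` off for every ffmpeg version built from this file without saying which test fails, on which platform, or since when, so nobody can tell when the checks may be restored. The first hunk also drops the `doCheck ? true` argument, which means a `doCheck` passed by a caller is now silently absorbed by `...`. For a library that parses untrusted media the suite is a useful regression guard, so either keep the argument with a `false` default or expand the comment, e.g. `# make check fails: <reason or issue link>; re-enable when fixed`. The ffmpeg-full hunk removes its `checkPhase` the same way, also without a stated reason.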
@@ -0,0 +1,56 @@
+From cef404f1e7a598166cbc2fd2e0048f7e2d752ad5 Mon Sep 17 00:00:00 2001
+From: David Carlier
+Date: Tue, 24 Aug 2021 22:40:14 +0100
+Subject: [PATCH] Darwin platform allows to build on releases before
+ Yosemite/ios 8.
+
+issue #16407 #16408
+---
+ crypto/rand/rand_unix.c | 5 +----
+ include/crypto/rand.h | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c
+index 43f1069d151d..0f4525106af7 100644
+--- a/crypto/rand/rand_unix.c
++++ b/crypto/rand/rand_unix.c
+@@ -34,9 +34,6 @@
+ #if defined(__OpenBSD__)
+ # include
+ #endif
+-#if defined(__APPLE__)
+-# include
+-#endif
+
+ #if defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__)
+ # include
+@@ -381,7 +378,7 @@ static ssize_t syscall_random(void *buf, size_t buflen)
+ if (errno != ENOSYS)
+ return -1;
+ }
+-# elif defined(__APPLE__)
++# elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
+ if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
+ return (ssize_t)buflen;
+
+diff --git a/include/crypto/rand.h b/include/crypto/rand.h
+index 5350d3a93119..674f840fd13c 100644
+--- a/include/crypto/rand.h
++++ b/include/crypto/rand.h
+@@ -20,6 +20,16 @@
+
+ # include
+
++# if defined(__APPLE__) && !defined(OPENSSL_NO_APPLE_CRYPTO_RANDOM)
++# include
++# if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101000) || \
++ (defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 80000)
++# define OPENSSL_APPLE_CRYPTO_RANDOM 1
++# include
++# include
++# endif
++# endif
++
+ /* forward declaration */
+ typedef struct rand_pool_st RAND_POOL;
+
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index 77a6b513ee6..00bdf14ae15 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -188,14 +188,16 @@ in {
 };
 openssl_1_1 = common {
- version = "1.1.1k";
- sha256 = "1rdfzcrxy9y38wqdw5942vmdax9hjhgrprzxm42csal7p5shhal9";
+ version = "1.1.1l";
+ sha256 = "sha256-C3o+XlnDSCf+DDp0t+yLrvMCuY+oAIjX+RU6oW+na9E=";
 patches = [
 ./1.1/nix-ssl-cert-file.patch
 (if stdenv.hostPlatform.isDarwin then ./1.1/use-etc-ssl-certs-darwin.patch else ./1.1/use-etc-ssl-certs.patch)
+ ] ++ lib.optionals (stdenv.isDarwin) [
+ ./1.1/macos-yosemite-compat.patch
 ];
 withDocs = true;
 };
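Review bot: The added guard `lib.optionals (stdenv.isDarwin)` is spelled differently from the `stdenv.hostPlatform.isDarwin` test a few lines above it in the same `patches` list; use one form for both so it is obvious which platform is meant when cross-compiling, `] ++ lib.optionals stdenv.hostPlatform.isDarwin [`. The patch it adds changes which random source `syscall_random` compiles in on Apple targets (it gates `CCRandomGenerateBytes` behind `OPENSSL_APPLE_CRYPTO_RANDOM`), so its origin and removal condition belong in a comment next to it, e.g. `# upstream cef404f1 (issues #16407, #16408): build for targets older than Yosemite; drop once in a release`. It is also worth confirming which fallback source older deployment targets end up using, since that branch of `syscall_random` lies outside the vendored hunk.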